Here is something that I have never really understood how to handle. I have a library project that, say, used jdom. When it is packaged, jdom is in the dist/lib directory and the jar is in dist. When I have an application that uses that library, it seems like I have to add jdom to that project. I am referencing the first project as a "project" in the IDE - this is a right click on the libraries node and then add project (it then says project jar files - maybe it does not pick up the "lib" folder?). Is there a way to package the library so that applications that require it do not have to add the libraries it uses?
That's probably a very bad idea. Let's use a practical example:
A while ago OpenSSL suffered from the Heartbleed bug. Suppose that you built a library that packaged a bad version of OpenSSL inside it. After OpenSSL got fixed, your clients would still need to wait for you to release a new version of your software that contained a good version of OpenSSL. You can imagine that this is NOT a good situation. Instead, they can just replace their own OpenSSL version with a good one, and everything will be okay.
A much better solution is to use a dependency manager. You declare what dependencies your library has, and when one of your clients in turn depends on your library, the manager will automatically let them depend on any dependencies your library has.
Stephan, your argument is valid. Does it imply (using your example) if I built the library, say Lib1, with OpenSSL and it was in the libraries for this project Lib1. Then a customer used that library in application X - we know they would add the library to application X as per the original post. When it hit the fan with OpenSSL would the customer only need to rebuild application X with the new SSL? Or does the library need to be rebuilt? I am not sure which library is actually used - the one I built the library with or the one in the top level application.
I have looked at Maven but so far I have avoided the learning curve. I may need to bite the bullet.
Let's say you're using the bouncycastle jar: bcpkix-jdk15on-150.jar. Your lib1.jar has a dependency on this library. When your client builds an application using your library, they also need to put bcpkix-jdk15on-150.jar on the class path.
When some bug is found in bcpkix-jdk15on-150.jar, your client can just put another version on the class path instead. Your library should still run, without having to rebuild it. As a matter of fact, they don't even have to rebuild their application, they can just replace the jar and that's that.
Maven may be difficult at first, but it's awesome. It will take a lot of work out of your hands.
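The answers above depend on the library jar not carrying its own copy of a dependency, since a bundled copy cannot be patched by swapping a jar on the class path. The following is an added example, not part of the original thread, that audits a jar for embedded dependencies; the `com/example/lib1/` package prefix and both sample jars are constructed assumptions.

```python
import io
import zipfile
from collections import Counter


def build_jar(entries):
    """Build an in-memory jar (a zip archive) from a list of entry paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")  # contents are irrelevant to the check
    return buf.getvalue()


def bundled_dependencies(jar_bytes, own_prefix):
    """Report third-party code embedded in a jar.

    own_prefix is the library's own package path (assumed: "com/example/lib1/").
    Returns nested jars plus a count of class files per foreign top-level package.
    """
    nested, foreign = [], Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directory entries and jar metadata
            if name.endswith(".jar"):
                nested.append(name)  # dependency jar packed inside the library
            elif name.endswith(".class") and not name.startswith(own_prefix):
                pkg = "/".join(name.split("/")[:-1][:2]) or "(default package)"
                foreign[pkg] += 1  # classes unpacked into the library jar
    return {"nested_jars": sorted(nested), "foreign_packages": dict(foreign)}


# Constructed sample jars: a thin library, and one that embeds its dependencies.
OWN = "com/example/lib1/"
THIN_JAR = build_jar(["META-INF/MANIFEST.MF", OWN + "Parser.class"])
FAT_JAR = build_jar([
    "META-INF/MANIFEST.MF",
    OWN + "Parser.class",
    "org/jdom/Document.class",
    "org/jdom/input/SAXBuilder.class",
    "lib/bcpkix-jdk15on-150.jar",
])

if __name__ == "__main__":
    for label, jar in (("thin", THIN_JAR), ("fat", FAT_JAR)):
        print(label, bundled_dependencies(jar, OWN))
```

An empty report means every dependency is resolved from the class path at run time, so a fixed jar can be dropped in without rebuilding the library.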