Tainnor 4 days ago

Maven artifacts are immutable, so the whole resolution is deterministic (even if hard to understand), unless you're using snapshot versions (which are mutable) or you use version ranges (which is rare in the Maven world).

beart 4 days ago

Maven artifacts are not immutable. Some Maven repositories may prevent overwriting an already published version, but this is not guaranteed. I've personally seen this cause problems where a misconfigured CI job overwrote already published versions.

npm used to allow you to unpublish (and maybe overwrite?) published artifacts, but they removed that feature after a few notable events.

Edit: I was not quite correct. It looks like you can still unpublish, but with specific criteria. However, you cannot ever publish a different package using the same version as an already published package.

https://docs.npmjs.com/cli/v8/commands/npm-publish?v=true

https://docs.npmjs.com/policies/unpublish

chriswarbo 4 days ago

> Maven artifacts are immutable, so the whole resolution is deterministic

Nope, Maven will grab anything which happens to have a particular filename from `~/.m2`, or failing that it will accept whatever a HTTP server gives it for a particular URL. It can compare downloaded artifacts against a hash; but that's misleading, since those hashes are provided by the same HTTP server as the artifact! (Useful for detecting a corrupt download; useless for knowing anything about the artifact or its provenance, etc.)

This isn't an academic/theoretical issue; I've run into it myself https://discuss.gradle.org/t/plugins-gradle-org-serving-inco...

spooky_deep 4 days ago

If your model is that you trust Maven to never change anything, then sure.

However, I think most people in the reproducible build space would consider Maven an external uncontrolled input.

Tainnor 3 days ago

> I think most people in the reproducible build space would consider Maven an external uncontrolled input

In an academic sense, you're probably right.

In practice it turns out that this isn't an issue in 99% of cases. Yes, I have once run into a weird issue where Nexus was corrupted and it took some debugging, so it's not like it can't happen, but assuming you don't do anything weird, the assumption that Maven artifacts are immutable is fairly safe.

I'm not saying that lockfiles aren't technically superior or anything, but the failure modes are so rare that people usually don't bother (even in Gradle where lockfiles are technically supported).
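The two checks discussed in this thread (chriswarbo's point that a checksum served by the same HTTP server as the artifact only detects a corrupt download, and the lockfile alternative Tainnor mentions) can be shown side by side. The following is an added example, not code from any commenter or from Maven, Gradle or Nexus; the artifact bytes, the coordinate `com.example:widget:1.2.3:jar` and the simple dict-based lockfile are all constructed for illustration, and SHA-256 is used in place of whichever checksum files a given repository publishes.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class RepoResponse:
    """What a Maven-style HTTP repository hands back for an artifact URL:
    the artifact bytes plus the checksum file served alongside them."""
    artifact: bytes
    served_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serve(artifact: bytes) -> RepoResponse:
    """Model a repository whose checksum file always matches whatever it
    currently holds, which is exactly what happens after an overwrite."""
    return RepoResponse(artifact, sha256_hex(artifact))


def matches_served_checksum(resp: RepoResponse) -> bool:
    """Repository-style check: compare the download against the checksum
    from the same server. Catches a truncated or corrupt transfer, but
    says nothing about provenance or substitution."""
    return hmac.compare_digest(sha256_hex(resp.artifact), resp.served_sha256)


def pin(lock: dict, coordinate: str, artifact: bytes) -> None:
    """Record the checksum of an artifact at the moment it was vetted.
    This is the lockfile-style entry the later check compares against."""
    lock[coordinate] = sha256_hex(artifact)


def matches_pinned_checksum(resp: RepoResponse, lock: dict, coordinate: str) -> bool:
    """Lockfile-style check: compare the download against a checksum the
    consumer recorded earlier. Fails closed on an unknown coordinate."""
    pinned = lock.get(coordinate)
    if pinned is None:
        return False
    return hmac.compare_digest(sha256_hex(resp.artifact), pinned)


def evaluate(resp: RepoResponse, lock: dict, coordinate: str) -> tuple:
    """Return (served_check_passed, pinned_check_passed) for one download."""
    return (matches_served_checksum(resp), matches_pinned_checksum(resp, lock, coordinate))


# Constructed sample data: a "jar" as first published and a different one
# later uploaded under the same version.
COORD = "com.example:widget:1.2.3:jar"
ORIGINAL = b"PK\x03\x04 constructed original jar bytes"
REPLACED = b"PK\x03\x04 constructed replaced jar bytes"

LOCK = {}
pin(LOCK, COORD, ORIGINAL)


def scenario_unchanged() -> tuple:
    # Same bytes as when pinned: both checks pass.
    return evaluate(serve(ORIGINAL), LOCK, COORD)


def scenario_overwritten() -> tuple:
    # Version overwritten on the server: the server's own checksum still
    # matches, so only the pinned check notices.
    return evaluate(serve(REPLACED), LOCK, COORD)


def scenario_corrupt_download() -> tuple:
    # Truncated transfer of the original: the server-side checksum does
    # catch this, and the pinned check fails as well.
    truncated = RepoResponse(ORIGINAL[:-3], sha256_hex(ORIGINAL))
    return evaluate(truncated, LOCK, COORD)


if __name__ == "__main__":
    print("unchanged       (served, pinned):", scenario_unchanged())
    print("overwritten     (served, pinned):", scenario_overwritten())
    print("corrupt download(served, pinned):", scenario_corrupt_download())
```

The overwritten case is the one the thread is about: a repository that serves a fresh checksum for whatever it currently stores will pass its own verification, so only a checksum the consumer recorded independently (a lockfile or verification-metadata entry kept in the project's own repository) distinguishes a republished artifact from the one originally reviewed.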

mystifyingpoi 4 days ago

I never understood this. I can delete anything from Nexus and reupload something else in its place. Is this supposed immutability just a convention that's followed?

Tainnor 3 days ago

Yes, you can, if you manually interact with it. Most people don't do that because why would you? You generally use it as a proxy for maven central and similar and to upload your own internal artifacts through maven-publish. I'm not sure if it's the standard setting, but Nexus should typically be configured to prevent you from overwriting non-snapshot versions.