tags:

views:

41

answers:

1
Q: 

Maven and bit-for-bit identical builds

If your project requirements for a large application with many 3rd party dependencies included:

1) Maintain a configuration management system capable of reproducing from source bit-for-bit identical copies of any build for 25 years after the original build was run and

2) Use Maven2 as a build tool to compile the build and to resolve dependencies

What process would need to be followed to meet those requirements?

A: 

25 years? Let's see, I think I have my old Commodore 64 sitting around here somewhere...

Seriously though - if this is a real question, then you have to consider the possibility that the maven central repository will at some point in the future go away. Maven is heavily reliant on the maven central repository.

You will also need to archive any tools (besides maven) used to create the build. An ideal build process will create an identical binary file at any time, whether it is next week or in 25 years. In practice, there are a lot of things that can prevent you from being able to reliably reproduce your builds.

1) Use a maven repository manager to host all dependencies, and back up the contents of the maven repository.

2) Archive any tools used to create the build. Basically maven and the jdk, but if you are using any other maven plugins like NSIS or Ant, then you need to archive those as well. If you are creating any platform specific binaries (like using NSIS), then you need to archive those tools, and probably the OS used to run the tools.

3) Archive your source code repository and make sure the software needed to run it is also archived as well.

Ken Liu  2010-04-22 19:52:08
For 1), would a normal backup of the Maven repository manager be enough? I would think you would need the ability to have the repository be versioned and be able to match a repository version to a source control revision. Otherwise couldn't you run into the situation where you backup the repo, then run a build that pulls in a dependency, have the repo get corrupted, restore the backup which does not have the new dependency and then get something different when you try to pull in the dependency again?I read somewhere that 25 years was the standard for some flight control systems...
mattjames  2010-04-22 20:27:28
Released artifacts (i.e. non SNAPSHOT) in a maven repository have a version number attached and are not expected to change once released. I think if an artifact is corrupted, then you would just restore the artifact in question, and not reload the entire repository. You wouldn't want to delete any released artifacts from your repo, either. BTW, strictly speaking, a repository manager isn't really necessary - you could just keep a backup of the local repo on your build machine. (Hopefully flight control systems are at least using a real-time JVM.)
Ken Liu  2010-04-22 20:38:47
Also, once you have successfully done a build in maven, then all of the necessary dependencies should be available in the local repository, so even if the maven central is gone you shouldn't have any problems _reproducing_ the build. FWIW, if I were doing something critical like a flight control system then I would probably be extra paranoid about the validity of artifacts downloaded from the maven central - probably would want a tightly controlled private repository. You might even want the contents of the repository itself to be put in some kind of version control system.
Ken Liu  2010-04-22 20:44:32
By saying the repo gets corrupted, I mean something like losing a filesystem where you *have* to restore the whole thing. At that point, you would be relying on the artifact to still be available on a 3rd party site, correct? Or am I missing something here...
mattjames  2010-04-22 20:47:15
Sorry, I misread your previous comment. Once you have a successful build, you should back up your repository so that the build can be reproduced. If you have to pull in a new dependency, then you aren't reproducing a build, you're creating a different build.
Ken Liu  2010-04-23 01:19:46
As maven downloads the internet, you'd also have all the relevant google results and blog posts of that time era, in case something still goes wrong with the 25yr old build.
mhaller  2010-04-23 06:41:45

related questions

what is the best way to load config files for different versions of the same project on the same server?
Guidelines for separating distributed application configuration from management from recovery...?
Pros and Cons regarding extended use of branches.
What is the most popular way to implement configuration settings like about:config in Firefox?
I am looking for a tool like LibCheck to evaluate different versions of the same SDK.
What are source control and configuration management best practices?
Handling different API versions in same Java source
GlobalAssemblyInfo.cs and strong naming
TFS vs SVN
Configuration Management - History in Code Comments
How to operate with multiple assembly versions in private folders using config?
AppDomain and config section typing
Looking for application that generates INSERT statements for data in table(s)
What's the best way to pass configuration to application agnostic modules?
Which management tools would you recommend for software development?
Managing Reusable Components
Should I implement source control for j2ee application server configuration files?
Best Practices on Configuration Settings
Where to find good examples or Templates for Configuration Management Plans?
Release Management Software
UK Vat change from 17.5 to 15% - How will this affect your code?
Product Line Engineering
What's the best way to build variants of the same C/C++ application.
Best approach to perform a CMMI Physical Configuration Audit?
.net solution subversion best practices?