Enforcing Maven 3.9 as minimum, would you be ok?

GeoServer GeoServer Developer
1

Hi all,
we have this PR suggesting to enforce Maven 3.9 as a minimum:

Mark checked the build, it’s fine, we are using 3.9.8, I’ve checked internally, half of devs are on 3.9+, the other half is using older versions but it does not seem a problem to update.

I would like to gather a bit more feedback… would it be ok for you to require Maven 3.9 as a minimum?

Cheers
Andrea

1 Like
2

Currently ubuntu 24.04 is providing 3.8.7 so it would be mildly inconvenient for ubuntu users.

Ian

3

Please check the PR’s comment about the rationale.

Basically, for truly stable builds across environments, we need to specify the maven plugin versions. Otherwise,
the plugins will be picked up based on the maven version in use.
Since we’re not specifying a maven version we get multiple possible plugin versions, and several of the following maven errors:

mvn versions:display-plugin-updates -Prelease

[WARNING] Project does not define minimum Maven version required for build
[INFO] Plugins require minimum Maven version of: 3.0
[INFO]
[ERROR] Project does not define required minimum version of Maven.
[ERROR] Update the pom.xml to contain maven-enforcer-plugin to
[ERROR] force the Maven version which is needed to build this project.
[ERROR] See [https://maven.apache.org/enforcer/enforcer-rules/requireMavenVersion.html](https://maven.apache.org/enforcer/enforcer-rules/requireMavenVersion.html)
[ERROR] Using the minimum version of Maven: 3.0
[INFO]
[INFO] Require Maven 2.0.2 to use the following plugin updates:
[INFO] maven-checkstyle-plugin .............................. 3.1.1 -> 2.1
[INFO]
[INFO] Require Maven 2.0.6 to use the following plugin updates:
[INFO] maven-checkstyle-plugin .............................. 3.1.1 -> 2.8
[INFO]
[INFO] Require Maven 2.2.1 to use the following plugin updates:
[INFO] maven-checkstyle-plugin ............................. 3.1.1 -> 2.17
[INFO]
[INFO] Require Maven 3.0 to use the following plugin updates:
[INFO] maven-checkstyle-plugin ............................ 3.1.1 -> 3.1.2
[INFO]
[INFO] Require Maven 3.2.5 to use the following plugin updates:
[INFO] maven-checkstyle-plugin ............................ 3.1.1 -> 3.3.1
[INFO]
[INFO] Require Maven 3.6.3 to use the following plugin updates:

[INFO] maven-checkstyle-plugin ............................ 3.1.1 -> 3.6.0

But if we specify the maven version to use we get sane and reproducible recommendations:

[INFO] --- versions:2.18.0:display-plugin-updates (default-cli) @ gs-gwc ---
[INFO]
[INFO] The following plugin updates are available:
[INFO] org.jacoco:jacoco-maven-plugin .................... 0.8.6 -> 0.8.12
[INFO]
[INFO] All plugins have a version specified.
[INFO]
[INFO] Project requires minimum Maven version for build of: 3.9
[INFO] Plugins require minimum Maven version of: 3.0
[INFO]
[INFO] No plugins require a newer version of Maven than specified by the pom.

If ubuntu 24.04 is providing 3.8.7, that depends on how it’s installed. I use sdkman (e.g. sdk insta, not apt-get),
but in any case, an alternative would be to include the maven wrapper[1] so nobody needs maven preinstalled
and we always use the required version.

Do you think that’d be worth it in order to have a predictable toolset across environments?

[1] https://maven.apache.org/wrapper/
camptocamp

4

I honestly don’t care all that much… because I value solving real problems (that we have plenty of), rather than potential ones. But I’m not bothered either, as long as it does not negatively affect other devs and users.

On one side of the scale we have an inconvenience for those that need to upgrade Maven. It seems a small one (if it’s not for anyone reading, please let us know) but also a real one affecting, to my count so far, 4 people, including Ian,
On the other scale we have a “more predictable build”. A worth theoretical goal, but was there a practical trigger? Did you take action because someone with an old version of Maven reported build misbehaviors to you?

As a community we should strive for balance and shared decisions. Thinking out loud, how much predictability we lose if the build requires 3.8+, what would be te practical consequences of having this more relaxed check? (so far we’ve seen a comparison between not requiring a version at all, and requiring 3.9+, right?)

Cheers
Andrea

5

I can confirm it is a pretty minor inconvenience - it took about 5 minutes to clean up and install a new version of maven

Ian

6

I honestly don’t care that much either. But I do a little.
IIRC I was making sure dependency versions between geoserver and geoserver cloud were aligned and also wondered about the plugin versions. Then
I discovered the amount of errors and warnings presented by maven. This seemed worrisome:

[ERROR] Project does not define required minimum version of Maven.
[ERROR] Update the pom.xml to contain maven-enforcer-plugin to
[ERROR] force the Maven version which is needed to build this project.

So I did a little research and indeed it looks like defining a minimum maven version should be considered good practice.
It reminded me of all the trouble we went through by having incompatible versions of the same dependencies across cog and gwc,
and thought plugins can cause trouble too.

I’ve now asked a deepsearch AI about this, won’t paste its answer here cause it’s large, but you can read it here: https://gist.github.com/groldan/0727ada1be4c3512a83b3f3d30d420dc

To me, it boils down to whether we agree it’d be good practice and we want to implement it.

Cheers,

On Tue, Feb 25, 2025 at 5:33 AM Andrea Aime via OSGeo Discourse <noreply@discourse.osgeo.org> wrote:

aaime-geosolutions
February 25

groldan:

Do you think that’d be worth it in order to have a predictable toolset across environments?

I honestly don’t care all that much… because I value solving real problems (that we have plenty of), rather than potential ones. But I’m not bothered either, as long as it does not negatively affect other devs and users.

On one side of the scale we have an inconvenience for those that need to upgrade Maven. It seems a small one (if it’s not for anyone reading, please let us know) but also a real one affecting, to my count so far, 4 people, including Ian,
On the other scale we have a “more predictable build”. A worth theoretical goal, but was there a practical trigger? Did you take action because someone with an old version of Maven reported build misbehaviors to you?

As a community we should strive for balance and shared decisions. Thinking out loud, how much predictability we lose if the build requires 3.8+, what would be te practical consequences of having this more relaxed check? (so far we’ve seen a comparison between not requiring a version at all, and requiring 3.9+, right?)

Cheers
Andrea

Visit Topic or reply to this email to respond.

To unsubscribe from these emails, click here.

7

There currently doesn’t appear to be any difference in the plugin versions when requiring Maven 3.8 or 3.9. According to the Maven command provided previously in this thread, maven-assembly-plugin is actually the only Maven plugin that GeoServer uses without specifying a plugin version in the root POM although there is a version specified only for community modules.

8

Oh nice catch, we should specify maven-assembly-plugin version (as it has changed across versions and broken releases before).

9

Hi,

Thanks Pete for finding out using 3.8 and 3.9 as minimum recommends the same upgrades. I’ve verified it and
updated the pull request to require 3.8 instead of 3.9 as agreed on at the last PSC meeting.

Cheers,