An issue for deterministic builds with Maven + Hudson
Given that Maven is much more complex than Ant, and it dinamically resolves dependencies, people are right to be concerned with having deterministic builds. But the vast majority of problems are solved by just three good practices:
- version everything, including all Maven plugins
- run once in a while mvn dependency:go-offline, that will download all the required stuff
- routinely use mvn -o (offline mode)
When using Hudson, each job should have its private repository, which is scracthed every time.
The first item is the most important, while the other two are more relevant to saving build time and being able to work even while disconnected. To be even safer, and dramatically speed up build times, you should also set up a local mirror repository (e.g. with Nexus), that is a local cache of the artifacts you need. In particular, it is very useful to install a local repository mirror on each Hudson node you use (or one in the same subnet).
Unfortunately, this is likely to create some new build reproducibility issue. In spite of forceTen Hudson job being blue since several weeks (with only occasional spikes), I've been notified both by Milos Kleint and a blog post commenter that they weren't unable to compile it because of a missing artifact. It's really annoying to incur in such an issue after you've spent great amounts of time for having a nicely set up CI enviroment!
Granted, I've got still a few residual mess with the artifact repositories for all my projects until I complete the mavenizations of all of them, but the basic point here is that you risk to have a mirror repository with a dependency that you use, but it's not available in public (e.g. because you published to the mirror and not to a public repo, or other variations of the theme).
The only solution that I found is to create another job for each project (I called it "Compile from Scratch") that runs by itself at midnight and uses a configuration of Maven without mirrors, thus closely reproducing the environment one finds when checks out sources and compile them. If it fails when the regular compile works, you understand that there's a problem in some mirror.
Just to confirm you that a mirror repository is really important for performance, forceTen compiles and runs tests in less than 9 minutes with a mirror; it takes longer than 30 minutes to compile only without. All this extra time is Maven downloading stuff.