guava-27.0-jre.jar contains failureaccess class files #3302
Comments
|
I think this is also a problem with JPMS modules, where the same package is in guava.jar and failureaccess.
|
|
I can reproduce the issue (a guava jar containing the failureaccess classes) locally by building the release artifact: That tells me this issue is caused by a problem with a I think the problem is here in the Line 81 in 292118d I don't know what <Export-Package>!com.google.common.base.internal,!com.google.common.util.concurrent.internal,com.google.common.*</Export-Package>...then the built guava jar doesn't contain the failureaccess classes anymore. |
|
I notice that failureaccess/pom.xml doesn't include any OSGi bundle plugin configuration either, so once this is fixed and those classes are removed, Guava 27 probably won't work under OSGi without adding OSGi metadata to |
|
I get 17 errors after upgrading Guava from Guava 26.0-jre to 27.0-jre in a Gradle 4.10.2 build (that uses my Jigsaw plugin to enable JPMS modules) that previously worked fine on 26.0-jre (maybe I could exclude
|
…eaccess artifact being included in the main Guava jar. It appears (thanks to @michaelhixson on #3302) that the issue is with the maven-bundle-plugin (which does OSGi stuff). Presumably because Guava was declaring that it exports com.google.common.* (and doesn't exclude com.google.common.util.concurrent.internal), it was pulling those class files in from the dependency. It was also pointed out by @talios in that issue that failureaccess doesn't include OSGi metadata to export that package. This change should fix both of those issues, but we're going to need to release a failureaccess 1.0.1 and then guava 27.0.1. RELNOTES=Fixes an issue where classes that should only be included in failureaccess (Guava's one dependency) were also being included in the main Guava jar. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=218884985
|
The I've got a commit (a980611) that I'm hoping should fix this. I've confirmed at least that the failureaccess classes should no longer be included in the guava jar. I don't know much about OSGi though, so could someone check that the changes look right? |
|
same for |
|
@cgdecker I have never used OSGI, so this may be a dumb question: When one builds the failureaccess jar, is its I ask because when I pull your changes and then build failureaccess with Edit: Ohh, I think you need to add |
|
As @michaelhixson mentions - it looks like you're missing the |
|
@michaelhixson @talios Thanks, fixed that in 218bfd4. |
|
+1 here from the @cgdecker in the meantime, is it "safe" to add an <dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>27.0-jre</version>
<exclusions>
<!-- ugly, but safe? -->
<exclusion>
<groupId>com.google.guava</groupId>
<artifactId>failureaccess</artifactId>
</exclusion>
</exclusions>
</dependency>Lastly, is it worth introducing the |
|
you can do that with maven-enforcer-plugin using the rule banDuplicateClasses: |
|
@cgdecker Removing these classes from the main jar is not the right solution though. We care about the number of jar file dependencies, so splitting Guava into multiple pieces is very painful. And pushing a v9999 hack on the world really is a gross failure on the part of Guava maintainers. Given that you have separate releases for |
|
@stari4ek try to use this implementation: |
|
@jodastephen Why do you care about the number of jar files? Just wondering, that's somewhat surprising to me. In any case, this change isn't really about JRE vs. Android, though it was motivated by Android in some ways. The goal of the change was to allow a project to use Since such a project needs to pull in the For now, I'm just trying to fix this to not duplicate the classes between the two jars (which was unintended). We can see about trying to do something else from there. |
27.0-android contains bug google/guava#3302, causing Android builds to fail
Trying to fix build using guava 26.0-android, which should fix issue google/guava#3302
|
@cgdecker The approach you have taken to splitting out a submodule is indeed very standard, and well suited to corporate codebases and larger projects. But for a foundational library like Guava it is far from ideal. Put simply, it is not the case that all users ignore the number of jar file dependencies - for some users, details of, and number of, those dependencies really matters, There are going to be plenty of projects that have a dependency on Guava and nothing else. Those projects will now be seeing a tripling of the number of dependencies. This affects me (more or less) with Joda-Beans and Joda-Convert. In addition, many projects (like OpenGamma Strata) have to list all their dependencies in user documentation, and the version numbers thereof. The change requires both new dependencies to be added to the docs, and some kind of additional note added to try and explain the horrible v9999 hack. In essence this gives the appearance of Google making a change for its convenience (Android) rather than providing stability and security for non-Google users, which is what some of us have worried about all along with Guava. Particularly as now the floodgates of dependencies are open I fear we willl see Guava split into many more jar files. |
Hmm, that doesn't sound good. :(
I can definitely see why Stephen sees it this way - the "failureaccess" artifact-based workaround seemed and still seems very strange to me, and if I weren't already on good terms with @cpovirk and everyone else on the Guava team, I think I might've taken it as an antagonistic move (although I'm sure that wasn't intended at all!) When @cpovirk is back from leave, I'd love to hear his reasoning for the introduction of this artifact, and to discuss things further (whether publicly or privately) to see if it would be possible to achieve what the Android Support library authors would like whilst satisfying everyone else. :) |
Guava was always traditionally very restrained in making changes because of the impact those changes had on the larger Google codebase ( I'm reminded of Kevin Bourrillion's post https://plus.google.com/113026104107031516488/posts/ZRdtjTL1MpM from back in 2011 ), I'm not sure if the current process is as strict on changes for Guava, and I guess the extraction of From my perspective as an OSGi user, and one who strictly excludes all transitive dependencies from our build poms, the extra artifact, and the issue of |
|
Has there been any follow up on this at all? |
|
Nope, I'm still waiting for @cpovirk to come back from leave. :( |
|
I've released Guava 27.0.1, which no longer contains the I'm going to close this issue since it was about the duplicate classes; feel free to open a separate issues for any specific issues with the current dependency setup. |
…eaccess artifact being included in the main Guava jar. It appears (thanks to @michaelhixson on google#3302) that the issue is with the maven-bundle-plugin (which does OSGi stuff). Presumably because Guava was declaring that it exports com.google.common.* (and doesn't exclude com.google.common.util.concurrent.internal), it was pulling those class files in from the dependency. It was also pointed out by @talios in that issue that failureaccess doesn't include OSGi metadata to export that package. This change should fix both of those issues, but we're going to need to release a failureaccess 1.0.1 and then guava 27.0.1. RELNOTES=Fixes an issue where classes that should only be included in failureaccess (Guava's one dependency) were also being included in the main Guava jar. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=218884985
thank so much, it's work for me! ^^ |
I tried upgrading to guava 27.0 in my project and noticed a new warning at build time:
Indeed, I can see those
.classfiles in theguava-27.0-jre.jarI downloaded from Maven. Are those class files supposed to be there? I ask because it seems like they are supposed to be in the failureaccess jar only, but they were included in the guava jar by mistake.The text was updated successfully, but these errors were encountered: