Improve reproducibility by removing SNAPSHOT dependencies

In building the Jitsi components written in Java from source, I noticed that they contain SNAPSHOT dependencies. Many of these dependencies have never been released as a non-SNAPSHOT version, despite many of them being unchanged for long periods of time, often years.

For example, here are some SNAPSHOT dependencies I find in jigasi:

$ mvn dependency:list versions:use-releases | grep SNAPSHOT
[INFO]    org.jitsi:jitsi-android-osgi:jar:1.0-SNAPSHOT:compile
[INFO]    org.jitsi:jitsi-webrtcvadwrapper:jar:1.0-SNAPSHOT:compile
[INFO]    org.jitsi:ice4j:jar:2.0.0-SNAPSHOT:compile
[INFO]    org.jitsi:jitsi-lgpl-dependencies:jar:1.1-SNAPSHOT:compile
[INFO]    org.jitsi:jitsi-videobridge:jar:1.1-SNAPSHOT:test
[INFO]    org.jitsi:fmj:jar:1.0-SNAPSHOT:compile

Some of those are transitive dependencies of snapshots, which do have releases, but others, such as jitsi-android-osgi, have not been released.
I was thinking that it could be valuable to create releases of those components, and have the Jitsi components depend on those releases.

I would love to know what others in the developer community think about this, and what I could do to help with this process.

(I ran into this in the context of trying to build the Jitsi components with Nix. The nix tooling does not play nicely with SNAPSHOT dependencies, largely because of the issues in build reproducibility.)

All projects have reproducible builds. Which repo do you have a problem with?

It was jigasi where I first encountered this issue. I could be doing something wrong though! Is there a way that works to build jigasi without snapshot dependencies?

Check out the jigasi pom file; do you see any snapshot used there?

You can check it with mvn dependency:tree.

Hmm, I see snapshots there … I will take a look later this week.

Yes, the issue was transitive dependencies, which aren’t specified as SNAPSHOTs in the pom.xml.

Thanks a lot for taking a look!

There is no snapshot in the pom file. Where do you see one?

I’m agreeing with you, there are none in the pom file. Maven seems to be bringing in SNAPSHOT dependencies despite this.

It seems like the dependencies that mvn dependency:list resolves to SNAPSHOTs all have version numbers that look like 1.0-20190327.160432-3, like those created by mvn versions:lock-snapshots.
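The thread turns on two things: the snapshots come in transitively, so reading the pom does not reveal them, and a resolved snapshot may appear either as `1.0-SNAPSHOT` or as a timestamped build like `1.0-20190327.160432-3`, which a plain `grep SNAPSHOT` does not catch. The script below is an added example, not code from the thread or from the Jitsi project: it parses the `[INFO]    group:artifact:type[:classifier]:version:scope` lines that `mvn dependency:list` prints (assumed format; newer plugin versions may append ` -- module ...`, which is stripped) and flags both snapshot forms, so it can be used as a CI gate that fails when any resolved dependency, direct or transitive, is not a release. The sample output is constructed for the example, based on the artifacts named in the thread plus a timestamped snapshot and two release versions.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# A version is a snapshot if it is an unresolved "-SNAPSHOT" or a timestamped
# snapshot build as written by a repository manager or versions:lock-snapshots:
# base-YYYYMMDD.HHMMSS-buildNumber, e.g. 1.0-20190327.160432-3
SNAPSHOT_RE = re.compile(r"-SNAPSHOT$|-\d{8}\.\d{6}-\d+$")

# One resolved-dependency line of `mvn dependency:list` (assumed format).
# Newer plugin versions may append " -- module <name>", which we ignore.
DEP_LINE_RE = re.compile(r"^\[INFO\]\s+(\S+:\S+)(?:\s+--.*)?\s*$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str


def parse_dependency_list(text: str) -> List[Dep]:
    """Extract resolved dependencies from raw `mvn dependency:list` output."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = DEP_LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # g:a:type:version:scope  or  g:a:type:classifier:version:scope
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue  # not a coordinate line (plugin banner, summary, ...)
        deps.append(Dep(group, artifact, version, scope))
    return deps


def is_snapshot(version: str) -> bool:
    """True for both "-SNAPSHOT" and timestamped snapshot versions."""
    return SNAPSHOT_RE.search(version) is not None


def find_snapshots(text: str, ignore_scopes: Sequence[str] = ()) -> List[Dep]:
    """Return every resolved dependency whose version is a snapshot.

    ignore_scopes lets a caller tolerate e.g. test-scoped snapshots while
    still failing on anything that ends up in the shipped artifact.
    """
    return [
        d for d in parse_dependency_list(text)
        if is_snapshot(d.version) and d.scope not in ignore_scopes
    ]


def check(text: str, ignore_scopes: Sequence[str] = ()) -> Tuple[int, List[str]]:
    """CI-style gate: exit code 1 and a report if any snapshot is resolved."""
    offenders = find_snapshots(text, ignore_scopes)
    report = [f"{d.group}:{d.artifact}:{d.version} ({d.scope})" for d in offenders]
    return (1 if offenders else 0), report


# Constructed sample output for the example (not a real jigasi build log).
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ jigasi ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.jitsi:ice4j:jar:2.0.0-SNAPSHOT:compile
[INFO]    org.jitsi:jitsi-android-osgi:jar:1.0-SNAPSHOT:compile
[INFO]    org.jitsi:fmj:jar:1.0-20190327.160432-3:compile
[INFO]    org.jitsi:jitsi-videobridge:jar:1.1-SNAPSHOT:test
[INFO]    org.json:json:jar:20180813:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] BUILD SUCCESS
"""


if __name__ == "__main__":
    # Usage: mvn dependency:list | python check_snapshots.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    code, lines = check(source)
    for line in lines:
        print("snapshot dependency resolved:", line)
    sys.exit(code)
```

The date-like release version `20180813` is deliberately included: the timestamped pattern requires the `-YYYYMMDD.HHMMSS-N` suffix, so a bare date version is not misreported. Inside the build itself, the maven-enforcer-plugin's `requireReleaseDeps` rule performs the same check over the resolved (transitive) graph and fails the build, which is the usual way to make this policy stick once the upstream artifacts have real releases.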