Re: [ovirt-devel] commons-collections v4.0

> This kind of discrepancies might be found in other libraries as we do not > > synchronize our pom files with the JBoss current version dependencies. > > IMHO that could lead to some very difficult bugs that we won't be able to > > simulate in our unit tests. correct, but the java way to pull dependencies at will without being able to fix z-stream using central package management tools is more severe than unit tests not working/not working. for example, your application uses x.jar and actually delivers x.jar... so from release to eternity it is your responsibility to track x.jar for severe stability bugs and security bugs, and release your entire application each time found, now multiple it with the # of components application is using and see how much effort you have just to maintain stability and security if you embed 3rd party components without your application. > > Why do we avoid "to maintain our own packaging"? IMHO Ovirt own dependencies > > could be packed in the war, can't they? yes they could, but this is not suitable for enterprise grade implementations, mainly per what I described above.