module-info hygiene

Robert Scholte rfscholte at apache.org
Sun Oct 16 18:52:02 UTC 2016 

Hi,

with the introduction of the module-info something interesting is  
happening. Up until now the scope of a Java project was limited to the  
compilation of the classes. In case of Maven the end-user was in full  
control regarding the classpath and the order of entries. With the order  
of the dependencies you can control the order of classpath entries. You  
could add your own dependencies but could also exclude them. The exclude  
is especially powerful in those cases where library builders have made  
mistakes (e.g. junit without test-scope) or simply forgot to remove  
dependencies when refactoring code.
The first project poms are often quite clean, but it requires discipline  
to keep cleaning up your pom, e.g. removing unused dependencies. However,  
you're not really punished if you don't do this.

With the shift to module-info, suddenly every library-builder gets  
control. If the module-info of that library "requires A.B", it means that  
every project using this library MUST have A.B on its module-path. As  
end-user you cannot exclude A.B, nor can you say "B.A replaces A.B for  
x.y.z" in case of duplicate classes as allowed on the classpath. In short:  
the end-users must rely on the discipline of library builders.

This loss of control for the end-user will have huge impact. Maven has a  
analyze-goal in the maven-dependency-plugin which show both unused  
declared dependencies and used undeclared dependencies (which means pulled  
in as transitive dependency, even though the code directly uses it).  
Almost every time I run this goal on any project it detects dependencies  
in one of both groups.

To enforce the discipline, the java compiler should IMHO at least check if  
all required modules are indeed required and if the transitive required  
modules are indeed transitive. The role of the module-info is way too  
important to simply allow all content. The scope is not just about the  
classes anymore; the complete module tree is now locked into the jar. Any  
mis-configured module-info down the tree can never be fixed by the  
end-user, which could block the end-user to use the modulepath.

just sharing my concerns,
Robert

More information about the jigsaw-dev mailing list