On Thu, 2016-01-28 at 16:26 +0100, Andreas Tille wrote: > As far as I understand its renamed by the same author. You're right. I didn't realize this. > I perfectly agree - but I have no idea how to find the according > source > code. I feel a bit unsafe to checkout the new repository and > checkout > the last commit with the old name. Based on the history of the repo, it appears to be the same project by the same author. I don't think it's too much of a stretch to use this new repo. If you want to be extra cautious, you could compare source of the sources.jar in maven central to one of the old tags in github to see if there are any significant changes. In fact, I believe most debian projects use a slightly different version of plugins than what is called for in the project so that we can deploy a single version in debian. Sometimes this means security fixes. Other times, there is no benefit. > Or may be I should write a d/watch > file containing > > > https://github.com/davidB/scala-maven-plugin/releases?after=3.1.1 > .*/archive/v*(2\.[\d.-]+)\.(?:tar(?:\.gz|\.bz2)?|tgz) > > > which is a bit weak but fetches (at least at this point in time) the > latest version of scala-maven-plugin 2.x - which seems to be the old > version you were suggesting to use. The purpose of the watch file is to check for new releases. I believe github releases are ordered by date, so you'll have to remove the ?after=3.1.1. If the author happens create a hotfix 2.x branch and another release, you'll miss it since the new release would be before (date ordered) 3.1.1. I don't have any better ideas for you. It sounds like a good approach to me. You could also send a patch upstream to upgrade to the latest scala-maven-plugin which means less smoke and mirrors in the future. Andrew
Attachment:
signature.asc
Description: This is a digitally signed message part