JLBP and Vendoring

[elharo]

JLBP-18 only discusses shading. Consider what, if anything, to say about "vendoring" as used by the Beam project. Per Aaron Dixon on the beam developer list:

With SHADING you have your project (e.g., Beam) depend directly on Guava and its public package names. Your build will then compile and link to these package names and only after-the-fact [1] rewrite the byte-code to rename the guava package. This entails both byte-code rewriting the Guava class files (to rename the packages of the Guava code itself) and byte-code rewriting all of your project class files that import Guava (to change the import to use the new package name). With VENDORING you release a renamed Guava ("vendor") JAR and depend on that directly from your project. So your project's source code itself imports the (repackaged) vendor JAR and depends on the renamed packages directly. Your project build then has no need for shading or byte code rewriting of its own classes. I see vendoring making it very clear what is going on when looking at a project's source code and its dependencies, and there are likely other tangible brass-tacks benefits to vendoring besides the conceptual clarity over shading.

[suztomo]

Vendoring uses shading, and thus has all the problems described in JLBP-18. Yet, I feel vendoring is slightly better approach than mere shading, because the shaded classes are maintained in a different Maven package and, for Beam's case, the Java package contains its version. For example org.apache.beam.vendor.guava.v26_0_jre.com.google.common.base.Preconditions.checkArgument.