I have a closed-source project that I would like to build using Maven. It has a dependency on two java libraries which are not available in any public repository that I've been able to find (libGoogleAnalytics.jar and FlurryAgent.jar in this case, but the question applies to any closed-source dependency).
I would like anyone in my organization to be able to build the application using the exact same versions of the dependencies that I use to build the application. This includes my colleagues and our build-server.
How do I manage closed-source dependencies that maven doesn't know how to resolve?
Obviously, I could go to each person's machine and manually execute "mvn install:install-file" to get the binary into their maven repository, but manually managing dependencies like that defeats the purpose of a dependency manager.
As per maven's Internal Repositories documentation, I could set up a repository server somewhere and put the binaries there, which all the developers would then access. But that means I have a new server to maintain (or at least a new website on an existing server). It also means I have to worry about permissions to ensure that outside parties can't access the repository. It also means I have to worry about backups and availability now so that developers don't run into hiccoughs if the repository is unavailable.
All of these problems would go away for me if I could somehow use our existing scm (hg in this case, but it could be git or svn or whatever) to store the dependencies. Our source control repository is backed up already, it will basically always be available to developers doing builds, and its permissions have already been dealt with.
But I haven't been able to figure out how to manage maven dependencies using hg yet, if this is even possible.
It turns out that Manfred's answer didn't quite work for me. The app compiled, but it did not run on my Android device because the required google analytics classes were missing.
Following the links he supplied, I discovered this solution which is actually a little cleaner and worked properly.
In summary, I added the following dependencies to my pom.xml. The groupId, artifactId, and version were all made up by me using reasonable values:
<dependencies>
...
<dependency>
<groupId>com.google.android.apps.analytics</groupId>
<artifactId>libGoogleAnalytics</artifactId>
<version>1.1</version>
</dependency>
<dependency>
<groupId>com.flurry</groupId>
<artifactId>FlurryAgent</artifactId>
<version>1.24</version>
</dependency>
</dependencies>
I then added a repository definition for where I'm storing the third party dependencies in my project's source tree:
<repository>
<id>third.party.closed.source.repo</id>
<url>file://${basedir}/../maven_repo_3rd_party</url>
</repository>
I then moved the jar files to the following location:
./maven_repo_3rd_party/com/google/android/apps/analytics/libGoogleAnalytics/1.1/libGoogleAnalytics-1.1.jar
./maven_repo_3rd_party/com/flurry/FlurryAgent/1.24/FlurryAgent-1.24.jar
Once I did that, my project compiled and ran exactly as if the third party dependencies were resolved from an official maven repo.