Are core maven plugins on the same release cycle as maven itself?

Question

In a variety of places online I have seen it discussed that for a maven build to be reproducible it is important to explicitly specify the version numbers of all the plugins used so that a newer plugin does not break the build. The recommend approach seemed to be to use the enforcer plugin. Below is a copy and pasted settings I found online.

<execution>
    <id>enforce-plugin-versions</id>
    <goals>
        <goal>enforce</goal>
    </goals>
    <configuration>
        <rules>
            <requirePluginVersions>
                <message>Best Practice is to always define plugin versions!</message>
                <banLatest>true</banLatest>
                <banRelease>true</banRelease>
                <banSnapshots>true</banSnapshots>
                <phases>clean,deploy,site</phases>
                <additionalPlugins>
                    <additionalPlugin>org.apache.maven.plugins:maven-eclipse-plugin</additionalPlugin>
                    <additionalPlugin>org.apache.maven.plugins:maven-reactor-plugin</additionalPlugin>
                </additionalPlugins>
                <unCheckedPluginList>org.apache.maven.plugins:maven-enforcer-plugin,org.apache.maven.plugins:maven-idea-plugin</unCheckedPluginList>
            </requirePluginVersions>
        </rules>
    </configuration>
</execution>

When I run the pom I get the following error from the enforcer plugin.

[INFO] --- maven-enforcer-plugin:1.1.1:enforce (enforce-plugin-versions) @ seedling ---
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.RequirePluginVersions failed with message:
Some plugins are missing valid versions:(LATEST RELEASE SNAPSHOT are not allowed )
org.apache.maven.plugins:maven-clean-plugin.    The version currently in use is 2.4.1
org.apache.maven.plugins:maven-deploy-plugin.   The version currently in use is 2.7
org.apache.maven.plugins:maven-install-plugin.  The version currently in use is 2.3.1
org.apache.maven.plugins:maven-site-plugin.     The version currently in use is 3.0
org.apache.maven.plugins:maven-reactor-plugin.  The version currently in use is 1.0
org.apache.maven.plugins:maven-eclipse-plugin.  The version currently in use is 2.9
Best Practice is to always define plugin versions!

It seems to me that some plugins are such as maven-clean-plugin,maven-install-plugin,maven-reactor-plugin are a core central part of maven, and i should have the versions of these "core" plugins tied to the version of maven that I am using.

My questions:

1. Are plugin versions on the same release cycle as a maven itself?
2. Is there a group of core maven plugins that comprise a maven release? If yes, how to get a list of such plugins for a maven release?
3. When I see a maven release such as 3.0.4 is that version inclusive of some core plugins, or will it always get the latest plugins such as reactor that were released after maven 3.0.4 were released?
4. Is there a way to say to maven use plugins that were released at the time that 3.0.4 was released?
5. How is compatibility between different plugin versions indicated, is there some convention that is universally followed by plugins such as all minor 2.x are all compatible with each other but 3.x is not compatible with 2.x?
6. Is the practice of specifying plugin version numbers really a best pest practice or just overkill?

Answer 1

Maven binds some plugin to its lifecycle phases, e.g. the maven-compiler-plugin to the compile phase, the maven-install-plugin to the install phase and so on. These are the plugins that you mean by "a core central part of maven". However, these plugins have an individual release cycle. For example, take a look at the maven-deploy-plugin which is bound to maven's deploy lifecycle phase. The latest release (2.7) was in October 2011 whereas the latest Maven release (3.0.4) was in January 2012. Another example is the maven-compiler-plugin whose latest release was in June 2012, half a year after the release of Maven 3.0.4.

To answer your questions in particular:

1. No, they aren't. Each plugin has its own release cycle. See the examples above.
2. There are various plugins that are bound to Maven's package-specific lifecycle phases. You can consider these as "core maven plugins". Take a look at the maven book to get a complete list.
3. If you don't specify the plugin versions in your POM files, maven will use the latest release of each used plugin.
4. No. If this is a requirement for you, you can find the release dates of the plugins on http://search.maven.org and compare them to the latest release of Maven. But this shouldn't be necessary, if you specify the version of each used plugin in your POM file and maven produces the corrects artifacts for you.
5. There are no compatibility problems (at least no problems that I know of) between different maven plugins. For different version of the same plugin, you have to try it and see if your specific project works with a new version of a plugin.
6. If you want reproducible builds, it's a must.

Answer 2

Here the answers to the list of questions:

1. No
2. No. Maven itself has a small kernel but there are no plugins in the kernel. All plugins will be downloaded during the run if they needed. In Maven 2 there had been some parts of maven which are released with Maven itself (parts of the site generation) which has been changed with Maven 3.
3. No a Maven release includes a super pom which contains the definitions of some plugins versions etc. but only via the super pom.
4. No you can't define the time of a release only via the versions.
5. The different plugins are maintained by different communities / people and they have different opinions of versions and their relationship to the maven release. Usually the sites of the appropriate plugins will document that if it's documented (for example maven-site-plugin).
6. Yes it is and works for different Maven releases without any problems.