Posted to commits@cassandra.apache.org by "Abe Ratnofsky (Jira)" <ji...@apache.org> on 2022/06/01 23:32:00 UTC

[jira] [Commented] (CASSANDRA-16391) Migrate dependency handling from maven-ant-tasks to resolver-ant-tasks

    [ https://issues.apache.org/jira/browse/CASSANDRA-16391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17545199#comment-17545199 ] 

Abe Ratnofsky commented on CASSANDRA-16391:
-------------------------------------------

[~mck] is there a reason why we didn't fully remove Maven Ant Tasks? It's still in use to create POMs, even though artifact resolution has been migrated to Maven Artifact Resolver Ant Tasks as part of this ticket.

 

I'm asking because MAT is fully retired, not receiving security updates, and has open CVEs in pinned dependency versions. I'm working on getting around this by migrating completely to MARAT, but it's lacking a few features we currently depend on in MAT. I'd love to just push a dependency update to MAT (update plexus-utils2); do you know if there's an avenue for that within Apache?

> Migrate dependency handling from maven-ant-tasks to resolver-ant-tasks
> ----------------------------------------------------------------------
>
>                 Key: CASSANDRA-16391
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16391
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build, Dependencies
>            Reporter: Michael Semb Wever
>            Priority: High
>             Fix For: 4.0-rc1, 4.0
>
>
> Cassandra resolves dependencies and generates maven pom files through the use of [maven-ant-tasks|http://maven.apache.org/ant-tasks/]. This is no longer a supported project.
> The recommended upgrade is to [resolver-ant-tasks|http://maven.apache.org/resolver-ant-tasks/]. It follows similar APIs so shouldn't be too impactful a change.
> The existing maven-ant-tasks has caused [some headaches already|https://issues.apache.org/jira/browse/CASSANDRA-16359] with internal super poms referencing insecure http:// central maven repository URLs that are no longer supported.
> We should also take the opportunity to 
>  - define the "test" scope (classpath) for those dependencies only used for tests (currently we are packaging test dependencies into the release binary artefact),
>  - remove the jar files stored in the git repo under the "lib/" folder.
> These two above points have to happen in tandem, as the jar files under {{lib/}} are those that get bundled into the {{build/dist/lib/}} and hence the binary artefact. That is, all jar files under {{lib/}} are the project's "compile" scope, and all other dependencies defined in build.xml are either "provided" or "test" scope. These different scopes for dependencies are currently configured in different maven-ant-tasks poms. See https://github.com/apache/cassandra/commit/d43b9ce5092f8879a1a66afebab74d86e9e127fb#r45659668


