Posted to pr@cassandra.apache.org by GitBox <gi...@apache.org> on 2022/07/14 21:44:36 UTC

[GitHub] [cassandra] dcapwell commented on pull request #1725: CASSANDRA-17750: Remove Maven Ant Tasks

dcapwell commented on PR #1725:
URL: https://github.com/apache/cassandra/pull/1725#issuecomment-1184922753

   > We define where we download the jar file from, so we can download a patched jar file from any other location (though we want the source open and verifiable).
   
   I am strongly against maintaining a patched jar for a project we do not maintain... that burden is much higher than working with pom files for dependencies in my opinion.
   
   > This makes dependency management harder for the committers and contributors, and it will introduce confusion having the pom.xml file present in the project. I'm not sure it is an approach we want to take (I think further clarification is needed on dev@)
   
   I wouldn't say it makes things harder... right now you have to find all pom files we generate in ant and make sure you update the right one; I mess this up 100% of the time I try to touch our dependencies... Maven pom files are well known and well understood, so easier to reason about than our current model.  If you are new to this project, trying to reverse engineer how our dependencies work in our build is way more complex than just working with the pom files directly... 
   
   Now, can having the pom files confuse people?  Sure, some may think the existence of a `.pom` means we can *build* with maven so anyone who tries may be confused (though our docs always and only say to use `ant`).
   
   > Is there another way to immediately and quickly address https://github.com/advisories/GHSA-8vhq-qq4p-grq3 ?
   
   The only other thing I can think of is to somehow have a new ant task generate the pom files for us... we have a custom plugin in the code right now so a custom plugin to turn xml into... xml... might be reasonable?
   
   >  there's a separate issue (in my opinion) of depending on a build system that doesn't receive security updates, so I opted to follow the advice of Maven Ant Tasks and remove our dependency on the project.
   
   Dead projects become a burden for us to maintain... one thing that bites us is when there is a new version of the JDK that requires our dependencies to update before we can update... when we rely on dead projects we then get forced to not support the latest LTS JDKs, or take the burden of replacing them...  Ekaterina and I have both attempted to get Apache Cassandra to use JDK 17 and that itself is now a large burden due to dependencies...


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


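Two points in the comment above invite a concrete illustration: the idea of a small task that generates the project's `.pom` files from a declarative dependency list ("turn xml into xml"), and the supply-chain caveat that a jar fetched from a location the build controls should be verifiable before it is used. The script below is an added example, not code from Apache Cassandra, from this pull request, or from Maven Ant Tasks. The repository base URL, the coordinates, and the "jar" bytes with their pinned SHA-256 are all constructed for the example; a real build would pin the digest of the artifact it actually intends to ship.

```python
"""Added example: generate a minimal Maven pom.xml from a dependency list,
read it back, map coordinates to the Maven repository layout, and verify a
fetched jar against a pinned SHA-256 before it enters the build.
Not Cassandra's or Maven Ant Tasks' code; all inputs are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
_FIELDS = ("groupId", "artifactId", "version", "scope")


def _q(tag):
    """Namespace-qualify a POM element name for ElementTree."""
    return f"{{{POM_NS}}}{tag}"


def generate_pom(group_id, artifact_id, version, deps):
    """Return pom.xml bytes for the given coordinates.
    deps: iterable of (groupId, artifactId, version, scope) tuples."""
    ET.register_namespace("", POM_NS)  # emit the default POM namespace
    project = ET.Element(_q("project"))
    for tag, text in (("modelVersion", "4.0.0"), ("groupId", group_id),
                      ("artifactId", artifact_id), ("version", version)):
        ET.SubElement(project, _q(tag)).text = text
    dependencies = ET.SubElement(project, _q("dependencies"))
    for dep_tuple in deps:
        dep = ET.SubElement(dependencies, _q("dependency"))
        for tag, text in zip(_FIELDS, dep_tuple):
            ET.SubElement(dep, _q(tag)).text = text
    return ET.tostring(project, encoding="utf-8", xml_declaration=True)


def parse_pom_deps(pom_bytes):
    """Read (groupId, artifactId, version, scope) tuples back out of a pom."""
    root = ET.fromstring(pom_bytes)
    path = f"{_q('dependencies')}/{_q('dependency')}"
    return [tuple(dep.findtext(_q(t)) for t in _FIELDS)
            for dep in root.iterfind(path)]


def artifact_url(repo_base, group_id, artifact_id, version, ext="jar"):
    """Maven repository layout: dots in the groupId become path segments."""
    group_path = group_id.replace(".", "/")
    return (f"{repo_base.rstrip('/')}/{group_path}/{artifact_id}/{version}/"
            f"{artifact_id}-{version}.{ext}")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_jar(jar_bytes, pinned_sha256):
    """True only if the fetched bytes match the digest pinned in the build.
    A mismatch means the build must stop, not fall back to the unverified jar."""
    return hmac.compare_digest(sha256_hex(jar_bytes), pinned_sha256.lower())


# Constructed sample data: a stand-in for jar bytes and its pinned digest.
SAMPLE_JAR = b"abc"
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SAMPLE_DEPS = [("com.example", "widget", "1.2.3", "compile"),
               ("org.example", "tester", "4.5", "test")]


if __name__ == "__main__":
    pom = generate_pom("org.example", "app", "0.1", SAMPLE_DEPS)
    print(pom.decode())
    for g, a, v, _ in parse_pom_deps(pom):
        print(artifact_url("https://repo.example.invalid/maven2", g, a, v))
    print("pinned jar verified:", verify_jar(SAMPLE_JAR, PINNED_SHA256))
```

In a real build the generator would be invoked from the existing `ant` targets in place of the Maven Ant Tasks pom step, and `verify_jar` would run on every artifact the build downloads, with the pinned digests committed next to the dependency list so that a change to either is visible in review.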