Posted to issues@fineract.apache.org by "Michael Vorburger.ch (JIRA)" <ji...@apache.org> on 2019/07/26 17:10:00 UTC

[jira] [Updated] (FINERACT-761) Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) prevents upgrading Flyway <- Gradle

     [ https://issues.apache.org/jira/browse/FINERACT-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Vorburger.ch updated FINERACT-761:
------------------------------------------
    Fix Version/s: 1.4.0

> Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) prevents upgrading Flyway <- Gradle
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-761
>                 URL: https://issues.apache.org/jira/browse/FINERACT-761
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Build
>            Reporter: Michael Vorburger.ch
>            Assignee: Michael Vorburger.ch
>            Priority: Critical
>             Fix For: 1.4.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Raising an issue for a discussion dedicated to the mess that is blocking FINERACT-700 from proceeding:
>  
> [https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E]
> Also see https://github.com/flyway/flyway/issues/2332
> The TL;DR is that the Apache Fineract project is stuck on very ancient versions of a number of 3rd party tools and libraries, including the Gradle Build tools, JDBC driver, automated code quality tools like FindBugs (which has security related impacts; more recent versions would permit switching to SpotBugs and add automated SQL injection vulnerability scanning and the like). 
> It's a long tail of dependencies, but ultimately it boils down to having to talk to a MariaDB server using the bygone obsolete Drizzle JDBC driver which, as can be seen on https://github.com/krummas/DrizzleJDBC, is simply dead - unmaintained. The obvious solution is to switch to using the current MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see https://downloads.mariadb.org/connector-java/. But there are hesitations to do this due to legal concerns, see FINCN-26 (which is for Fineract CN not for Fineract "Classic", but same story).
> Not entirely sure how to proceed here. In theory, I guess the options are:
> 1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems unreasonable.
> 2. See if there is any way that the impasse on the legal side could be resolved? Perhaps at least for a build time tool which is not shipped there could be an exception? I've opened LEGAL-462 to get an official viewpoint from the Apache.org Legal Affairs Committee...



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)