You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/05/11 19:23:00 UTC

[jira] [Commented] (FINERACT-761) Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) prevents upgrading Flyway <- Gradle

    [ https://issues.apache.org/jira/browse/FINERACT-761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17104778#comment-17104778 ] 

Michael Vorburger commented on FINERACT-761:
--------------------------------------------

For the record: Through pixie dust and fairy magic, we actually did finally manage to upgrade Flyway in FINERACT-810.

> Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) prevents upgrading Flyway <- Gradle
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-761
>                 URL: https://issues.apache.org/jira/browse/FINERACT-761
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Build
>            Reporter: Michael Vorburger
>            Assignee: Michael Vorburger
>            Priority: Critical
>             Fix For: 1.4.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Raising an issue for a discussing dedicated to the mess that is blocking FINERACT-700 from proceeding:
>  
> [https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E]
> Also see https://github.com/flyway/flyway/issues/2332
> The TL;DR is that the Apache Fineract project is stuck on very ancient versions of a number of 3rd party tools and libraries, including the Gradle Build tools, JDBC driver, automated code quality tools like FindBugs (which has security related impacts; more recent versions would permit switching to SpotBugs and add automated SQL injection vulnerability scanning and the like). 
> It's a long tail of depencies, but ultimately it boils down to having to talk to a MariaDB server using the bygone obsolete Drizzle JDBC driver which is can be seen on https://github.com/krummas/DrizzleJDBC is simply dead - unmaintained.  The obvious solution is to switch to using the current MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see https://downloads.mariadb.org/connector-java/. But there are hesitations to do this due to legal concerns, see FINCN-26 (which is for Fineract CN not for Fineract "Classic", but same story).
> Not entirely sure how to proceed here. In theory, I guess the options are:
> 1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems unreasonable.
> 2. See if there is any way that the impasse on the legal side could be resolved? Perhaps at least for a build time tool which is not shipped there could be an exception? I've opened LEGAL-462 to get an official viewpoint from the Apache.org Legal Affairs Committee...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)