[
https://issues.apache.org/jira/browse/CASSANDRA-18877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17769164#comment-17769164
]
Stefan Miklosovic commented on CASSANDRA-18877:
-----------------------------------------------
_I disagree with this statement. build/lib/jars it not production code_
yet people can just commit the sources not meant for the production code and we
ship it. If byteman was not Apache 2.0 licensed, since we ship that, we just
violated the licencing, is not that true? Nobody cares it is not invoked.
> remove bytebuddy / byteman from production classpath and remove compress-lzf
> dependency from build deps
> -------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-18877
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18877
> Project: Cassandra
> Issue Type: Task
> Components: Build
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 4.0.x, 4.1.x, 5.x
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I was digging in the project deps and if you compare all libs in "libs" dir
> and all libs in "build/lib/jars", there are indeed some differences which are
> OK however in build/lib/jars there are also libraries for byteman and
> byte-buddy. This is clearly wrong as these dependecies should not be
> accessible from the production code, only from tests.
> The reason they are accessible in prod code is that there is the class
> TestRateLimiter (1). I do not have a clue why that class is in the prod code
> in the first place. The only place it is referenced in is here (2) but that
> byteman script is not loaded anywhere in tests. I was also checking Python
> dtests.
> I think this is some leftover or something like "I will keep it here when I
> need it", but as nobody seems to do, I strongly advocate for removing it and
> making bytebuddy and byteman only test scoped dependencies as it should be.
> A reader who pays attention notices that these dependencies are of provided
> scope which is a trick to have it compilable but not among the libraries in
> the production runtime and it does not do any harm as it is never invoked
> from the production code (if it was, it would fail on missing imports)
> neverthless this is still an issue which should be addressed. We were doing
> something similar with assertj dependency recently.
> The second issue is that there is a dependency on compress-lzf in build
> dependencies. This is not necessary either as that library was removed from
> the repository in (3) but it still somehow leaked to the build process again.
> (1)
> https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/utils/TestRateLimiter.java
> (2)
> https://github.com/apache/cassandra/blob/trunk/test/resources/byteman/mutation_limiter.btm
> (3)
> https://github.com/apache/cassandra/commit/fc92db2b9b56c143516026ba29cecdec37e286bb
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
