I agree with what Stefan notes in his mail. Some years back when I started contributing to Ivy, I realized that the documentation (formal or informal) related to the internal implementation details of Ivy is non-existent. Sometimes I had to select a file, go over its commit history then go read all JIRAs that were part of those commit logs and even then, a lot of the information was either missing or outdated. At that time, I used to use Ivy in some of our projects, so I could keep refreshing with the code base and relate to it, so that whenever I had to fix a bug or add something, I had the previous collected knowledge of the Ivy code already fresh (to some extent) in my mind. It's now been some years since I have used Ivy and I no longer have the Ivy codebase knowledge in my mind. Like Stefan noted, these recent vulnerability fixes took the Ant team a lot of time and energy to fix because of these issues. Personally, I don't expect myself to have the ability to continue contributing to Ivy.

As for IvyDE, on the development front, it has seen no movement. I am not even sure if it builds with the current Eclipse versions. I hadn't contributed to it, but I remember that when releasing Ivy 2.5.0, it was a struggle to update the IvyDE update site.

-Jaikiran

On 22/08/23 9:32 pm, Stefan Bodewig wrote:
Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
   dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
   whole. The people on the PMC know I'd be writing a mail like this
   sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like
to share my thoughts - and raise the awareness of an elephant being in
the room.

Over the past year we've had three security vulnerabilities discovered
in Ivy and it took us much too long to get them fixed. The reason for
this is there are no people left around who are familiar with the Ivy
code base. Most of the remaining developers around Ant are not even
users of Ivy - I know I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us
uses Eclipse, either. But then again I've not managed to create an
Eclipse update site for the last two Ivy releases so maybe nobody is
using IvyDE anymore anyway.

At least *I* don't see myself digging deeper into the Ivy code base in
order to fix non-critical bugs. And even for the critical ones I feel we
are not doing an adequate job. To me it looks as if Ivy and in
particular IvyDE are no longer really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up
to maintain Ivy, the rest of the Ant devs would probably be unable to
verify the changes they want to make. At least I certainly am not
willing to review bigger PRs/patches to a code base I don't understand
well.

Personally I believe we should send IvyDE to the Apache Attic
immediately, and this likely should be the destination for Ivy sooner or
later as well. In the case of Ivy we know there are people who depend on
it (hi, Groovy folks) so maybe we should give a date in the future until
which we are providing security bug fixes to give people time to move
off.

There may be the need for a dependency management system inside of Ant,
I'm not sure. If so, then this should be driven by people who feel the
actual need IMO. There may already be alternatives to Ivy I am not aware
of.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org

