I was just made aware of this discussion and thought I would share a bit.  We 
use Ant+Ivy and Eclipse+IvyDE here (Thomson Reuters) to support dozens of java 
projects.  IvyDE has been working very well for the past many years and I have 
only minor issues with it form time to time.  Mostly an eclipse restart and ivy 
refresh fixes it.  So a big "thank you" to all the maintainers over the years.  
Ant+Ivy has kept us out of Maven or Gradle tangles.

In terms of ongoing maintenance, I have picked up the Groovy Eclipse tools 
(https://github.com/groovy/groovy-eclipse) and the Microsoft Team Explorer 
tools (https://github.com/microsoft/team-explorer-everywhere), so I do have 
experience with Eclipse IDE development.  If someone wants help getting builds 
run and update sites created and verified, I can help with that.  If there are 
bugs in IvyDE that need attention, I could help with that as well.

It sounds to me like Ivy and IvyDE -- even as a retired subproject -- should 
move out from under Apache Ant.  Just for my clarity, is Apache Ivy a top-level 
project or a subproject of Apache Ant?

Eric Milles
ASF member/contributor
Apache Groovy PMC member

On 2023/09/05 16:52:38 Nicolas Lalevée wrote:
> Hi there,
> I used to be involved, especially in IvyDE, and as many, my build tools and 
> my IDE changed (for the IDE I am glad, not for the build tools…). So I had no 
> particular interest of doing any maintenance, so much that lost track of the 
> last releases of Ivy, where I could help. Many many thanks for those still 
> around keep things not completely stalled, especially for those who doesn’t 
> know the code base.
> For IvyDE, we wanted to retire it some years ago. The community raised some 
> interests, so we didn’t proceed. But many years later, the proof is that is 
> not maintained. Me too, I think it should be retired now.
> For the current IvyDE users, it shouldn’t be a concern that IvyDE is retired 
> as an Apache project. You will still be able to continue to use the plugin. 
> The released artifacts of the updatesite are archived [1] and won’t 
> disappear. We would just announcing officially what in practice happens: it 
> is not maintained anymore.
> And we tried our best to be opened on how to build and release the plugin and 
> the updatesite, it is documented [2]. On my machine which just have Ant and 
> Java installed, I just tried and I have been able to build of the updatesite 
> with the last release of Ivy without much effort. Doing a proper Apache 
> release of that is another subject, there are signatures, at least verify 
> that it actually works in a real Eclipse, votes, and so on. And adding 
> features and even fixing bugs is a very big step to get involved, it requires 
> a complete Eclipse SDK setup. But at least headless, if it is required, I 
> think anybody motivated enough should be able to re build it locally, the 
> updatesite too. It wouldn’t be as much user friendly as it is today, but you 
> should be able to work with your preferred IDE and dependency manager for as 
> long as Eclipse is having 4.x versions.
> Due to my particular former involvement in IvyDE (I know it well), and my 
> lack of involvement in the Ant community lately (I don’t read all 
> mailinglists), if you have issues with the build or the code of IvyDE, you 
> can mail on ant-dev@ and CC me directly.
> That’s for IvyDE. For Ivy, it kind of feels different due to the general 
> usage which continues to exists, as we can see people are searching 
> vulnerabilities in it.
> I am very sorry to read about missed opportunities to help new contributors, 
> I didn’t saw them, very sorry about that.
> Then, acknowledging that even fixing vulnerabilities is painful to the 
> community, I think we should accept to declare that we officially stop the 
> maintenance, stop the burden on people involved in the Ant project.
> I hear the user community that we should still try our best to keep 
> maintaining it, it is still worth it, I understand.
> So maybe we can declare a last call. The last maintenance window where only 
> vulnerabilities will be fixed. Months ? 6 ? And hope that before that 
> deadline, there are some interested parties that are willing to do proper 
> maintenance over the project, here at Apache or elsewhere.
> Nicolas
> [1] https://archive.apache.org/dist/ant/ivyde/updatesite/
> [2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html
> > Le 22 août 2023 à 18:02, Stefan Bodewig <bode...@apache.org> a écrit :
> > 
> > Hi all
> > 
> > before I get to the actual content of this mail:
> > 
> > * I'm cross-posting to three lists but I ask you to keep responses to
> >  dev@ant only (and join the list if necessary) if you want to respond.
> > 
> > * what I write is my personal opinion and not shared by the PMC as a
> >  whole. The people on the PMC know I'd be writing a mail like this
> >  sooner or later, though.
> > 
> > * this is a discussion, not a vote.
> > 
> > phew
> > 
> > I'm not quite sure what I hope to achieve with this email, but I'd like
> > to share my thoughts - and raise the awareness of an elephant being in
> > the room.
> > 
> > Over the past year we've had three security vulnerabilities discovered
> > in Ivy and it took us much too long to get them fixed. The reason for
> > this is there are no people left around who are familiar with the Ivy
> > code base. Most of the remaining developers around Ant are not even
> > users of Ivy - I know I am not and have never been.
> > 
> > When it comes to IvyDE things are probably even worse as nobody of us
> > uses Eclipse, either. But then again I've not managed to create an
> > Eclipse update site for the last two Ivy releases so maybe nobody is
> > using IvyDE anymore anyway.
> > 
> > At least *I* don't see myself digging deeper into the Ivy code base in
> > order to fix non-critical bugs. And even for the critical ones I feel we
> > are not doing an adequate job. To me it looks as if Ivy and in
> > particilar IvyDE are no longer really supported by the Ant project.
> > 
> > TBH I'm not quite sure what to do about this. Even if people stepped up
> > to maintain Ivy, the rest of the Ant devs would probably be unable to
> > verify the changes they want to make. At least I certainly am not
> > willing to review bigger PRs/patches to a code base I don't understand
> > well.
> > 
> > Personally I believe we should send IvyDE to the Apache Attic
> > immediately, and this likely should be the destination for Ivy sooner or
> > later as well. In the case of Ivy we know there are people who depend on
> > it (hi, Groovy folks) so maybe we should give a date in the future until
> > which we are providing security bug fixes to give people time to move
> > off.
> > 
> > There may be the need for a dependency management system inside of Ant,
> > I'm not sure. If so, then this should be driven by people who feel the
> > actual need IMO. There may already be alternatives to Ivy I am not aware
> > of.
> > 
> > Stefan
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
> > For additional commands, e-mail: dev-h...@ant.apache.org
> > 

To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org

Reply via email to