Ivy is actually how we got to MAT: https://issues.apache.org/jira/browse/CASSANDRA-2017
Kind Regards, Brandon On Tue, Jul 19, 2022 at 3:33 PM Derek Chen-Becker <de...@chen-becker.org> wrote: > > Sorry, I put a comment about this in the PR before seeing this. I think if > Ivy fits better with Ant, is more compact, and can do everything that we were > using MAT for, then that's a reasonable path forward. I don't think Ivy > syntax for dependencies will be foreign to anyone familiar with Maven. > > Derek > > On Tue, Jul 19, 2022 at 2:03 PM Mick Semb Wever <m...@apache.org> wrote: >> >> >> >> Rehashing some of the aspects raised by the PR… >> >> >>> >>> 1. Is it worth addressing this CVE and retired dependency with changes to >>> our build system, or should we suppress it? >> >> >> >> If we are not exposed to the CVE then it should be considered suppressed. >> While this might address (remove) the urgency of the matter, it is not an >> argument against replacing and improving a deprecated and unmaintained >> dependency. >> >> >> >>> >>> 2. Are there more alternatives to Maven Ant Tasks that should be >>> considered, like Ivy? >> >> >> >> The question here is… If we are to replace MARAT, then *what* dependency >> framework/format do we want to work with moving forward? >> >> The choices are: >> - maven >> - ivy >> - gradle >> >> Note this is ONLY for dependency management, and is only about the >> replacement for this section: >> https://github.com/apache/cassandra/blob/315a1a7/build.xml#L507-L873 >> >> It is a requirement that whatever framework/format we choose it can >> generated into the pom(s) we publish via repository.apache.org >> For example maven pom files would be used directly, ivy could use the >> `makepom` command and gradle the `maven-publish` plugin. >> >> Ivy and Gradle provide more compact dependency declarations, Ivy fits in >> better with Ant, and most are familiar with Maven (and it would avoid the >> generation step). >> >> What is the best fit for us moving forward? >> >> >> >> > > > > -- > +---------------------------------------------------------------+ > | Derek Chen-Becker | > | GPG Key available at https://keybase.io/dchenbecker and | > | https://pgp.mit.edu/pks/lookup?search=derek%40chen-becker.org | > | Fngrprnt: EB8A 6480 F0A3 C8EB C1E7 7F42 AFC5 AFEE 96E4 6ACC | > +---------------------------------------------------------------+ >
