I guess dependency management is circular like fashion :) Are the concerns enumerated in that ticket still valid today? It looks like the makepom command can take a template for the POM, so that might be a way to deal with inconsistencies?
Cheers,

Derek

On Tue, Jul 19, 2022 at 2:35 PM Brandon Williams <dri...@gmail.com> wrote:

> Ivy is actually how we got to MAT:
> https://issues.apache.org/jira/browse/CASSANDRA-2017
>
> Kind Regards,
> Brandon
>
> On Tue, Jul 19, 2022 at 3:33 PM Derek Chen-Becker <de...@chen-becker.org> wrote:
> >
> > Sorry, I put a comment about this in the PR before seeing this. I think if Ivy fits better with Ant, is more compact, and can do everything that we were using MAT for, then that's a reasonable path forward. I don't think Ivy syntax for dependencies will be foreign to anyone familiar with Maven.
> >
> > Derek
> >
> > On Tue, Jul 19, 2022 at 2:03 PM Mick Semb Wever <m...@apache.org> wrote:
> >>
> >> Rehashing some of the aspects raised by the PR…
> >>
> >>> 1. Is it worth addressing this CVE and retired dependency with changes to our build system, or should we suppress it?
> >>
> >> If we are not exposed to the CVE then it should be considered suppressed.
> >> While this might address (remove) the urgency of the matter, it is not an argument against replacing and improving a deprecated and unmaintained dependency.
> >>
> >>> 2. Are there more alternatives to Maven Ant Tasks that should be considered, like Ivy?
> >>
> >> The question here is… If we are to replace MARAT, then *what* dependency framework/format do we want to work with moving forward?
> >>
> >> The choices are:
> >> - maven
> >> - ivy
> >> - gradle
> >>
> >> Note this is ONLY for dependency management, and is only about the replacement for this section: https://github.com/apache/cassandra/blob/315a1a7/build.xml#L507-L873
> >>
> >> It is a requirement that whatever framework/format we choose it can be generated into the pom(s) we publish via repository.apache.org
> >> For example maven pom files would be used directly, ivy could use the `makepom` command and gradle the `maven-publish` plugin.
> >>
> >> Ivy and Gradle provide more compact dependency declarations, Ivy fits in better with Ant, and most are familiar with Maven (and it would avoid the generation step).
> >>
> >> What is the best fit for us moving forward?
> >>
> >
> > --
> > +---------------------------------------------------------------+
> > | Derek Chen-Becker                                             |
> > | GPG Key available at https://keybase.io/dchenbecker and       |
> > | https://pgp.mit.edu/pks/lookup?search=derek%40chen-becker.org |
> > | Fngrprnt: EB8A 6480 F0A3 C8EB C1E7 7F42 AFC5 AFEE 96E4 6ACC   |
> > +---------------------------------------------------------------+
>

--
+---------------------------------------------------------------+
| Derek Chen-Becker                                             |
| GPG Key available at https://keybase.io/dchenbecker and       |
| https://pgp.mit.edu/pks/lookup?search=derek%40chen-becker.org |
| Fngrprnt: EB8A 6480 F0A3 C8EB C1E7 7F42 AFC5 AFEE 96E4 6ACC   |
+---------------------------------------------------------------+