> So while it would be nice to keep things such that someone just runs ant and
> gets everything built, given this does not seem to be a standard method of
> dealing with a go install in build scripts, I would suggest we stop doing it.
> It looks to be very simple to install Go, so maybe switch to telling
> someone how to install it if it is not found, as well as giving them the
> setting to disable that artifact.

+1 to Jeremiah's thoughts here.

Passing thought - maybe introduce an "ant install-deps" target that'll install deps if not found?

On Tue, Apr 29, 2025, at 7:30 AM, Maxim Muzafarov wrote:
> Hey,
>
> I've prepared a python script that generates the same docs (no go
> dependency). I use the jinja2 dependency, not sure if it's optimal
> because I had to google how to use it though (also not sure if it has
> to be run in docker).
> I haven't tested the generated files with the website, but I've
> compared the results with the same files in the trunk, and they look
> similar (almost).
>
> https://github.com/apache/cassandra/compare/trunk...Mmuzaf:cassandra:generate-cqlprotodocs-python
>
> On Tue, 29 Apr 2025 at 10:10, Benedict <bened...@apache.org> wrote:
> >
> > We should never download and install software via adhoc scripts without
> > user consent. Was this ever discussed on this mailing list? If not, it's a
> > clear breach of policy (introducing a new dependency) and a severe one in
> > my opinion, as it seems to introduce a new supply chain attack vector for
> > all developers of Cassandra.
> >
> > On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote:
> >
> > > .
> > >
> > >> But that doesn't seem to be the case here, the script checks for arm vs
> > >> amd64, Linux vs Mac, and then fetches and untars the go distro into tmp.
> > >> There is no verification of the download. The only check is if curl
> > >> returned non 0.
> > >
> > > Thanks for catching this, the sha256 check should always have been in
> > > place. Adding this is just a one-liner, so that alone shouldn't force the
> > > decision.
> > >
> > >> It looks to be very simple to install Go
> > >
> > > It takes a bit to ensure all build and CI systems are updated, and we never
> > > catch everything (esp what's downstream).
> > >
> > > While it's "simple", multiplied by everyone (and every system) it adds up
> > > to be a significant time demand.
> > >
> > > Again, this too shouldn't be forcing the decision either way on what we
> > > want to do.
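The sha256 check and the opt-in behaviour discussed in the thread, as an added example that is not the Cassandra build script: a POSIX shell helper that uses an installed go if present, otherwise downloads a toolchain only when the user has opted in, and only extracts it after the digest matches a value pinned in the build. The URL, the pinned digest and the ALLOW_TOOLCHAIN_DOWNLOAD variable are placeholders.

```shell
#!/bin/sh
# Added example (not the Cassandra build script): install a toolchain only
# with explicit opt-in, and only after the download's SHA-256 matches a
# digest pinned in the build. Variable names and URLs are placeholders.
set -eu

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# 0 if the file's digest equals the pinned digest, 1 otherwise.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Download, verify, then extract. Fails closed: on mismatch the file is
# deleted and nothing is extracted, so a tampered download never reaches the build.
fetch_verified_tarball() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp -d)
  curl -fsSL "$url" -o "$tmp/archive.tgz"
  if ! verify_sha256 "$tmp/archive.tgz" "$expected"; then
    echo "sha256 mismatch for $url; refusing to extract" >&2
    rm -rf "$tmp"
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$tmp/archive.tgz" -C "$dest"
  rm -rf "$tmp"
}

# Use an existing go if present; otherwise only download when the user has
# opted in (placeholder variable ALLOW_TOOLCHAIN_DOWNLOAD=1), else explain.
ensure_go() {
  if command -v go >/dev/null 2>&1; then
    return 0
  fi
  if [ "${ALLOW_TOOLCHAIN_DOWNLOAD:-0}" != "1" ]; then
    echo "go not found; install it from https://go.dev/dl/ or set ALLOW_TOOLCHAIN_DOWNLOAD=1" >&2
    return 1
  fi
  # Placeholder URL/digest: pin the vendor-published digest for the exact version/platform.
  fetch_verified_tarball "https://example.invalid/go.tar.gz" "<pinned-sha256>" "$1"
}
```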