> So while it would be nice to keep things such that someone just runs ant and 
> gets everything built, given this does not seem to be a standard method of 
> dealing with a go install in build scripts, I would suggest we stop doing it. 
>  It looks to be very simple to install Go, so maybe switch to telling 
> someone how to install it if it is not found, as well as giving them the 
> setting to disable that artifact.
+1 to Jeremiah's thoughts here.

Passing thought - maybe introduce an "ant install-deps" target that'll install 
deps if not found?

On Tue, Apr 29, 2025, at 7:30 AM, Maxim Muzafarov wrote:
> Hey,
> 
> I've prepared a python script that generates the same docs (no go
> dependency). I use the jinja2 dependency, not sure if it's optimal
> because I had to google how to use it though (also not sure if it has
> to be run in docker).
> I haven't tested the generated files with the website, but I've
> compared the results with the same files in the trunk, and they look
> similar (almost).
> 
> https://github.com/apache/cassandra/compare/trunk...Mmuzaf:cassandra:generate-cqlprotodocs-python
> 
> On Tue, 29 Apr 2025 at 10:10, Benedict <bened...@apache.org> wrote:
> >
> > We should never download and install software via adhoc scripts without 
> > user consent. Was this ever discussed on this mailing list? If not, it’s a 
> > clear breach of policy (introducing a new dependency) and a severe one in 
> > my opinion, as it seems to introduce a new supply chain attack vector for 
> > all developers of Cassandra.
> >
> >
> >
> > On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote:
> >
> >>
> >> But that doesn’t seem to be the case here, the script checks for arm vs 
> >> amd64, Linux vs Mac, and then fetches and untars the go distro into tmp. 
> >> There is no verification of the download.  The only check is if curl 
> >> returned non 0.
> >
> >
> >
> > Thanks for catching this, the sha256 check should always have been in 
> > place.  Adding this is just a one-liner, so that alone shouldn't force the 
> > decision.
> >
> >
> >
> >> It looks to be very simple to install Go
> >
> >
> >
> > It takes a bit to ensure all build and CI systems are updated, and we never 
> > catch everything (esp what's downstream).
> >
> >
> > While it's "simple", multiplied by everyone (and every system) it adds up 
> > to be a significant time demand.
> >
> > Again, this too shouldn't be forcing the decision either way on what we 
> > want to do.
> >
> >
> >
> 

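Mick's point above that "the sha256 check should always have been in place" is the one a practitioner wants spelled out. The following is an added shell example, not the Cassandra build script and not code from anyone in this thread, of what download-then-verify-then-untar looks like for a Go tarball. The Go version is only an example, the expected digest is a placeholder that a real script would pin from the checksums published at https://go.dev/dl/ and commit alongside the build, and the helper names (`go_tarball_name`, `verify_archive`, `install_go`) are this example's own.

```shell
#!/bin/sh
# Added example, not the Cassandra build script: fetch a Go release tarball
# and refuse to unpack it unless its SHA-256 matches a pin committed with
# the build. Pins are assumed to come from the checksums published at
# https://go.dev/dl/ ; the digests used here are placeholders for the demo.

set -eu

# Map uname output to Go's release naming (e.g. go1.22.3.linux-amd64.tar.gz).
# The OS/arch strings are Go's own conventions; 1.22.3 is only an example.
go_tarball_name() {
    version=$1; os=$2; arch=$3
    case "$os" in
        Linux)  os=linux ;;
        Darwin) os=darwin ;;
        *) echo "unsupported OS: $os" >&2; return 1 ;;
    esac
    case "$arch" in
        x86_64)        arch=amd64 ;;
        aarch64|arm64) arch=arm64 ;;
        *) echo "unsupported arch: $arch" >&2; return 1 ;;
    esac
    echo "go${version}.${os}-${arch}.tar.gz"
}

# Print the SHA-256 of a file; sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive FILE EXPECTED_SHA256
# Succeeds only on an exact digest match. On mismatch the file is deleted so
# that a later "untar whatever is in tmp" step cannot pick up a bad download.
verify_archive() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$file"
        return 1
    fi
}

# install_go VERSION EXPECTED_SHA256 DEST_DIR
# The order matters: download, verify, and only then untar. "curl -f" alone
# (the only check in the script under discussion) catches HTTP errors, not
# a substituted archive.
install_go() {
    version=$1; expected=$2; dest=$3
    name=$(go_tarball_name "$version" "$(uname -s)" "$(uname -m)")
    tmp=$(mktemp -d)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp/$name" "https://go.dev/dl/$name"
    verify_archive "$tmp/$name" "$expected"
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$tmp/$name"
    rm -rf "$tmp"
}
```

The pinned digest has to live in the repository (or a checksum file that is itself reviewed), not be fetched from the same place as the archive at build time; otherwise an attacker who can substitute the tarball can substitute the checksum too. That pin is also what has to change, in a reviewed commit, whenever the Go version is bumped.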