Cassandra's Rube Goldberg build system is so incredibly painful to
integrate inside corporate CI environments already... maybe Docker
containers so you don't actually install random tools on the host computer
it might not have privileges to do?

On Wed, Apr 30, 2025 at 6:13 AM Josh McKenzie <jmcken...@apache.org> wrote:

> So while it would be nice to keep things such that someone just runs ant
> and gets everything built, given this does not seem to be a standard method
> of dealing with a go install in build scripts, I would suggest we stop
> doing it. It looks to be very simple to install Go, so maybe switch to
> telling someone how to install it if it is not found, as well as giving
> them the setting to disable that artifact.
>
> +1 to Jeremiah's thoughts here.
>
> Passing thought - maybe introduce an "ant install-deps" target that'll
> install deps if not found?
>
> On Tue, Apr 29, 2025, at 7:30 AM, Maxim Muzafarov wrote:
>
> Hey,
>
> I've prepared a Python script that generates the same docs (no Go
> dependency). I use the jinja2 dependency, not sure if it's optimal
> because I had to google how to use it though (also not sure if it has
> to be run in Docker).
> I haven't tested the generated files with the website, but I've
> compared the results with the same files in the trunk, and they look
> similar (almost).
>
>
> https://github.com/apache/cassandra/compare/trunk...Mmuzaf:cassandra:generate-cqlprotodocs-python
>
> On Tue, 29 Apr 2025 at 10:10, Benedict <bened...@apache.org> wrote:
> >
> > We should never download and install software via ad hoc scripts without
> > user consent. Was this ever discussed on this mailing list? If not, it’s a
> > clear breach of policy (introducing a new dependency) and a severe one in
> > my opinion, as it seems to introduce a new supply chain attack vector for
> > all developers of Cassandra.
> >
> >
> >
> > On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote:
> >
> >>
> >> But that doesn’t seem to be the case here, the script checks for arm vs
> >> amd64, Linux vs Mac, and then fetches and untars the Go distro into tmp.
> >> There is no verification of the download. The only check is if curl
> >> returned non 0.
> >
> >
> >
> > Thanks for catching this, the sha256 check should always have been in
> > place. Adding this is just a one-liner, so that alone shouldn't force the
> > decision.
> >
> >
> >
> >> It looks to be very simple to install Go
> >
> >
> >
> > It takes a bit to ensure all build and CI systems are updated, and we
> > never catch everything (esp what's downstream).
> >
> >
> > While it's "simple", multiplied by everyone (and every system) it adds
> > up to be a significant time demand.
> >
> > Again, this too shouldn't be forcing the decision either way on what we
> > want to do.
> >
> >
> >
>
>
>
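
The sha256 check discussed in this thread, written out as an added example (not the Cassandra build script and not code from any participant): it checks a fetched archive against a digest pinned per OS/architecture and refuses to unpack on a mismatch or a missing pin. The function names, the pin-file format and the locally constructed archive are assumptions; no real Go release digests appear here.

```shell
#!/bin/sh
# Added example: verify a fetched archive against a pinned SHA-256 before unpacking.
# Hypothetical pin file format, one line per platform: "<os> <arch> <sha256-hex>"

# Portable SHA-256 of a file (Linux: sha256sum, macOS: shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_extract ARCHIVE PINFILE OS ARCH DEST
# Returns 0 after unpacking, 1 on digest mismatch, 2 if no pin exists (fail closed).
verify_and_extract() {
    want=$(awk -v os="$3" -v arch="$4" '$1==os && $2==arch {print $3; exit}' "$2")
    [ -n "$want" ] || { echo "no pinned digest for $3/$4" >&2; return 2; }
    got=$(sha256_of "$1")
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch for $1: got ${got:-none}, want $want" >&2
        return 1
    fi
    mkdir -p "$5" && tar -xzf "$1" -C "$5"
}

# Offline self-test on a constructed archive standing in for the downloaded tarball.
selftest() {
    work=$(mktemp -d) || return 1
    echo "constructed payload" > "$work/tool.txt"
    tar -czf "$work/tool.tar.gz" -C "$work" tool.txt
    # In a real build the pin file is committed to the repository, never fetched
    # from the same place as the archive it vouches for.
    echo "linux amd64 $(sha256_of "$work/tool.tar.gz")" > "$work/pins.txt"
    verify_and_extract "$work/tool.tar.gz" "$work/pins.txt" linux amd64 "$work/out" || return 1
    [ -f "$work/out/tool.txt" ] || return 1
    echo "tampered" >> "$work/tool.tar.gz"   # simulate a modified download
    if verify_and_extract "$work/tool.tar.gz" "$work/pins.txt" linux amd64 "$work/out2" 2>/dev/null
    then return 1; fi
    [ ! -e "$work/out2" ] || return 1        # nothing was unpacked on mismatch
    rm -rf "$work"
}

selftest && echo "selftest passed"
```

A curl exit status only says the transfer completed; the pinned digest is what ties the bytes to a version someone reviewed.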
