+1 for moving these into extra repos. Jialin Qiao
Xiangdong Huang <saint...@gmail.com> 于2024年4月7日周日 09:40写道: > > > We surely also pull in a lot of potentially bad dependencies. > > and this may be a chance to re-check our dependencies and remove unnecessary.. > > ----------------------------------- > Xiangdong Huang > > Christofer Dutz <christofer.d...@c-ware.de> 于2024年4月5日周五 19:13写道: > > > > Hi all, > > > > I just wanted to bring up one idea that we decided in the PLC4X project and > > seed the idea, if this would also be worth discussing here. > > > > So, we were seeing that our build kept on having sub-ideal CVE ratings as > > we had dependencies for which CVEs were reported. > > However, PLC4X itself has a very limited number of dependencies. The > > problem was that we had several “integration” modules, that pulled in > > Kafka, Calcite, Nifi and some Eclipse projects. > > Also did a lot of our examples pull in various third party libraries, for > > which also vulnerabilities were reported. > > > > We are currently in the process of splitting up our main repository into a > > main and an extras repository. > > The main contains the core of the project. The extras contains the > > examples, additional tools and integration modules (The ones with the many, > > many dependencies) > > This way we can get a much better secutity standing for the main repo. > > > > Would this also be a good idea for IoTDB? I know with our dependencies to: > > > > * Flink > > * Grafana > > * Hadoop > > * Hive > > * Spark > > * Zeppelin (this one is really bad when it comes to CVEs) > > * Pulsar (only examples) > > * RabbitMQ (only examples) > > * RocketMQ (only examples) > > > > We surely also pull in a lot of potentially bad dependencies. If we moved > > this out the same way we would probably have a much better CVE ranking. > > This might become problematic in the future as in Europe and in the US > > CRE/PLD and other initiatives are taking form. > > > > Chris