[ 
https://issues.apache.org/jira/browse/FINERACT-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Vorburger.ch updated FINERACT-761:
------------------------------------------
    Description: 
Raising an issue for a discussion dedicated to the mess that is blocking 
FINERACT-700 from proceeding:
 
[https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E]

Also see https://github.com/flyway/flyway/issues/2332

The TL;DR is that the Apache Fineract project is stuck on very ancient versions 
of a number of 3rd party tools and libraries, including the Gradle Build tools, 
JDBC driver, automated code quality tools like FindBugs (which has security 
related impacts; more recent versions would permit switching to SpotBugs and 
add automated SQL injection vulnerability scanning and the like). 

It's a long tail of dependencies, but ultimately it boils down to having to talk 
to a MariaDB server using the bygone obsolete Drizzle JDBC driver which, as can 
be seen on https://github.com/krummas/DrizzleJDBC, is simply dead - 
unmaintained.  The obvious solution is to switch to using the current 
MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see 
https://downloads.mariadb.org/connector-java/. But there are hesitations to do 
this due to legal concerns, see FINCN-26 (which is for Fineract CN not for 
Fineract "Classic", but same story).

Not entirely sure how to proceed here. In theory, I guess the options are:

1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems 
unreasonable.

2. See if there is any way that the impasse on the legal side could be 
resolved? Perhaps at least for a build time tool which is not shipped there 
could be an exception? I've opened LEGAL-462 to get an official viewpoint from 
the Apache.org Legal Affairs Committee...

  was:
Raising an issue for a discussion dedicated to the mess that is blocking 
FINERACT-700 from proceeding:
 
[https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E]

The TL;DR is that the Apache Fineract project is stuck on very ancient versions 
of a number of 3rd party tools and libraries, including the Gradle Build tools, 
JDBC driver, automated code quality tools like FindBugs (which has security 
related impacts; more recent versions would permit switching to SpotBugs and 
add automated SQL injection vulnerability scanning and the like). 

It's a long tail of dependencies, but ultimately it boils down to having to talk 
to a MariaDB server using the bygone obsolete Drizzle JDBC driver which, as can 
be seen on https://github.com/krummas/DrizzleJDBC, is simply dead - 
unmaintained.  The obvious solution is to switch to using the current 
MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see 
https://downloads.mariadb.org/connector-java/. But there are hesitations to do 
this due to legal concerns, see FINCN-26 (which is for Fineract CN not for 
Fineract "Classic", but same story).

Not entirely sure how to proceed here. In theory, I guess the options are:

1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems 
unreasonable.

2. See if there is any way that the impasse on the legal side could be 
resolved? Perhaps at least for a build time tool which is not shipped there 
could be an exception? I've opened LEGAL-462 to get an official viewpoint from 
the Apache.org Legal Affairs Committee...


> Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) 
> prevents upgrading Flyway <- Gradle
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: FINERACT-761
>                 URL: https://issues.apache.org/jira/browse/FINERACT-761
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Build
>            Reporter: Michael Vorburger.ch
>            Assignee: Michael Vorburger.ch
>            Priority: Critical
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
