[
https://issues.apache.org/jira/browse/FINERACT-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Vorburger.ch resolved FINERACT-761.
-------------------------------------------
Resolution: Fixed
> Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time)
> prevents upgrading Flyway <- Gradle
> --------------------------------------------------------------------------------------------------------------
>
> Key: FINERACT-761
> URL: https://issues.apache.org/jira/browse/FINERACT-761
> Project: Apache Fineract
> Issue Type: Bug
> Components: Build
> Reporter: Michael Vorburger.ch
> Assignee: Michael Vorburger.ch
> Priority: Critical
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Raising an issue for a discussion dedicated to the mess that is blocking
> FINERACT-700 from proceeding:
>
> [https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E]
> Also see https://github.com/flyway/flyway/issues/2332
> The TL;DR is that the Apache Fineract project is stuck on very ancient
> versions of a number of 3rd party tools and libraries, including the Gradle
> Build tools, JDBC driver, automated code quality tools like FindBugs (which
> has security related impacts; more recent versions would permit switching to
> SpotBugs and add automated SQL injection vulnerability scanning and the
> like).
> It's a long tail of dependencies, but ultimately it boils down to having to talk
> to a MariaDB server using the bygone obsolete Drizzle JDBC driver which, as
> can be seen on https://github.com/krummas/DrizzleJDBC, is simply dead -
> unmaintained. The obvious solution is to switch to using the current
> MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see
> https://downloads.mariadb.org/connector-java/. But there are hesitations to
> do this due to legal concerns, see FINCN-26 (which is for Fineract CN not for
> Fineract "Classic", but same story).
> Not entirely sure how to proceed here. In theory, I guess the options are:
> 1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems
> unreasonable.
> 2. See if there is any way that the impasse on the legal side could be
> resolved? Perhaps at least for a build time tool which is not shipped there
> could be an exception? I've opened LEGAL-462 to get an official viewpoint
> from the Apache.org Legal Affairs Committee...