dchenbecker commented on PR #1725: URL: https://github.com/apache/cassandra/pull/1725#issuecomment-1189507646
> If this is accurate… I think it's important to stress: that is that we can ignore the CVE. That this is an improvement to replace a deprecated and unmaintained dependency, but otherwise nothing urgent or broken today.

I just want to point out that there are end users with compliance requirements that may preclude use of software with known vulnerabilities, even in test dependencies. Based on my own experience with compliance audits it may not be problematic for the majority of end users, but I don't think we can authoritatively say the current state is not broken for some.

As for the patch itself, if we're already dealing with POM files as build artifacts, using a couple of well-defined POM files to generate others doesn't feel all that clunky if it means removing a known unsupported library with open CVEs. Or at least, no more clunky than the rest of the ANT-based build system. That's not a dig at ANT, just an admission that a sufficiently complex project will generally have a similar complexity in its build system. If we were using Maven, Gradle, or whatever else there would still be a lot of complex custom code to handle some of the existing build logic; it would just be in Maven XML or Groovy/Java/Kotlin.