Re: Splitting up the main repo?

2024-04-11 Thread Christofer Dutz
OK, I'm using this thread as proof of consent and will request the new repo as soon as 
possible.

Chris

Sent from Outlook for Android<https://aka.ms/AAb9ysg>

From: Jialin Qiao 
Sent: Monday, April 8, 2024 4:44:35 AM
To: dev@iotdb.apache.org 
Subject: Re: Splitting up the main repo?

+1 for moving these into extra repos.

Jialin Qiao



Re: Splitting up the main repo?

2024-04-07 Thread Jialin Qiao
+1 for moving these into extra repos.

Jialin Qiao

Xiangdong Huang wrote on Sunday, April 7, 2024 at 09:40:
>
> > We surely also pull in a lot of potentially bad dependencies.
>
> and this may be a chance to re-check our dependencies and remove unnecessary ones.
>
> ---
> Xiangdong Huang
>


Re: Splitting up the main repo?

2024-04-06 Thread Xiangdong Huang
> We surely also pull in a lot of potentially bad dependencies.

and this may be a chance to re-check our dependencies and remove unnecessary ones.

---
Xiangdong Huang

Christofer Dutz wrote on Friday, April 5, 2024 at 19:13:
>
> Hi all,
>
> I just wanted to bring up one idea that we decided on in the PLC4X project and 
> seed the idea, in case it would also be worth discussing here.
>
> So, we were seeing that our build kept on having sub-ideal CVE ratings, as we 
> had dependencies for which CVEs were reported.
> However, PLC4X itself has a very limited number of dependencies. The problem 
> was that we had several “integration” modules that pulled in Kafka, Calcite, 
> Nifi and some Eclipse projects.
> Also, a lot of our examples pulled in various third-party libraries, for 
> which vulnerabilities were also reported.
>
> We are currently in the process of splitting up our main repository into a 
> main and an extras repository.
> The main contains the core of the project. The extras contains the examples, 
> additional tools and integration modules (the ones with the many, many 
> dependencies).
> This way we can get a much better security standing for the main repo.
>
> Would this also be a good idea for IoTDB? I know, with our dependencies on:
>
>   *   Flink
>   *   Grafana
>   *   Hadoop
>   *   Hive
>   *   Spark
>   *   Zeppelin (this one is really bad when it comes to CVEs)
>   *   Pulsar (only examples)
>   *   RabbitMQ (only examples)
>   *   RocketMQ (only examples)
>
> We surely also pull in a lot of potentially bad dependencies. If we moved 
> this out the same way, we would probably have a much better CVE ranking.
> This might become problematic in the future, as in Europe and in the US 
> CRE/PLD and other initiatives are taking form.
>
> Chris