Re: Future of Ivy and IvyDE

2023-12-04 Thread Stefan Bodewig
Hi Eric

On 2023-12-04, Eric Milles wrote:

> It sounds to me like Ivy and IvyDE -- even as a retired subproject -- should 
> move out from under Apache Ant.  Just for my clarity, is Apache Ivy a 
> top-level project or a subproject of Apache Ant?

The top level ASF project here is "Apache Ant" and the corresponding PMC
oversees the Ant build tool, Apache Ivy, a few "Antlibs" and up to their
retirement IvyDE, EasyAnt and Antidote.

You may be aware of ASF discussions on the term "subproject" in other
places. We've called Ivy and IvyDE "projects", but that's just a
word. They are/have been components with releases the Ant PMC voted on -
just like the Ant build tool. Technically the Ant top-level project has
a single set of committers who are committers to all Ant "projects" and
release votes have always involved the full PMC.

Does that help?

Cheers

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Re: Future of Ivy and IvyDE

2023-12-04 Thread Craig Hunt
If this happens I will donate and admin a new MySDK.org website for the ASF
FOSS user group community. I am a major fan of ANT and see IVY and Eclipse
IDE bridge as critical. I will set up an email contact for me tonight at
r...@mysdk.org if you to reach me in the future. Kind regards.
m...@craighunt.us



On Mon, Dec 4, 2023, 10:15 AM Eric Milles  wrote:

> Hello,
> I was just made aware of this discussion and thought I would share a bit.
> We use Ant+Ivy and Eclipse+IvyDE here (Thomson Reuters) to support dozens
> of java projects.  IvyDE has been working very well for the past many years
> and I have only minor issues with it form time to time.  Mostly an eclipse
> restart and ivy refresh fixes it.  So a big "thank you" to all the
> maintainers over the years.  Ant+Ivy has kept us out of Maven or Gradle
> tangles.
>
> In terms of ongoing maintenance, I have picked up the Groovy Eclipse tools
> (https://github.com/groovy/groovy-eclipse) and the Microsoft Team
> Explorer tools (https://github.com/microsoft/team-explorer-everywhere),
> so I do have experience with Eclipse IDE development.  If someone wants
> help getting builds run and update sites created and verified, I can help
> with that.  If there are bugs in IvyDE that need attention, I could help
> with that as well.
>
> It sounds to me like Ivy and IvyDE -- even as a retired subproject --
> should move out from under Apache Ant.  Just for my clarity, is Apache Ivy
> a top-level project or a subproject of Apache Ant?
>
> Eric Milles
> ASF member/contributor
> Apache Groovy PMC member
>
> On 2023/09/05 16:52:38 Nicolas Lalevée wrote:
> > Hi there,
> >
> > I used to be involved, especially in IvyDE, and as many, my build tools
> and my IDE changed (for the IDE I am glad, not for the build tools…). So I
> had no particular interest of doing any maintenance, so much that lost
> track of the last releases of Ivy, where I could help. Many many thanks for
> those still around keep things not completely stalled, especially for those
> who doesn’t know the code base.
> >
> > For IvyDE, we wanted to retire it some years ago. The community raised
> some interests, so we didn’t proceed. But many years later, the proof is
> that is not maintained. Me too, I think it should be retired now.
> >
> > For the current IvyDE users, it shouldn’t be a concern that IvyDE is
> retired as an Apache project. You will still be able to continue to use the
> plugin. The released artifacts of the updatesite are archived [1] and won’t
> disappear. We would just announcing officially what in practice happens: it
> is not maintained anymore.
> >
> > And we tried our best to be opened on how to build and release the
> plugin and the updatesite, it is documented [2]. On my machine which just
> have Ant and Java installed, I just tried and I have been able to build of
> the updatesite with the last release of Ivy without much effort. Doing a
> proper Apache release of that is another subject, there are signatures, at
> least verify that it actually works in a real Eclipse, votes, and so on.
> And adding features and even fixing bugs is a very big step to get
> involved, it requires a complete Eclipse SDK setup. But at least headless,
> if it is required, I think anybody motivated enough should be able to re
> build it locally, the updatesite too. It wouldn’t be as much user friendly
> as it is today, but you should be able to work with your preferred IDE and
> dependency manager for as long as Eclipse is having 4.x versions.
> >
> > Due to my particular former involvement in IvyDE (I know it well), and
> my lack of involvement in the Ant community lately (I don’t read all
> mailinglists), if you have issues with the build or the code of IvyDE, you
> can mail on ant-dev@ and CC me directly.
> >
> > That’s for IvyDE. For Ivy, it kind of feels different due to the general
> usage which continues to exists, as we can see people are searching
> vulnerabilities in it.
> >
> > I am very sorry to read about missed opportunities to help new
> contributors, I didn’t saw them, very sorry about that.
> >
> > Then, acknowledging that even fixing vulnerabilities is painful to the
> community, I think we should accept to declare that we officially stop the
> maintenance, stop the burden on people involved in the Ant project.
> >
> > I hear the user community that we should still try our best to keep
> maintaining it, it is still worth it, I understand.
> >
> > So maybe we can declare a last call. The last maintenance window where
> only vulnerabilities will be fixed. Months ? 6 ? And hope that before that
> deadline, there are some interested parties that are willing to do proper
> maintenance over the project, here at Apache or elsewhere.
> >
> > Nicolas
> >
> > [1] https://archive.apache.org/dist/ant/ivyde/updatesite/
> > [2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html
> >
> > > Le 22 août 2023 à 18:02, Stefan Bodewig  a écrit :
> > >
> > > Hi all
> > >
> > > before I get 

Re: Future of Ivy and IvyDE

2023-12-04 Thread Eric Milles
Hello,
I was just made aware of this discussion and thought I would share a bit.  We 
use Ant+Ivy and Eclipse+IvyDE here (Thomson Reuters) to support dozens of java 
projects.  IvyDE has been working very well for the past many years and I have 
only minor issues with it form time to time.  Mostly an eclipse restart and ivy 
refresh fixes it.  So a big "thank you" to all the maintainers over the years.  
Ant+Ivy has kept us out of Maven or Gradle tangles.

In terms of ongoing maintenance, I have picked up the Groovy Eclipse tools 
(https://github.com/groovy/groovy-eclipse) and the Microsoft Team Explorer 
tools (https://github.com/microsoft/team-explorer-everywhere), so I do have 
experience with Eclipse IDE development.  If someone wants help getting builds 
run and update sites created and verified, I can help with that.  If there are 
bugs in IvyDE that need attention, I could help with that as well.

It sounds to me like Ivy and IvyDE -- even as a retired subproject -- should 
move out from under Apache Ant.  Just for my clarity, is Apache Ivy a top-level 
project or a subproject of Apache Ant?

Eric Milles
ASF member/contributor
Apache Groovy PMC member

On 2023/09/05 16:52:38 Nicolas Lalevée wrote:
> Hi there,
> 
> I used to be involved, especially in IvyDE, and as many, my build tools and 
> my IDE changed (for the IDE I am glad, not for the build tools…). So I had no 
> particular interest of doing any maintenance, so much that lost track of the 
> last releases of Ivy, where I could help. Many many thanks for those still 
> around keep things not completely stalled, especially for those who doesn’t 
> know the code base.
> 
> For IvyDE, we wanted to retire it some years ago. The community raised some 
> interests, so we didn’t proceed. But many years later, the proof is that is 
> not maintained. Me too, I think it should be retired now.
> 
> For the current IvyDE users, it shouldn’t be a concern that IvyDE is retired 
> as an Apache project. You will still be able to continue to use the plugin. 
> The released artifacts of the updatesite are archived [1] and won’t 
> disappear. We would just announcing officially what in practice happens: it 
> is not maintained anymore.
> 
> And we tried our best to be opened on how to build and release the plugin and 
> the updatesite, it is documented [2]. On my machine which just have Ant and 
> Java installed, I just tried and I have been able to build of the updatesite 
> with the last release of Ivy without much effort. Doing a proper Apache 
> release of that is another subject, there are signatures, at least verify 
> that it actually works in a real Eclipse, votes, and so on. And adding 
> features and even fixing bugs is a very big step to get involved, it requires 
> a complete Eclipse SDK setup. But at least headless, if it is required, I 
> think anybody motivated enough should be able to re build it locally, the 
> updatesite too. It wouldn’t be as much user friendly as it is today, but you 
> should be able to work with your preferred IDE and dependency manager for as 
> long as Eclipse is having 4.x versions.
> 
> Due to my particular former involvement in IvyDE (I know it well), and my 
> lack of involvement in the Ant community lately (I don’t read all 
> mailinglists), if you have issues with the build or the code of IvyDE, you 
> can mail on ant-dev@ and CC me directly.
> 
> That’s for IvyDE. For Ivy, it kind of feels different due to the general 
> usage which continues to exists, as we can see people are searching 
> vulnerabilities in it.
> 
> I am very sorry to read about missed opportunities to help new contributors, 
> I didn’t saw them, very sorry about that.
> 
> Then, acknowledging that even fixing vulnerabilities is painful to the 
> community, I think we should accept to declare that we officially stop the 
> maintenance, stop the burden on people involved in the Ant project.
> 
> I hear the user community that we should still try our best to keep 
> maintaining it, it is still worth it, I understand.
> 
> So maybe we can declare a last call. The last maintenance window where only 
> vulnerabilities will be fixed. Months ? 6 ? And hope that before that 
> deadline, there are some interested parties that are willing to do proper 
> maintenance over the project, here at Apache or elsewhere.
> 
> Nicolas
> 
> [1] https://archive.apache.org/dist/ant/ivyde/updatesite/
> [2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html
> 
> > Le 22 août 2023 à 18:02, Stefan Bodewig  a écrit :
> > 
> > Hi all
> > 
> > before I get to the actual content of this mail:
> > 
> > * I'm cross-posting to three lists but I ask you to keep responses to
> >  dev@ant only (and join the list if necessary) if you want to respond.
> > 
> > * what I write is my personal opinion and not shared by the PMC as a
> >  whole. The people on the PMC know I'd be writing a mail like this
> >  sooner or later, though.
> > 
> > * this is a discussion, not a 

Re: Trying my hands at an ivy-updatesite (was Re: Future of Ivy and IvyDE)

2023-11-20 Thread Jason Guild

Hi Stefan:

Thanks for trying this out.
I can confirm that I was able to just now update my version of the ivy 
lib+ant tasks to latest 2.5.2 with Eclipse 2022-03, using the updatesite 
you published at the URL you linked in the last message.


However, the updatesite you generated contained only info for ivy and 
not the latest released IvyDE version. If you were able to build (or at 
lease stage the artifacts for) that last IvyDE version, maybe re-running 
that ant target would create an updatesite for both together like it 
used to be. Maybe Nicolas can chime in on this so we can have one last 
complete ivy-updatesite. I can confirm that ivy 2.5.2 works just fine 
with IvyDE 2.2.0-final.


Also, either way the final URL for whatever we end up with should be 
published to just (which I believe is the documented URL):

https://dist.apache.org/repos/dist/dev/ant/ivyde/updatesite/


Really appreciate your efforts here.

Thanks,
Jason

On 11/19/2023 8:16 AM, Stefan Bodewig wrote:

CAUTION: This email originated from outside the State of Alaska mail system. Do 
not click links or open attachments unless you recognize the sender and know 
the content is safe.

On 2023-09-05, Nicolas Lalevée wrote:


And we tried our best to be opened on how to build and release the
plugin and the updatesite, it is documented [2]. On my machine which
just have Ant and Java installed, I just tried and I have been able to
build of the updatesite with the last release of Ivy without much
effort.

Many thanks for the pointer, Nicolas.

In my case it immediately stopped with

,
| eclipse-startup-check:
|
| BUILD FAILED
| /home/stefan/devel/ASF/ivy-updatesite/build.xml:39: An Eclipse install is 
needed to run the build. Set your Eclipse install dir into the baseLocation 
property.
`

and I haven't got any idea of which version of Eclipse I'd need to
install. So I went with 202309 and kept my fingers crossed. At least the
build proceeded.

https://dist.apache.org/repos/dist/dev/ant/ivyde/updatesite/ivy-2.5.2.final_20230817170011/
is what I created. TBH I have no idea what I have created and signed -
nor do I have any way of verifying it works.

If anybody wants - and is able - to check what I've created, I'd be
grateful. Even then I don't really feel comfortable calling for a vote
on something I don't even trust myself.

Cheers

 Stefan


[2]https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html

-
To unsubscribe, e-mail:dev-unsubscr...@ant.apache.org
For additional commands, e-mail:dev-h...@ant.apache.org



--
Jason Guild
Systems Programmer
Alaska Department of Transportation & Public Facilities
Program Management and Administration
820 E. 15th Ave.
Anchorage, Alaska 99501


Re: Trying my hands at an ivy-updatesite (was Re: Future of Ivy and IvyDE)

2023-11-20 Thread Nicolas Lalevée



> Le 19 nov. 2023 à 18:16, Stefan Bodewig  a écrit :
> 
> On 2023-09-05, Nicolas Lalevée wrote:
> 
>> And we tried our best to be opened on how to build and release the
>> plugin and the updatesite, it is documented [2]. On my machine which
>> just have Ant and Java installed, I just tried and I have been able to
>> build of the updatesite with the last release of Ivy without much
>> effort.
> 
> Many thanks for the pointer, Nicolas.
> 
> In my case it immediately stopped with
> 
> ,
> | eclipse-startup-check:
> | 
> | BUILD FAILED
> | /home/stefan/devel/ASF/ivy-updatesite/build.xml:39: An Eclipse install is 
> needed to run the build. Set your Eclipse install dir into the baseLocation 
> property.
> `
> 
> and I haven't got any idea of which version of Eclipse I'd need to
> install. So I went with 202309 and kept my fingers crossed. At least the
> build proceeded.
> 
> https://dist.apache.org/repos/dist/dev/ant/ivyde/updatesite/ivy-2.5.2.final_20230817170011/
> is what I created. TBH I have no idea what I have created and signed -
> nor do I have any way of verifying it works.
> 
> If anybody wants - and is able - to check what I've created, I'd be
> grateful. Even then I don't really feel comfortable calling for a vote
> on something I don't even trust myself.

Thank you Stefan to have tried, and successfully build an Eclipse updatesite ! 
(I admit I didn’t validated them functionally, I just looked at the files).

It reassures me that the scripts are still working, not only on my machine, 
even for someone not used to this very particular build system.

Considering the ongoing vote on IvyDE retirement, I don’t think we need to make 
them official Apache release artifacts. Anyone actually interested to have this 
plugin installed in his Eclipse should be able to be rebuild it. If in the 
future there is a newer version of Ivy, the situation will be the same.

Nicolas

> 
> Cheers
> 
>Stefan
> 
>> [2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
> For additional commands, e-mail: dev-h...@ant.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Trying my hands at an ivy-updatesite (was Re: Future of Ivy and IvyDE)

2023-11-19 Thread Stefan Bodewig
On 2023-09-05, Nicolas Lalevée wrote:

> And we tried our best to be opened on how to build and release the
> plugin and the updatesite, it is documented [2]. On my machine which
> just have Ant and Java installed, I just tried and I have been able to
> build of the updatesite with the last release of Ivy without much
> effort.

Many thanks for the pointer, Nicolas.

In my case it immediately stopped with

,
| eclipse-startup-check:
| 
| BUILD FAILED
| /home/stefan/devel/ASF/ivy-updatesite/build.xml:39: An Eclipse install is 
needed to run the build. Set your Eclipse install dir into the baseLocation 
property.
`

and I haven't got any idea of which version of Eclipse I'd need to
install. So I went with 202309 and kept my fingers crossed. At least the
build proceeded.

https://dist.apache.org/repos/dist/dev/ant/ivyde/updatesite/ivy-2.5.2.final_20230817170011/
is what I created. TBH I have no idea what I have created and signed -
nor do I have any way of verifying it works.

If anybody wants - and is able - to check what I've created, I'd be
grateful. Even then I don't really feel comfortable calling for a vote
on something I don't even trust myself.

Cheers

Stefan

> [2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Re: Future of Ivy and IvyDE

2023-09-05 Thread Nicolas Lalevée
Hi there,

I used to be involved, especially in IvyDE, and as many, my build tools and my 
IDE changed (for the IDE I am glad, not for the build tools…). So I had no 
particular interest of doing any maintenance, so much that lost track of the 
last releases of Ivy, where I could help. Many many thanks for those still 
around keep things not completely stalled, especially for those who doesn’t 
know the code base.

For IvyDE, we wanted to retire it some years ago. The community raised some 
interests, so we didn’t proceed. But many years later, the proof is that is not 
maintained. Me too, I think it should be retired now.

For the current IvyDE users, it shouldn’t be a concern that IvyDE is retired as 
an Apache project. You will still be able to continue to use the plugin. The 
released artifacts of the updatesite are archived [1] and won’t disappear. We 
would just announcing officially what in practice happens: it is not maintained 
anymore.

And we tried our best to be opened on how to build and release the plugin and 
the updatesite, it is documented [2]. On my machine which just have Ant and 
Java installed, I just tried and I have been able to build of the updatesite 
with the last release of Ivy without much effort. Doing a proper Apache release 
of that is another subject, there are signatures, at least verify that it 
actually works in a real Eclipse, votes, and so on. And adding features and 
even fixing bugs is a very big step to get involved, it requires a complete 
Eclipse SDK setup. But at least headless, if it is required, I think anybody 
motivated enough should be able to re build it locally, the updatesite too. It 
wouldn’t be as much user friendly as it is today, but you should be able to 
work with your preferred IDE and dependency manager for as long as Eclipse is 
having 4.x versions.

Due to my particular former involvement in IvyDE (I know it well), and my lack 
of involvement in the Ant community lately (I don’t read all mailinglists), if 
you have issues with the build or the code of IvyDE, you can mail on ant-dev@ 
and CC me directly.

That’s for IvyDE. For Ivy, it kind of feels different due to the general usage 
which continues to exists, as we can see people are searching vulnerabilities 
in it.

I am very sorry to read about missed opportunities to help new contributors, I 
didn’t saw them, very sorry about that.

Then, acknowledging that even fixing vulnerabilities is painful to the 
community, I think we should accept to declare that we officially stop the 
maintenance, stop the burden on people involved in the Ant project.

I hear the user community that we should still try our best to keep maintaining 
it, it is still worth it, I understand.

So maybe we can declare a last call. The last maintenance window where only 
vulnerabilities will be fixed. Months ? 6 ? And hope that before that deadline, 
there are some interested parties that are willing to do proper maintenance 
over the project, here at Apache or elsewhere.

Nicolas

[1] https://archive.apache.org/dist/ant/ivyde/updatesite/
[2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html

> Le 22 août 2023 à 18:02, Stefan Bodewig  a écrit :
> 
> Hi all
> 
> before I get to the actual content of this mail:
> 
> * I'm cross-posting to three lists but I ask you to keep responses to
>  dev@ant only (and join the list if necessary) if you want to respond.
> 
> * what I write is my personal opinion and not shared by the PMC as a
>  whole. The people on the PMC know I'd be writing a mail like this
>  sooner or later, though.
> 
> * this is a discussion, not a vote.
> 
> phew
> 
> I'm not quite sure what I hope to achieve with this email, but I'd like
> to share my thoughts - and raise the awareness of an elephant being in
> the room.
> 
> Over the past year we've had three security vulnerabilities discovered
> in Ivy and it took us much too long to get them fixed. The reason for
> this is there are no people left around who are familiar with the Ivy
> code base. Most of the remaining developers around Ant are not even
> users of Ivy - I know I am not and have never been.
> 
> When it comes to IvyDE things are probably even worse as nobody of us
> uses Eclipse, either. But then again I've not managed to create an
> Eclipse update site for the last two Ivy releases so maybe nobody is
> using IvyDE anymore anyway.
> 
> At least *I* don't see myself digging deeper into the Ivy code base in
> order to fix non-critical bugs. And even for the critical ones I feel we
> are not doing an adequate job. To me it looks as if Ivy and in
> particilar IvyDE are no longer really supported by the Ant project.
> 
> TBH I'm not quite sure what to do about this. Even if people stepped up
> to maintain Ivy, the rest of the Ant devs would probably be unable to
> verify the changes they want to make. At least I certainly am not
> willing to review bigger PRs/patches to a code base I don't understand
> well.
> 
> Personally I 

Re: Future of Ivy and IvyDE

2023-08-29 Thread Stefan Bodewig
On 2023-08-28, Cohen, Ross wrote:

> Perhaps someone from the Ant team can poke the Eclipse people and tell
> them that there are devs/teams that will simply move to another IDE
> rather than give up Ant/Ivy/IvyIDE; it might be very much in their
> best interest to put a dev part time on Ivy/IvyIDE.

My guess is the impact would be bigger if actual users of IvyDE told
them.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



RE: Future of Ivy and IvyDE

2023-08-28 Thread Cohen, Ross
Hi,
Our shop uses Ivy/IvyIDE.   We decided against maven because it seemed 
verbose and unfriendly to our projects' customizations.  The whizzo integration 
with Eclipse was a big added bonus -- we'd tried to get Maven working with 
eclipse to compile our projects but it never really seemed to work properly 
(this was ~9 years ago).

I like Ivy, but I have trouble imagining using it without an IDE.  
Modern IDEs are simply too powerful to sideline.   Not sure which is worse: 
converting to maven (hopefully eclipse integration is better these days), or 
going back to directories filled with jars.

A third option appears to be IvyIDEA for IntelliJ, which has ~500,000 
downloads, and appears to be maintained.   Perhaps someone from the Ant team 
can poke the Eclipse people and tell them that there are devs/teams that will 
simply move to another IDE rather than give up Ant/Ivy/IvyIDE; it might be very 
much in their best interest to put a dev part time on Ivy/IvyIDE.

Anyways, the prospect of losing Ivy contributes to my general sense of 
deterioration in the Java dev space:  Java's best build/dependency tool goes 
belly-up.  I know at least half a dozen important/useful projects which appear 
to be on the brink of death.   Also been seeing some bizarre tooling decisions 
from the java people (after 20 years they got rid of the API doc's tree browser 
-- wtf?!).

Hoping for the best ...

Ross




-Original Message-
From: s.an...@infass.com.INVALID 
Sent: Tuesday, August 22, 2023 12:45 PM
To: ivy-u...@ant.apache.org; dev@ant.apache.org
Cc: u...@ant.apache.org
Subject: RE: Future of Ivy and IvyDE

 This email originated from outside of the organization. Use caution 
when replying, opening attachment(s), and/or clicking on URL's. 


Hi,

I can't really discuss how many developers use Ivy and how it is difficult to 
maintain this project if there is not enough maintainers...

But I can give hints about our usage in our companies:
* We love "ant", it's for us a clear language syntax that can achieve our build 
processes like we want (and we have a good expertise about it)
* We had need to move on more modern way to handle dependencies
* We use ivy for that
* We have a tight integration inside our custom CI chain and in our IDE. We 
didn't use IvyDE

For sure, we know that "ant" is an older daddy inside the building tools area

Ivy have their caveats but we are able to integrate it nicely inside our build 
chain.
We can have 2 orientations:
* Move to another build tool and don't use anymore ant
* Move to another dependency tool usable by ant (at this date, I'm not sure, we 
have real alternative to Ivy)
* Continue to use Ant + Ivy as long as we can

What I can say : we appreciate the couple of ant + ivy and if possible we would 
love to continue to use them !

Sébastien.



-Message d'origine-
De : Stefan Bodewig  Envoyé : mardi 22 août 2023 18:02 À : 
dev@ant.apache.org Cc : u...@ant.apache.org; ivy-u...@ant.apache.org Objet : 
Future of Ivy and IvyDE

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
  dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
  whole. The people on the PMC know I'd be writing a mail like this
  sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like to 
share my thoughts - and raise the awareness of an elephant being in the room.

Over the past year we've had three security vulnerabilities discovered in Ivy 
and it took us much too long to get them fixed. The reason for this is there 
are no people left around who are familiar with the Ivy code base.
Most of the remaining developers around Ant are not even users of Ivy - I know 
I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us uses 
Eclipse, either. But then again I've not managed to create an Eclipse update 
site for the last two Ivy releases so maybe nobody is using IvyDE anymore 
anyway.

At least *I* don't see myself digging deeper into the Ivy code base in order to 
fix non-critical bugs. And even for the critical ones I feel we are not doing 
an adequate job. To me it looks as if Ivy and in particilar IvyDE are no longer 
really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up to 
maintain Ivy, the rest of the Ant devs would probably be unable to verify the 
changes they want to make. At least I certainly am not willing to review bigger 
PRs/patches to a code base I don't understand well.

Personally I believe we should send IvyDE to the Apache Attic immediately, and 
this likely should be the destination for Ivy sooner or later as well.
In the case of Ivy we know there are people who depend on 

Re: Future of Ivy and IvyDE

2023-08-28 Thread Gary Gregory
I was a long-time Ant + Ivy and IvyDE. At work, we finally switched one of
our products to Maven. We have at least one other product that still uses
Ant + Ivy, I'm not sure what that team operates as an IDE.

>From my POV, you can't effectively and sanely develop using Ivy *without*
IDE support, in our case, that was Eclipse and IvyDE.

Gary



On Mon, Aug 28, 2023 at 9:23 AM Stefan Bodewig  wrote:

> Hi
>
> sorry for my bad timing sending out an email and then being unbale to
> answer for days. This is not what I intended.
>
> Let me try to answer what I've seen so far. And I'll try to keep my
> personal opinion out this time.
>
> It is pretty obvious Ivy is used today and maybe even loved by
> some. This is great for any project.
>
> As is probably true with all volunteer based open source projects people
> come and go as their interests and focus change.
>
> In the case of Ivy this unfortunately means it is not maintained well
> today and this is not going to change with the current set of Ant
> developers. All of us work on Ant in our spare time and we've picked
> developing Ant for several different reasons - none of these reasons
> seem to apply to Ivy for anybody of us.
>
> It is not my intention to kill Ivy. Not at all. But if maintenance of
> Ivy is left with the current set of Ant developers this is what is
> likely going to happen, eventually.
>
> It just seemed to be fair to inform Ivy's users about the current
> state.
>
> Cheers
>
> Stefan
>


Re: Future of Ivy and IvyDE

2023-08-28 Thread Stefan Bodewig
On 2023-08-22, Jason Guild wrote:

> I can confirm that in the not very distant past there were multiple
> people (including myself) who submitted pull requests for Ivy to both
> make improvements as well as address bugs. They were left to rot for
> far too long.

This is unfortunate. In a way this may have happened because nobody is
left around who'd be able to acually verify your changes. This is not
what it should have been, but it happened. And I'm not sure it wouldn't
happen again.

> It was frustrating to me that even a very simple patch required both a
> debate on its utility and then navigating pedantries on the coding
> approach before then taking nearly two years to get merged and
> incorporated into a release.

Ouch. And sorry for that.

> I feel that people who were trying to get started maintaining Ivy,
> like myself, were simply put off by unresponsive
> committers. Absolutely I understand there is a lacking in capacity of
> people to verify changes but the situation, at least with me, felt
> like simple gatekeeping.

It is good you say this, Jason. Believe me, it is not
gatekeeping. Nobody is around anymore who'd want to stand at the gate at
all.

And I'm not sure how to move forward. "giving the keys to people who
want them" sounds a lot simpler than it may be in the end.

> I would really appreciate an update site for Ivy though as I've
> wondered how I can upgrade my IDE, easily, to use Ivy 2.5.{1,2}.
> It would be great if the existing update site for IvyDE [0] could at
> least be updated for the artifacts we have.

I have built the 2.5.{1,2} releases. I have no idea what an update site
is and how to create one. OK, I do have a vague idea what it is, but
absolutely no idea how to create one.

If you (or anybody else) can coach me through the process of creating an
update site starting with a jar and nothing else, then I'm game. Being
able to verify the thing actually works would be great. Bonus points if
I don't need to install anything I wouldn't use otherwise.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Re: Future of Ivy and IvyDE

2023-08-28 Thread Stefan Bodewig
Hi

sorry for my bad timing sending out an email and then being unbale to
answer for days. This is not what I intended.

Let me try to answer what I've seen so far. And I'll try to keep my
personal opinion out this time.

It is pretty obvious Ivy is used today and maybe even loved by
some. This is great for any project.

As is probably true with all volunteer based open source projects people
come and go as their interests and focus change.

In the case of Ivy this unfortunately means it is not maintained well
today and this is not going to change with the current set of Ant
developers. All of us work on Ant in our spare time and we've picked
developing Ant for several different reasons - none of these reasons
seem to apply to Ivy for anybody of us.

It is not my intention to kill Ivy. Not at all. But if maintenance of
Ivy is left with the current set of Ant developers this is what is
likely going to happen, eventually.

It just seemed to be fair to inform Ivy's users about the current
state.

Cheers

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Re: [**EXTERNAL**] RE: Future of Ivy and IvyDE

2023-08-23 Thread LINUS FERNANDES
This is sad news.

Alarming? Perhaps.

I guess most people using Ivy will be interested in knowing what's the best
alternative to Ivy in the above scenario.

I think for Ivy to live on you will need backing from organisations that
are vested in using it in their critical projects and cannot afford to move
to a different dependency management solution that easily i.e., there's a
lock-in to it and additionally these orgs are willing to spare their own
developers to maintain the Ivy codebase.





On Tue, 22 Aug 2023, 23:52 Vladimir Grabarchuk, 
wrote:

> I'd like to second the first two opinions regarding Ant and Ivy.
>
> I can't say that I'm very familiar with Maven, but from what I know, Ivy is
> way superior to it (in my opinion, of course). At the expense of being more
> complex, it is terser, customizable and, generally, more capable.
> I've used it professionally and personally and am really hopeful it would
> not be sacked. I also use IveDE (yes, Eclipse!) and like it quite a lot.
> That said, if Ivy continues to live on, it will be pretty simple to use
> just it (no IvyDE).
>
> Sadly, to paraphrase the old adage - fashion over function...
>
> Regards,
> Vladimir
>
> On Tue, Aug 22, 2023 at 10:29 AM D'Anjou, Martin  >
> wrote:
>
> > Hi,
> >
> > I'd like to say that we're seriously considering migrating our dependency
> > management from Gradle to Ivy because of the lack of branch support in
> > Gradle's dependency management, and because we can't find a way to modify
> > Gradle's dependency management without also changing its core. We can
> > create a custom resolver in Ivy that supports our branch scenarios, and
> > apparently without touching its core.
> >
> > So I hope Ivy has a future.
> >
> > Martin
> >
> > -Original Message-
> > From: s.an...@infass.com.INVALID 
> > Sent: Tuesday, August 22, 2023 12:45 PM
> > To: ivy-u...@ant.apache.org; dev@ant.apache.org
> > Cc: u...@ant.apache.org
> > Subject: [**EXTERNAL**] RE: Future of Ivy and IvyDE
> >
> > Hi,
> >
> > I can't really discuss how many developers use Ivy and how it is
> difficult
> > to maintain this project if there is not enough maintainers...
> >
> > But I can give hints about our usage in our companies:
> > * We love "ant", it's for us a clear language syntax that can achieve our
> > build processes like we want (and we have a good expertise about it)
> > * We had need to move on more modern way to handle dependencies
> > * We use ivy for that
> > * We have a tight integration inside our custom CI chain and in our IDE.
> > We didn't use IvyDE
> >
> > For sure, we know that "ant" is an older daddy inside the building tools
> > area
> >
> > Ivy have their caveats but we are able to integrate it nicely inside our
> > build chain.
> > We can have 2 orientations:
> > * Move to another build tool and don't use anymore ant
> > * Move to another dependency tool usable by ant (at this date, I'm not
> > sure, we have real alternative to Ivy)
> > * Continue to use Ant + Ivy as long as we can
> >
> > What I can say : we appreciate the couple of ant + ivy and if possible we
> > would love to continue to use them !
> >
> > Sébastien.
> >
> >
> >
> > -Message d'origine-
> > De : Stefan Bodewig  Envoyé : mardi 22 août 2023
> > 18:02 À : dev@ant.apache.org Cc : u...@ant.apache.org;
> > ivy-u...@ant.apache.org Objet : Future of Ivy and IvyDE
> >
> > Hi all
> >
> > before I get to the actual content of this mail:
> >
> > * I'm cross-posting to three lists but I ask you to keep responses to
> >   dev@ant only (and join the list if necessary) if you want to respond.
> >
> > * what I write is my personal opinion and not shared by the PMC as a
> >   whole. The people on the PMC know I'd be writing a mail like this
> >   sooner or later, though.
> >
> > * this is a discussion, not a vote.
> >
> > phew
> >
> > I'm not quite sure what I hope to achieve with this email, but I'd like
> to
> > share my thoughts - and raise the awareness of an elephant being in the
> > room.
> >
> > Over the past year we've had three security vulnerabilities discovered in
> > Ivy and it took us much too long to get them fixed. The reason for this
> is
> > there are no people left around who are familiar with the Ivy code base.
> > Most of the remaining developers around Ant are not even users of Ivy - I
> > know I am not and have never been.
> >
> > When it comes to IvyDE things are probably e

Re: Future of Ivy and IvyDE

2023-08-23 Thread Jörn Guy Süß
Please read the following in full, as I am starting my argument not at Ivy
itself, but it is still the focus of this response.

I think the core shortcoming of Ant is its inability to bootstrap easily in
a portable manner. You cannot simply use a build file and say 'go build' as
you have to install Ant tasks to make that happen. I feel that ivy fixes
this and does it in a fairly flexible way. If anything, I would start
bundling ivy into ant and install it as default, including a prelude for
fetching tasks from Maven central. For very low cost this achieves three
things:

   1. Makes ant builds more portable.
   2. Gives Ivy more publicity and application.
   3. Moves two strongly related projects closer together.

As for IvyDE I would shelve it for the moment. Along the proposal above I
can see a future for it as backing for a more capable Ant environment.

JG

On Wed, 23 Aug 2023 at 11:20, Jaikiran Pai  wrote:

> I agree with what Stefan notes in his mail. Some years back when I
> started contributing to Ivy, I realized that the documentation (formal
> or informal) related to the internal implementation details of Ivy is
> non-existent. Sometimes I had to select a file, go over its commit
> history then go read all JIRAs that were part of those commit logs and
> even then, a lot of the information was either missing or outdated. At
> that time, I used to use Ivy in some of our projects, so I could keep
> refreshing with the code base and relate to it, so that whenever I had
> to fix a bug or add something, I had the previous collected knowledge of
> the Ivy code already fresh (to some extent) in my mind. It's now been
> some years since I have used Ivy and I no longer have the Ivy codebase
> knowledge in my mind. Like Stefan noted, these recent vulnerability
> fixes took the Ant team a lot of time and energy to fix because of these
> issues. Personally, I don't expect myself to have the ability to
> continue contributing to Ivy.
>
> As for IvyDE, on the development front, it has seen no movement. I am
> not even sure if it builds with the current Eclipse versions. I hadn't
> contributed to it, but I remember that when releasing Ivy 2.5.0, it was
> struggle to update the IvyDE update site.
>
> -Jaikiran
>
> On 22/08/23 9:32 pm, Stefan Bodewig wrote:
> > Hi all
> >
> > before I get to the actual content of this mail:
> >
> > * I'm cross-posting to three lists but I ask you to keep responses to
> >dev@ant only (and join the list if necessary) if you want to respond.
> >
> > * what I write is my personal opinion and not shared by the PMC as a
> >whole. The people on the PMC know I'd be writing a mail like this
> >sooner or later, though.
> >
> > * this is a discussion, not a vote.
> >
> > phew
> >
> > I'm not quite sure what I hope to achieve with this email, but I'd like
> > to share my thoughts - and raise the awareness of an elephant being in
> > the room.
> >
> > Over the past year we've had three security vulnerabilities discovered
> > in Ivy and it took us much too long to get them fixed. The reason for
> > this is there are no people left around who are familiar with the Ivy
> > code base. Most of the remaining developers around Ant are not even
> > users of Ivy - I know I am not and have never been.
> >
> > When it comes to IvyDE things are probably even worse as nobody of us
> > uses Eclipse, either. But then again I've not managed to create an
> > Eclipse update site for the last two Ivy releases so maybe nobody is
> > using IvyDE anymore anyway.
> >
> > At least *I* don't see myself digging deeper into the Ivy code base in
> > order to fix non-critical bugs. And even for the critical ones I feel we
> > are not doing an adequate job. To me it looks as if Ivy and in
> > particilar IvyDE are no longer really supported by the Ant project.
> >
> > TBH I'm not quite sure what to do about this. Even if people stepped up
> > to maintain Ivy, the rest of the Ant devs would probably be unable to
> > verify the changes they want to make. At least I certainly am not
> > willing to review bigger PRs/patches to a code base I don't understand
> > well.
> >
> > Personally I believe we should send IvyDE to the Apache Attic
> > immediately, and this likely should be the destination for Ivy sooner or
> > later as well. In the case of Ivy we know there are people who depend on
> > it (hi, Groovy folks) so maybe we should give a date in the future until
> > which we are providing security bug fixes to give people time to move
> > off.
> >
> > There may be the need for a dependency management system inside of Ant,
> > I'm not sure. If so, then this should be driven by people who feel the
> > actual need IMO. There may already be alternatives to Ivy I am not aware
> > of.
> >
> > Stefan
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
> > For additional commands, e-mail: dev-h...@ant.apache.org
> >
>
> 

Re: Future of Ivy and IvyDE

2023-08-22 Thread Jaikiran Pai
I agree with what Stefan notes in his mail. Some years back when I 
started contributing to Ivy, I realized that the documentation (formal 
or informal) related to the internal implementation details of Ivy is 
non-existent. Sometimes I had to select a file, go over its commit 
history then go read all JIRAs that were part of those commit logs and 
even then, a lot of the information was either missing or outdated. At 
that time, I used to use Ivy in some of our projects, so I could keep 
refreshing with the code base and relate to it, so that whenever I had 
to fix a bug or add something, I had the previous collected knowledge of 
the Ivy code already fresh (to some extent) in my mind. It's now been 
some years since I have used Ivy and I no longer have the Ivy codebase 
knowledge in my mind. Like Stefan noted, these recent vulnerability 
fixes took the Ant team a lot of time and energy to fix because of these 
issues. Personally, I don't expect myself to have the ability to 
continue contributing to Ivy.


As for IvyDE, on the development front, it has seen no movement. I am 
not even sure if it builds with the current Eclipse versions. I hadn't 
contributed to it, but I remember that when releasing Ivy 2.5.0, it was 
struggle to update the IvyDE update site.


-Jaikiran

On 22/08/23 9:32 pm, Stefan Bodewig wrote:

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
   dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
   whole. The people on the PMC know I'd be writing a mail like this
   sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like
to share my thoughts - and raise the awareness of an elephant being in
the room.

Over the past year we've had three security vulnerabilities discovered
in Ivy and it took us much too long to get them fixed. The reason for
this is there are no people left around who are familiar with the Ivy
code base. Most of the remaining developers around Ant are not even
users of Ivy - I know I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us
uses Eclipse, either. But then again I've not managed to create an
Eclipse update site for the last two Ivy releases so maybe nobody is
using IvyDE anymore anyway.

At least *I* don't see myself digging deeper into the Ivy code base in
order to fix non-critical bugs. And even for the critical ones I feel we
are not doing an adequate job. To me it looks as if Ivy and in
particilar IvyDE are no longer really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up
to maintain Ivy, the rest of the Ant devs would probably be unable to
verify the changes they want to make. At least I certainly am not
willing to review bigger PRs/patches to a code base I don't understand
well.

Personally I believe we should send IvyDE to the Apache Attic
immediately, and this likely should be the destination for Ivy sooner or
later as well. In the case of Ivy we know there are people who depend on
it (hi, Groovy folks) so maybe we should give a date in the future until
which we are providing security bug fixes to give people time to move
off.

There may be the need for a dependency management system inside of Ant,
I'm not sure. If so, then this should be driven by people who feel the
actual need IMO. There may already be alternatives to Ivy I am not aware
of.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



Re: [**EXTERNAL**] RE: Future of Ivy and IvyDE

2023-08-22 Thread Vladimir Grabarchuk
I'd like to second the first two opinions regarding Ant and Ivy.

I can't say that I'm very familiar with Maven, but from what I know, Ivy is
way superior to it (in my opinion, of course). At the expense of being more
complex, it is terser, customizable and, generally, more capable.
I've used it professionally and personally and am really hopeful it would
not be sacked. I also use IveDE (yes, Eclipse!) and like it quite a lot.
That said, if Ivy continues to live on, it will be pretty simple to use
just it (no IvyDE).

Sadly, to paraphrase the old adage - fashion over function...

Regards,
Vladimir

On Tue, Aug 22, 2023 at 10:29 AM D'Anjou, Martin 
wrote:

> Hi,
>
> I'd like to say that we're seriously considering migrating our dependency
> management from Gradle to Ivy because of the lack of branch support in
> Gradle's dependency management, and because we can't find a way to modify
> Gradle's dependency management without also changing its core. We can
> create a custom resolver in Ivy that supports our branch scenarios, and
> apparently without touching its core.
>
> So I hope Ivy has a future.
>
> Martin
>
> -Original Message-
> From: s.an...@infass.com.INVALID 
> Sent: Tuesday, August 22, 2023 12:45 PM
> To: ivy-u...@ant.apache.org; dev@ant.apache.org
> Cc: u...@ant.apache.org
> Subject: [**EXTERNAL**] RE: Future of Ivy and IvyDE
>
> Hi,
>
> I can't really discuss how many developers use Ivy and how it is difficult
> to maintain this project if there is not enough maintainers...
>
> But I can give hints about our usage in our companies:
> * We love "ant", it's for us a clear language syntax that can achieve our
> build processes like we want (and we have a good expertise about it)
> * We had need to move on more modern way to handle dependencies
> * We use ivy for that
> * We have a tight integration inside our custom CI chain and in our IDE.
> We didn't use IvyDE
>
> For sure, we know that "ant" is an older daddy inside the building tools
> area
>
> Ivy have their caveats but we are able to integrate it nicely inside our
> build chain.
> We can have 2 orientations:
> * Move to another build tool and don't use anymore ant
> * Move to another dependency tool usable by ant (at this date, I'm not
> sure, we have real alternative to Ivy)
> * Continue to use Ant + Ivy as long as we can
>
> What I can say : we appreciate the couple of ant + ivy and if possible we
> would love to continue to use them !
>
> Sébastien.
>
>
>
> -Message d'origine-
> De : Stefan Bodewig  Envoyé : mardi 22 août 2023
> 18:02 À : dev@ant.apache.org Cc : u...@ant.apache.org;
> ivy-u...@ant.apache.org Objet : Future of Ivy and IvyDE
>
> Hi all
>
> before I get to the actual content of this mail:
>
> * I'm cross-posting to three lists but I ask you to keep responses to
>   dev@ant only (and join the list if necessary) if you want to respond.
>
> * what I write is my personal opinion and not shared by the PMC as a
>   whole. The people on the PMC know I'd be writing a mail like this
>   sooner or later, though.
>
> * this is a discussion, not a vote.
>
> phew
>
> I'm not quite sure what I hope to achieve with this email, but I'd like to
> share my thoughts - and raise the awareness of an elephant being in the
> room.
>
> Over the past year we've had three security vulnerabilities discovered in
> Ivy and it took us much too long to get them fixed. The reason for this is
> there are no people left around who are familiar with the Ivy code base.
> Most of the remaining developers around Ant are not even users of Ivy - I
> know I am not and have never been.
>
> When it comes to IvyDE things are probably even worse as nobody of us uses
> Eclipse, either. But then again I've not managed to create an Eclipse
> update site for the last two Ivy releases so maybe nobody is using IvyDE
> anymore anyway.
>
> At least *I* don't see myself digging deeper into the Ivy code base in
> order to fix non-critical bugs. And even for the critical ones I feel we
> are not doing an adequate job. To me it looks as if Ivy and in particilar
> IvyDE are no longer really supported by the Ant project.
>
> TBH I'm not quite sure what to do about this. Even if people stepped up to
> maintain Ivy, the rest of the Ant devs would probably be unable to verify
> the changes they want to make. At least I certainly am not willing to
> review bigger PRs/patches to a code base I don't understand well.
>
> Personally I believe we should send IvyDE to the Apache Attic immediately,
> and this likely should be the destination for Ivy sooner or later as well.
> In the case of Ivy we know there are people who depend on it (hi, Groovy
> 

Re: Future of Ivy and IvyDE

2023-08-22 Thread Jason Guild

Hi all:

IMO, it would be a shame to lose Ivy as a much simpler alternative to Maven.
It works well and I think there is very much still room for a dependency 
management tool that focuses on just that and not all the other things 
that Maven does. I am thankful for your work on it, Stefan.


I can confirm that in the not very distant past there were multiple 
people (including myself) who submitted pull requests for Ivy to both 
make improvements as well as address bugs. They were left to rot for far 
too long. It was frustrating to me that even a very simple patch 
required both a debate on its utility and then navigating pedantries on 
the coding approach before then taking nearly two years to get merged 
and incorporated into a release. I feel that people who were trying to 
get started maintaining Ivy, like myself, were simply put off by 
unresponsive committers. Absolutely I understand there is a lacking in 
capacity of people to verify changes but the situation, at least with 
me, felt like simple gatekeeping.


For users of Eclipse IDE, IvyDE is wonderful and works as advertised. 
I've been using it successfully since 2010 or so and pretty much 
considered it "finished". But given the lack of development on it over 
the years though, I am actually surprised it's still functional in 
current IDE releases and I've wondered when it will finally break. I 
have looked at the IvyDE code in the past, it's not that much really, 
and at one point I tried (rather half-heartedly) to get an IDE 
development environment prepared and then just gave up...mostly because 
developing for Eclipse was too much of a big moving target for me, and 
also the code abstractions in place for such a modular and flexible IDE 
were tough for me to follow concretely.


I would really appreciate an update site for Ivy though as I've wondered 
how I can upgrade my IDE, easily, to use Ivy 2.5.{1,2}.
It would be great if the existing update site for IvyDE [0] could at 
least be updated for the artifacts we have. There would very probably be 
no issues with IvyDE 2.2.0 working just fine using the latest Ivy 
release version.


I agree that it seems Ivy and IvyDE are not being supported adequately 
by the Ant project.

And I wish that weren't the case because they are excellent tools.

Not sure what I hope to achieve either with my message above, but I felt 
compelled to respond as a user who has appreciated Ivy and IvyDE for a 
long time. Maybe I'm the only one left!


Jason

[0] |https://downloads.apache.org/ant/ivyde/updatesite/ 



|On 8/22/2023 8:02 AM, Stefan Bodewig wrote:

CAUTION: This email originated from outside the State of Alaska mail system. Do 
not click links or open attachments unless you recognize the sender and know 
the content is safe.

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
   dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
   whole. The people on the PMC know I'd be writing a mail like this
   sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like
to share my thoughts - and raise the awareness of an elephant being in
the room.

Over the past year we've had three security vulnerabilities discovered
in Ivy and it took us much too long to get them fixed. The reason for
this is there are no people left around who are familiar with the Ivy
code base. Most of the remaining developers around Ant are not even
users of Ivy - I know I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us
uses Eclipse, either. But then again I've not managed to create an
Eclipse update site for the last two Ivy releases so maybe nobody is
using IvyDE anymore anyway.

At least *I* don't see myself digging deeper into the Ivy code base in
order to fix non-critical bugs. And even for the critical ones I feel we
are not doing an adequate job. To me it looks as if Ivy and in
particilar IvyDE are no longer really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up
to maintain Ivy, the rest of the Ant devs would probably be unable to
verify the changes they want to make. At least I certainly am not
willing to review bigger PRs/patches to a code base I don't understand
well.

Personally I believe we should send IvyDE to the Apache Attic
immediately, and this likely should be the destination for Ivy sooner or
later as well. In the case of Ivy we know there are people who depend on
it (hi, Groovy folks) so maybe we should give a date in the future until
which we are providing security bug fixes to give people time to move
off.

There may be the need for a dependency management system inside of Ant,
I'm not sure. If so, then this should be 

RE: [**EXTERNAL**] RE: Future of Ivy and IvyDE

2023-08-22 Thread D'Anjou, Martin
Hi,

I'd like to say that we're seriously considering migrating our dependency 
management from Gradle to Ivy because of the lack of branch support in Gradle's 
dependency management, and because we can't find a way to modify Gradle's 
dependency management without also changing its core. We can create a custom 
resolver in Ivy that supports our branch scenarios, and apparently without 
touching its core.

So I hope Ivy has a future.

Martin

-Original Message-
From: s.an...@infass.com.INVALID  
Sent: Tuesday, August 22, 2023 12:45 PM
To: ivy-u...@ant.apache.org; dev@ant.apache.org
Cc: u...@ant.apache.org
Subject: [**EXTERNAL**] RE: Future of Ivy and IvyDE

Hi,

I can't really discuss how many developers use Ivy and how it is difficult to 
maintain this project if there is not enough maintainers...

But I can give hints about our usage in our companies:
* We love "ant", it's for us a clear language syntax that can achieve our build 
processes like we want (and we have a good expertise about it)
* We had need to move on more modern way to handle dependencies
* We use ivy for that
* We have a tight integration inside our custom CI chain and in our IDE. We 
didn't use IvyDE

For sure, we know that "ant" is an older daddy inside the building tools area

Ivy have their caveats but we are able to integrate it nicely inside our build 
chain.
We can have 2 orientations:
* Move to another build tool and don't use anymore ant
* Move to another dependency tool usable by ant (at this date, I'm not sure, we 
have real alternative to Ivy)
* Continue to use Ant + Ivy as long as we can 

What I can say : we appreciate the couple of ant + ivy and if possible we would 
love to continue to use them !

Sébastien.



-Message d'origine-
De : Stefan Bodewig  Envoyé : mardi 22 août 2023 18:02 À : 
dev@ant.apache.org Cc : u...@ant.apache.org; ivy-u...@ant.apache.org Objet : 
Future of Ivy and IvyDE

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
  dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
  whole. The people on the PMC know I'd be writing a mail like this
  sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like to 
share my thoughts - and raise the awareness of an elephant being in the room.

Over the past year we've had three security vulnerabilities discovered in Ivy 
and it took us much too long to get them fixed. The reason for this is there 
are no people left around who are familiar with the Ivy code base.
Most of the remaining developers around Ant are not even users of Ivy - I know 
I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us uses 
Eclipse, either. But then again I've not managed to create an Eclipse update 
site for the last two Ivy releases so maybe nobody is using IvyDE anymore 
anyway.

At least *I* don't see myself digging deeper into the Ivy code base in order to 
fix non-critical bugs. And even for the critical ones I feel we are not doing 
an adequate job. To me it looks as if Ivy and in particilar IvyDE are no longer 
really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up to 
maintain Ivy, the rest of the Ant devs would probably be unable to verify the 
changes they want to make. At least I certainly am not willing to review bigger 
PRs/patches to a code base I don't understand well.

Personally I believe we should send IvyDE to the Apache Attic immediately, and 
this likely should be the destination for Ivy sooner or later as well.
In the case of Ivy we know there are people who depend on it (hi, Groovy
folks) so maybe we should give a date in the future until which we are 
providing security bug fixes to give people time to move off.

There may be the need for a dependency management system inside of Ant, I'm not 
sure. If so, then this should be driven by people who feel the actual need IMO. 
There may already be alternatives to Ivy I am not aware of.

Stefan


-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



RE: Future of Ivy and IvyDE

2023-08-22 Thread s.andre
Hi,

I can't really discuss how many developers use Ivy and how it is difficult
to maintain this project if there is not enough maintainers...

But I can give hints about our usage in our companies:
* We love "ant", it's for us a clear language syntax that can achieve our
build processes like we want (and we have a good expertise about it)
* We had need to move on more modern way to handle dependencies
* We use ivy for that
* We have a tight integration inside our custom CI chain and in our IDE. We
didn't use IvyDE

For sure, we know that "ant" is an older daddy inside the building tools
area

Ivy have their caveats but we are able to integrate it nicely inside our
build chain.
We can have 2 orientations:
* Move to another build tool and don’t use anymore ant
* Move to another dependency tool usable by ant (at this date, I'm not sure,
we have real alternative to Ivy)
* Continue to use Ant + Ivy as long as we can 

What I can say : we appreciate the couple of ant + ivy and if possible we
would love to continue to use them !

Sébastien.



-Message d'origine-
De : Stefan Bodewig  
Envoyé : mardi 22 août 2023 18:02
À : dev@ant.apache.org
Cc : u...@ant.apache.org; ivy-u...@ant.apache.org
Objet : Future of Ivy and IvyDE

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
  dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
  whole. The people on the PMC know I'd be writing a mail like this
  sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like to
share my thoughts - and raise the awareness of an elephant being in the
room.

Over the past year we've had three security vulnerabilities discovered in
Ivy and it took us much too long to get them fixed. The reason for this is
there are no people left around who are familiar with the Ivy code base.
Most of the remaining developers around Ant are not even users of Ivy - I
know I am not and have never been.

When it comes to IvyDE things are probably even worse as nobody of us uses
Eclipse, either. But then again I've not managed to create an Eclipse update
site for the last two Ivy releases so maybe nobody is using IvyDE anymore
anyway.

At least *I* don't see myself digging deeper into the Ivy code base in order
to fix non-critical bugs. And even for the critical ones I feel we are not
doing an adequate job. To me it looks as if Ivy and in particilar IvyDE are
no longer really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up to
maintain Ivy, the rest of the Ant devs would probably be unable to verify
the changes they want to make. At least I certainly am not willing to review
bigger PRs/patches to a code base I don't understand well.

Personally I believe we should send IvyDE to the Apache Attic immediately,
and this likely should be the destination for Ivy sooner or later as well.
In the case of Ivy we know there are people who depend on it (hi, Groovy
folks) so maybe we should give a date in the future until which we are
providing security bug fixes to give people time to move off.

There may be the need for a dependency management system inside of Ant, I'm
not sure. If so, then this should be driven by people who feel the actual
need IMO. There may already be alternatives to Ivy I am not aware of.

Stefan


-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org