Rehashing some of the aspects raised by the PR…
> 1. Is it worth addressing this CVE and retired dependency with changes to
> our build system, or should we suppress it?

If we are not exposed to the CVE then it should be considered suppressed. While this might address (remove) the urgency of the matter, it is not an argument against replacing and improving a deprecated and unmaintained dependency.

> 2. Are there more alternatives to Maven Ant Tasks that should be
> considered, like Ivy?

The question here is… If we are to replace MARAT, then *what* dependency framework/format do we want to work with moving forward?

The choices are:
- maven
- ivy
- gradle

Note this is ONLY for dependency management, and is only about the replacement for this section: https://github.com/apache/cassandra/blob/315a1a7/build.xml#L507-L873

It is a requirement that whatever framework/format we choose, it can be generated into the pom(s) we publish via repository.apache.org

For example, maven pom files would be used directly, ivy could use the `makepom` command and gradle the `maven-publish` plugin.

Ivy and Gradle provide more compact dependency declarations, Ivy fits in better with Ant, and most are familiar with Maven (and it would avoid the generation step).

What is the best fit for us moving forward?