Unsubscribe

On Tue, Jul 19, 2022, 22:03 Mick Semb Wever <m...@apache.org> wrote:
> Rehashing some of the aspects raised by the PR…
>
>> 1. Is it worth addressing this CVE and retired dependency with changes to
>> our build system, or should we suppress it?
>
> If we are not exposed to the CVE then it should be considered suppressed.
> While this might address (remove) the urgency of the matter, it is not an
> argument against replacing and improving a deprecated and unmaintained
> dependency.
>
>> 2. Are there more alternatives to Maven Ant Tasks that should be
>> considered, like Ivy?
>
> The question here is… If we are to replace MARAT, then *what* dependency
> framework/format do we want to work with moving forward?
>
> The choices are:
> - maven
> - ivy
> - gradle
>
> Note this is ONLY for dependency management, and is only about the
> replacement for this section:
> https://github.com/apache/cassandra/blob/315a1a7/build.xml#L507-L873
>
> It is a requirement that whatever framework/format we choose it can be
> generated into the pom(s) we publish via repository.apache.org.
> For example maven pom files would be used directly, ivy could use the
> `makepom` command and gradle the `maven-publish` plugin.
>
> Ivy and Gradle provide more compact dependency declarations, Ivy fits in
> better with Ant, and most are familiar with Maven (and it would avoid the
> generation step).
>
> What is the best fit for us moving forward?