Unsubscribe

On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky <a...@aber.io> wrote:

> Hello all,
>
> We currently depend on Maven Ant Tasks (MAT) during build, for declaring
> dependencies and generating POM files from within build.xml. MAT has long
> been retired (no commits since maintenance in 2015), has registered CVEs in
> its dependencies (CVE-2017-1000487), and encourages migration to its
> successor, Maven Artifact Resolver Ant Tasks (MARAT). More detail in the
> Jira: https://issues.apache.org/jira/browse/CASSANDRA-17750
>
> I have a PR up to remove our dependency on MAT, with discussion from David
> Capwell and Mick Semb Wever: https://github.com/apache/cassandra/pull/1725
>
> There are two main items for wider discussion:
>
> 1. Is it worth addressing this CVE and retired dependency with changes to
> our build system, or should we suppress it?
>
> 2. Are there more alternatives to Maven Ant Tasks that should be
> considered, like Ivy?
>
> My stance, summarized from the PR comments, is that a retired dependency
> that does not receive security updates (current CVE or not) should be
> replaced by a maintained project, and that the general approach in the PR
> (give or take minor changes to POM packaging) is the one most compatible
> with our current approach, and does not preclude any build system changes
> in the near or distant future.
>
> Curious to hear from others.
>
> —
> Abe