Most of the discussion has happened in the PR: https://github.com/apache/cassandra/pull/1725
Leaving this thread open over the weekend to gather input.

> On Jul 20, 2022, at 10:40 AM, emmanuel warreng <emmanuel.warr...@gmail.com> wrote:
>
> Unsubscribe
>
> On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky <a...@aber.io> wrote:
> Hello all,
>
> We currently depend on Maven Ant Tasks (MAT) during build, for declaring
> dependencies and generating POM files from within build.xml. MAT has long
> been retired (no commits since maintenance in 2015), has registered CVEs in
> its dependencies (CVE-2017-1000487), and encourages migration to its
> successor, Maven Artifact Resolver Ant Tasks (MARAT). More detail in the
> Jira: https://issues.apache.org/jira/browse/CASSANDRA-17750
>
> I have a PR up to remove our dependency on MAT, with discussion from David
> Capwell and Mick Semb Wever: https://github.com/apache/cassandra/pull/1725
>
> There are two main items for wider discussion:
>
> 1. Is it worth addressing this CVE and retired dependency with changes to our
> build system, or should we suppress it?
>
> 2. Are there more alternatives to Maven Ant Tasks that should be considered,
> like Ivy?
>
> My stance, summarized from the PR comments, is that a retired dependency that
> does not receive security updates (current CVE or not) should be replaced by
> a maintained project, and that the general approach in the PR (give or take
> minor changes to POM packaging) is the one most compatible with our current
> approach, and does not preclude any build system changes in the near or
> distant future.
>
> Curious to hear from others.
>
> —
> Abe