I also feel like this is what docker is for? It should be relatively
straightforward to start from a golang Dockerfile, add the files you need,
generate the docs and copy the result back out?

-Joey

On Wed, Apr 30, 2025 at 10:14 AM Chris Lohfink <clohfin...@gmail.com> wrote:

> Cassandra's rube goldberg build system is so incredibly painful to
> integrate inside corporate CI environments already... maybe docker
> containers so you dont actually install random tools on the host computer
> it might not have privileges to do?
>
> On Wed, Apr 30, 2025 at 6:13 AM Josh McKenzie <jmcken...@apache.org>
> wrote:
>
>> So while it would be nice to keep things such that someone just runs ant
>> and gets everything built, given this does not seem to be a standard method
>> of dealing with a go install in build scripts, I would suggest we stop
>> doing it.  It looks to be very simple to install  Go, so maybe switch to
>> telling someone how to install it if it is not found, as well as giving
>> them the setting to disable that artifact.
>>
>> +1 to Jeremiah's thoughts here.
>>
>> Passing thought - maybe introduce an "ant install-deps" target that'll
>> install deps if not found?
>>
>> On Tue, Apr 29, 2025, at 7:30 AM, Maxim Muzafarov wrote:
>>
>> Hey,
>>
>> I've prepared a python script that generates the same docs (no go
>> dependency). I use the jinja2 dependency, not sure if it's optimal
>> because I had to google how to use it though (also not sure if it has
>> to be run in docker).
>> I haven't tested the generated files with the website, but I've
>> compared the results with the same files in the trunk, and they look
>> similar (almost).
>>
>>
>> https://github.com/apache/cassandra/compare/trunk...Mmuzaf:cassandra:generate-cqlprotodocs-python
>>
>> On Tue, 29 Apr 2025 at 10:10, Benedict <bened...@apache.org> wrote:
>> >
>> > We should never download and install software via adhoc scripts without
>> user consent. Was this ever discussed on this mailing list? If not, it’s a
>> clear breach of policy (introducing a new dependency) and a severe one in
>> my opinion, as it seems to introduce a new supply chain attack vector for
>> all developers of Cassandra.
>> >
>> >
>> >
>> > On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote:
>> >
>> > 
>> >
>> >   .
>> >
>> >
>> >>
>> >> But that doesn’t seem to be the case here, the script checks for arm
>> vs amd64, Linux vs Mac, and then fetches and untars the go distro into tmp.
>> There is no verification of the download.  The only check is if curl
>> returned non 0.
>> >
>> >
>> >
>> > Thanks for catching this, the sha256 check should always have been in
>> place.  Adding this is just a one-liner, so that alone shouldn't force the
>> decision.
>> >
>> >
>> >
>> >> It looks to be very simple to install  Go
>> >
>> >
>> >
>> > It takes a bit to ensure all build and CI systems are updated, and we
>> never catch everything (esp what's downstream).
>> >
>> >
>> > While it's "simple", multiplied by everyone (and every system) it adds
>> up to be a significant time demand.
>> >
>> > Again, this too shouldn't be forcing the decision either way on what we
>> want to do.
>> >
>> >
>> >
>>
>>
>>

Reply via email to