I also feel like this is what docker is for? It should be relatively straightforward to start from a golang Dockerfile, add the files you need, generate the docs and copy the result back out?
-Joey On Wed, Apr 30, 2025 at 10:14 AM Chris Lohfink <clohfin...@gmail.com> wrote: > Cassandra's rube goldberg build system is so incredibly painful to > integrate inside corporate CI environments already... maybe docker > containers so you dont actually install random tools on the host computer > it might not have privileges to do? > > On Wed, Apr 30, 2025 at 6:13 AM Josh McKenzie <jmcken...@apache.org> > wrote: > >> So while it would be nice to keep things such that someone just runs ant >> and gets everything built, given this does not seem to be a standard method >> of dealing with a go install in build scripts, I would suggest we stop >> doing it. It looks to be very simple to install Go, so maybe switch to >> telling someone how to install it if it is not found, as well as giving >> them the setting to disable that artifact. >> >> +1 to Jeremiah's thoughts here. >> >> Passing thought - maybe introduce an "ant install-deps" target that'll >> install deps if not found? >> >> On Tue, Apr 29, 2025, at 7:30 AM, Maxim Muzafarov wrote: >> >> Hey, >> >> I've prepared a python script that generates the same docs (no go >> dependency). I use the jinja2 dependency, not sure if it's optimal >> because I had to google how to use it though (also not sure if it has >> to be run in docker). >> I haven't tested the generated files with the website, but I've >> compared the results with the same files in the trunk, and they look >> similar (almost). >> >> >> https://github.com/apache/cassandra/compare/trunk...Mmuzaf:cassandra:generate-cqlprotodocs-python >> >> On Tue, 29 Apr 2025 at 10:10, Benedict <bened...@apache.org> wrote: >> > >> > We should never download and install software via adhoc scripts without >> user consent. Was this ever discussed on this mailing list? If not, it’s a >> clear breach of policy (introducing a new dependency) and a severe one in >> my opinion, as it seems to introduce a new supply chain attack vector for >> all developers of Cassandra. >> > >> > >> > >> > On 29 Apr 2025, at 08:17, Mick Semb Wever <m...@apache.org> wrote: >> > >> > >> > >> > . >> > >> > >> >> >> >> But that doesn’t seem to be the case here, the script checks for arm >> vs amd64, Linux vs Mac, and then fetches and untars the go distro into tmp. >> There is no verification of the download. The only check is if curl >> returned non 0. >> > >> > >> > >> > Thanks for catching this, the sha256 check should always have been in >> place. Adding this is just a one-liner, so that alone shouldn't force the >> decision. >> > >> > >> > >> >> It looks to be very simple to install Go >> > >> > >> > >> > It takes a bit to ensure all build and CI systems are updated, and we >> never catch everything (esp what's downstream). >> > >> > >> > While it's "simple", multiplied by everyone (and every system) it adds >> up to be a significant time demand. >> > >> > Again, this too shouldn't be forcing the decision either way on what we >> want to do. >> > >> > >> > >> >> >>
