Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread Abe Ratnofsky
Most of the discussion has happened in the PR: https://github.com/apache/cassandra/pull/1725

Leaving this thread open over the weekend to gather input.

> On Jul 20, 2022, at 10:40 AM, emmanuel warreng wrote:
>
> Unsubscribe
>
> On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread emmanuel warreng
Unsubscribe

On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky wrote:

> Hello all,
>
> We currently depend on Maven Ant Tasks (MAT) during build, for declaring dependencies and generating POM files from within build.xml. MAT has long been retired (no commits since maintenance in 2015), has registered

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread emmanuel warreng
Unsubscribe

On Tue, Jul 19, 2022, 22:03 Mick Semb Wever wrote:

> Rehashing some of the aspects raised by the PR…
>
>> 1. Is it worth addressing this CVE and retired dependency with changes to our build system, or should we suppress it?
>
> If we are not exposed to the CVE then it

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Derek Chen-Becker
I guess dependency management is circular like fashion :)

Are the concerns enumerated in that ticket still valid today? It looks like the makepom command can take a template for the POM, so that might be a way to deal with inconsistencies?

Cheers,

Derek

On Tue, Jul 19, 2022 at 2:35 PM Brandon Wi

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Brandon Williams
Ivy is actually how we got to MAT: https://issues.apache.org/jira/browse/CASSANDRA-2017

Kind Regards,
Brandon

On Tue, Jul 19, 2022 at 3:33 PM Derek Chen-Becker wrote:

> Sorry, I put a comment about this in the PR before seeing this. I think if Ivy fits better with Ant, is more compact, and

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Derek Chen-Becker
Sorry, I put a comment about this in the PR before seeing this. I think if Ivy fits better with Ant, is more compact, and can do everything that we were using MAT for, then that's a reasonable path forward. I don't think Ivy syntax for dependencies will be foreign to anyone familiar with Maven. De

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Mick Semb Wever
Rehashing some of the aspects raised by the PR…

> 1. Is it worth addressing this CVE and retired dependency with changes to our build system, or should we suppress it?

If we are not exposed to the CVE then it should be considered suppressed. While this might address (remove) the urgency of