Hi all before I get to the actual content of this mail:
* I'm cross-posting to three lists but I ask you to keep responses to dev@ant only (and join the list if necessary) if you want to respond. * what I write is my personal opinion and not shared by the PMC as a whole. The people on the PMC know I'd be writing a mail like this sooner or later, though. * this is a discussion, not a vote. phew I'm not quite sure what I hope to achieve with this email, but I'd like to share my thoughts - and raise the awareness of an elephant being in the room. Over the past year we've had three security vulnerabilities discovered in Ivy and it took us much too long to get them fixed. The reason for this is there are no people left around who are familiar with the Ivy code base. Most of the remaining developers around Ant are not even users of Ivy - I know I am not and have never been. When it comes to IvyDE things are probably even worse as nobody of us uses Eclipse, either. But then again I've not managed to create an Eclipse update site for the last two Ivy releases so maybe nobody is using IvyDE anymore anyway. At least *I* don't see myself digging deeper into the Ivy code base in order to fix non-critical bugs. And even for the critical ones I feel we are not doing an adequate job. To me it looks as if Ivy and in particilar IvyDE are no longer really supported by the Ant project. TBH I'm not quite sure what to do about this. Even if people stepped up to maintain Ivy, the rest of the Ant devs would probably be unable to verify the changes they want to make. At least I certainly am not willing to review bigger PRs/patches to a code base I don't understand well. Personally I believe we should send IvyDE to the Apache Attic immediately, and this likely should be the destination for Ivy sooner or later as well. In the case of Ivy we know there are people who depend on it (hi, Groovy folks) so maybe we should give a date in the future until which we are providing security bug fixes to give people time to move off. There may be the need for a dependency management system inside of Ant, I'm not sure. If so, then this should be driven by people who feel the actual need IMO. There may already be alternatives to Ivy I am not aware of. Stefan --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@ant.apache.org For additional commands, e-mail: user-h...@ant.apache.org
