Thank you for all your years of work on Ivy. Ivy is the only dependency resolver that I know that supports branches during resolution. Even Gradle does not have first class support for branches.
Martin ________________________________ From: Jaikiran Pai <jaiki...@apache.org> Sent: October 8, 2024 10:56 AM To: Ant Developers List <d...@ant.apache.org> Cc: user@ant.apache.org <user@ant.apache.org>; ivy-u...@ant.apache.org <ivy-u...@ant.apache.org> Subject: [**EXTERNAL**] Re: Future of Ivy and IvyDE Hello everyone, Here's an update to this discussion - for reasons noted in this discussion, the Ant PMC no longer has the ability to maintain Ivy project. This thread was started more than a year back and we were hoping that if there was enough interest then there would be some proposals to fork the project or maintain the project outside of the Ant PMC by people who have the ability to provide continued maintenance to the Ivy project. Given the current status, the Ant PMC is considering initiating a vote to retire the Ivy project (like we did for the IvyDE project). We plan to initiate the vote next month (November) just to allow a few more weeks for anyone to step forward if they would like to maintain the project. -Jaikiran On 22/08/23 9:32 pm, Stefan Bodewig wrote: > Hi all > > before I get to the actual content of this mail: > > * I'm cross-posting to three lists but I ask you to keep responses to > dev@ant only (and join the list if necessary) if you want to respond. > > * what I write is my personal opinion and not shared by the PMC as a > whole. The people on the PMC know I'd be writing a mail like this > sooner or later, though. > > * this is a discussion, not a vote. > > phew > > I'm not quite sure what I hope to achieve with this email, but I'd like > to share my thoughts - and raise the awareness of an elephant being in > the room. > > Over the past year we've had three security vulnerabilities discovered > in Ivy and it took us much too long to get them fixed. The reason for > this is there are no people left around who are familiar with the Ivy > code base. Most of the remaining developers around Ant are not even > users of Ivy - I know I am not and have never been. > > When it comes to IvyDE things are probably even worse as nobody of us > uses Eclipse, either. But then again I've not managed to create an > Eclipse update site for the last two Ivy releases so maybe nobody is > using IvyDE anymore anyway. > > At least *I* don't see myself digging deeper into the Ivy code base in > order to fix non-critical bugs. And even for the critical ones I feel we > are not doing an adequate job. To me it looks as if Ivy and in > particilar IvyDE are no longer really supported by the Ant project. > > TBH I'm not quite sure what to do about this. Even if people stepped up > to maintain Ivy, the rest of the Ant devs would probably be unable to > verify the changes they want to make. At least I certainly am not > willing to review bigger PRs/patches to a code base I don't understand > well. > > Personally I believe we should send IvyDE to the Apache Attic > immediately, and this likely should be the destination for Ivy sooner or > later as well. In the case of Ivy we know there are people who depend on > it (hi, Groovy folks) so maybe we should give a date in the future until > which we are providing security bug fixes to give people time to move > off. > > There may be the need for a dependency management system inside of Ant, > I'm not sure. If so, then this should be driven by people who feel the > actual need IMO. There may already be alternatives to Ivy I am not aware > of. > > Stefan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org > For additional commands, e-mail: dev-h...@ant.apache.org
