[ https://issues.apache.org/jira/browse/MSHARED-683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16368186#comment-16368186 ]
Chris West (Faux) commented on MSHARED-683:
-------------------------------------------

First of all: Sorry, I acknowledge I have no real understanding of what this library does, I'm just here to dump patches and hope someone competent reviews them. :)

It sounds like perhaps you would like the code to support aether-api and eclipse-aether-api, and use the maven-resolver implementations (i.e. the util packages)? I get the feeling that that would be quite a risky change.

The problem I'm trying to address here is that Linux distributions (such as Debian), and security-conscious organisations, try to build their entire ecosystem from source, ensuring that only supported (or, even, not-blacklisted) libraries are used. Currently, maven-common-artifact-filters is the only thing which depends on either "aether", and the aethers depend on lots of scary old libraries, like async-http-client-1.x and netty-3.x, both of which are out of support and considered a security problem. If maven-common-artifact-filters moves to maven-resolver, then those libraries drop out of my source tree, and I'm happier.

I also realise that, due to the old binaries being available on Maven Central, this isn't a big problem for most Java projects, but you should be aware that you probably don't want to be using aether -> async-http -> netty-3.x's SSL/HTTPS code going forwards, as it has probably got some scary problems in it, for example. This is the same problem the distros are trying to address.
> Use maven-resolver instead of (eclipse-)aether
> ----------------------------------------------
>
>                 Key: MSHARED-683
>                 URL: https://issues.apache.org/jira/browse/MSHARED-683
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-common-artifact-filters
>            Reporter: Chris West (Faux)
>            Priority: Major
>
> PR: https://github.com/apache/maven-common-artifact-filters/pull/1
> Stop using the old `aether` and `eclipse-aether` libraries, whose code is now part of `maven-resolver`, under the `org.eclipse` package. The old libraries are very abandoned, to the point that their websites have gone missing. They depend on some scarily broken libraries, which is a problem for distros like Debian.
> Tests green. The only non-find-and-replace changes are to add some properties:
> * `<javaVersion>7`, as `maven-resolver` uses 7 and otherwise enforcer gets angry, and
> * `<maven.version>3.5.2`, as pre-3.5 maven used aether for other reasons, so it still ends up polluting the tree.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
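The thread's stated goal is that, after the switch to maven-resolver, the old aether artifacts and their async-http-client 1.x / netty 3.x transitive dependencies drop out of the dependency tree. The script below is an added example, not code from the JIRA thread or from maven-common-artifact-filters: it scans `mvn dependency:tree` output for those artifacts so a build can fail before they are consumed. The two sample trees (and every version number in them) are constructed for illustration; the function names `find_unsupported` and `count_unsupported` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the JIRA thread or of maven-common-artifact-filters):
# scan `mvn dependency:tree` output for the artifacts the thread calls out as
# unsupported (old aether, async-http-client 1.x, netty 3.x).
# The sample trees below are constructed, version numbers included; they are not
# captured from the real project.

TREE_BEFORE='[INFO] org.apache.maven.shared:maven-common-artifact-filters:jar:3.0.2-SNAPSHOT
[INFO] +- org.sonatype.aether:aether-api:jar:1.13.1:compile
[INFO] +- org.eclipse.aether:aether-api:jar:0.9.0.M2:compile
[INFO] +- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] \- org.sonatype.aether:aether-connector-asynchttpclient:jar:1.13.1:compile
[INFO]    +- com.ning:async-http-client:jar:1.6.5:compile
[INFO]    \- org.jboss.netty:netty:jar:3.2.5.Final:compile'

TREE_AFTER='[INFO] org.apache.maven.shared:maven-common-artifact-filters:jar:3.0.2-SNAPSHOT
[INFO] +- org.apache.maven.resolver:maven-resolver-api:jar:1.1.1:compile
[INFO] \- org.apache.maven.resolver:maven-resolver-util:jar:1.1.1:compile'

# find_unsupported TREE_TEXT
# Prints each flagged coordinate (groupId:artifactId:type:version:scope) and
# exits 1 if any were found, 0 otherwise. Matching is on the Maven groupId, not
# the Java package: maven-resolver keeps the org.eclipse.aether *package* but
# ships under the org.apache.maven.resolver *groupId*, so it is not flagged.
find_unsupported() {
    printf '%s\n' "$1" | awk '
        BEGIN { hits = 0 }
        {
            coord = $NF                               # the coordinate is the last field
            if (coord !~ /^[^:]+:[^:]+:[^:]+:/) next  # skip lines that are not coordinates
            if (coord ~ /^(org[.]sonatype[.]aether|org[.]eclipse[.]aether):/ ||
                coord ~ /^com[.]ning:async-http-client:/ ||
                coord ~ /^org[.]jboss[.]netty:netty:/) {
                print coord
                hits++
            }
        }
        END { exit (hits > 0 ? 1 : 0) }'
}

# count_unsupported TREE_TEXT: number of flagged coordinates; always exits 0.
count_unsupported() {
    find_unsupported "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed samples (prints only, never fails the script).
echo "before migration: $(count_unsupported "$TREE_BEFORE") unsupported artifact(s)"
echo "after migration:  $(count_unsupported "$TREE_AFTER") unsupported artifact(s)"
```

In a CI job the same check runs against a live tree with `find_unsupported "$(mvn -B dependency:tree)"`; its non-zero exit status is what fails the build. Keying the match on the groupId rather than the `org.eclipse.aether` package is deliberate, since the package name alone cannot distinguish the abandoned eclipse-aether jars from maven-resolver.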