Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread Abe Ratnofsky
Most of the discussion has happened in the PR: https://github.com/apache/cassandra/pull/1725

Leaving this thread open over the weekend to gather input.

> On Jul 20, 2022, at 10:40 AM, emmanuel warreng wrote:
>
> Unsubscribe
>
> On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread emmanuel warreng
Unsubscribe

On Tue, Jul 19, 2022, 21:20 Abe Ratnofsky wrote:

> Hello all,
>
> We currently depend on Maven Ant Tasks (MAT) during build, for declaring
> dependencies and generating POM files from within build.xml. MAT has long
> been retired (no commits since maintenance in 2015), has registered

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-20 Thread emmanuel warreng
Unsubscribe

On Tue, Jul 19, 2022, 22:03 Mick Semb Wever wrote:

> Rehashing some of the aspects raised by the PR…
>
>> 1. Is it worth addressing this CVE and retired dependency with changes to
>> our build system, or should we suppress it?
>
> If we are not exposed to the CVE then it

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Derek Chen-Becker
I guess dependency management is circular like fashion :) Are the concerns enumerated in that ticket still valid today? It looks like the makepom command can take a template for the POM, so that might be a way to deal with inconsistencies?

Cheers,
Derek

On Tue, Jul 19, 2022 at 2:35 PM Brandon Wi

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Brandon Williams
Ivy is actually how we got to MAT: https://issues.apache.org/jira/browse/CASSANDRA-2017

Kind Regards,
Brandon

On Tue, Jul 19, 2022 at 3:33 PM Derek Chen-Becker wrote:

> Sorry, I put a comment about this in the PR before seeing this. I think if
> Ivy fits better with Ant, is more compact, and

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Derek Chen-Becker
Sorry, I put a comment about this in the PR before seeing this. I think if Ivy fits better with Ant, is more compact, and can do everything that we were using MAT for, then that's a reasonable path forward. I don't think Ivy syntax for dependencies will be foreign to anyone familiar with Maven. De

Re: [DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Mick Semb Wever
Rehashing some of the aspects raised by the PR…

> 1. Is it worth addressing this CVE and retired dependency with changes to
> our build system, or should we suppress it?

If we are not exposed to the CVE then it should be considered suppressed. While this might address (remove) the urgency of

[DISCUSS] CASSANDRA-17750: Security migration away from Maven Ant Tasks

2022-07-19 Thread Abe Ratnofsky
Hello all, We currently depend on Maven Ant Tasks (MAT) during build, for declaring dependencies and generating POM files from within build.xml. MAT has long been retired (no commits since maintenance in 2015), has registered CVEs in its dependencies (CVE-2017-1000487), and encourages migration