Hi all:

IMO, it would be a shame to lose Ivy as a much simpler alternative to Maven.
It works well and I think there is very much still room for a dependency management tool that focuses on just that and not all the other things that Maven does. I am thankful for your work on it, Stefan.

I can confirm that in the not very distant past there were multiple people (including myself) who submitted pull requests for Ivy to both make improvements as well as address bugs. They were left to rot for far too long. It was frustrating to me that even a very simple patch required both a debate on its utility and then navigating pedantries on the coding approach before then taking nearly two years to get merged and incorporated into a release. I feel that people who were trying to get started maintaining Ivy, like myself, were simply put off by unresponsive committers. Absolutely I understand there is a lack of capacity of people to verify changes but the situation, at least with me, felt like simple gatekeeping.

For users of Eclipse IDE, IvyDE is wonderful and works as advertised. I've been using it successfully since 2010 or so and pretty much considered it "finished". But given the lack of development on it over the years though, I am actually surprised it's still functional in current IDE releases and I've wondered when it will finally break. I have looked at the IvyDE code in the past, it's not that much really, and at one point I tried (rather half-heartedly) to get an IDE development environment prepared and then just gave up...mostly because developing for Eclipse was too much of a big moving target for me, and also the code abstractions in place for such a modular and flexible IDE were tough for me to follow concretely.

I would really appreciate an update site for Ivy though as I've wondered how I can upgrade my IDE, easily, to use Ivy 2.5.{1,2}. It would be great if the existing update site for IvyDE [0] could at least be updated for the artifacts we have. There would very probably be no issues with IvyDE 2.2.0 working just fine using the latest Ivy release version.

I agree that it seems Ivy and IvyDE are not being supported adequately by the Ant project.
And I wish that weren't the case because they are excellent tools.

Not sure what I hope to achieve either with my message above, but I felt compelled to respond as a user who has appreciated Ivy and IvyDE for a long time. Maybe I'm the only one left!

Jason

[0] https://downloads.apache.org/ant/ivyde/updatesite/

On 8/22/2023 8:02 AM, Stefan Bodewig wrote:

Hi all

before I get to the actual content of this mail:

* I'm cross-posting to three lists but I ask you to keep responses to
   dev@ant only (and join the list if necessary) if you want to respond.

* what I write is my personal opinion and not shared by the PMC as a
   whole. The people on the PMC know I'd be writing a mail like this
   sooner or later, though.

* this is a discussion, not a vote.

phew

I'm not quite sure what I hope to achieve with this email, but I'd like
to share my thoughts - and raise the awareness of an elephant being in
the room.

Over the past year we've had three security vulnerabilities discovered
in Ivy and it took us much too long to get them fixed. The reason for
this is there are no people left around who are familiar with the Ivy
code base. Most of the remaining developers around Ant are not even
users of Ivy - I know I am not and have never been.

When it comes to IvyDE things are probably even worse as none of us
uses Eclipse, either. But then again I've not managed to create an
Eclipse update site for the last two Ivy releases so maybe nobody is
using IvyDE anymore anyway.

At least *I* don't see myself digging deeper into the Ivy code base in
order to fix non-critical bugs. And even for the critical ones I feel we
are not doing an adequate job. To me it looks as if Ivy and in
particular IvyDE are no longer really supported by the Ant project.

TBH I'm not quite sure what to do about this. Even if people stepped up
to maintain Ivy, the rest of the Ant devs would probably be unable to
verify the changes they want to make. At least I certainly am not
willing to review bigger PRs/patches to a code base I don't understand
well.

Personally I believe we should send IvyDE to the Apache Attic
immediately, and this likely should be the destination for Ivy sooner or
later as well. In the case of Ivy we know there are people who depend on
it (hi, Groovy folks) so maybe we should give a date in the future until
which we are providing security bug fixes to give people time to move
off.

There may be the need for a dependency management system inside of Ant,
I'm not sure. If so, then this should be driven by people who feel the
actual need IMO. There may already be alternatives to Ivy I am not aware
of.

Stefan



--
Jason Guild
Systems Programmer
Alaska Department of Transportation & Public Facilities
Statewide Administrative Services
820 E. 15th Ave.
Anchorage, Alaska 99501
