Please read the following in full, as I am starting my argument not at Ivy itself, but it is still the focus of this response.
I think the core shortcoming of Ant is its inability to bootstrap easily in a portable manner. You cannot simply use a build file and say 'go build' as you have to install Ant tasks to make that happen. I feel that ivy fixes this and does it in a fairly flexible way. If anything, I would start bundling ivy into ant and install it as default, including a prelude for fetching tasks from Maven central. For very low cost this achieves three things: 1. Makes ant builds more portable. 2. Gives Ivy more publicity and application. 3. Moves two strongly related projects closer together. As for IvyDE I would shelve it for the moment. Along the proposal above I can see a future for it as backing for a more capable Ant environment. JG On Wed, 23 Aug 2023 at 11:20, Jaikiran Pai <jaiki...@apache.org> wrote: > I agree with what Stefan notes in his mail. Some years back when I > started contributing to Ivy, I realized that the documentation (formal > or informal) related to the internal implementation details of Ivy is > non-existent. Sometimes I had to select a file, go over its commit > history then go read all JIRAs that were part of those commit logs and > even then, a lot of the information was either missing or outdated. At > that time, I used to use Ivy in some of our projects, so I could keep > refreshing with the code base and relate to it, so that whenever I had > to fix a bug or add something, I had the previous collected knowledge of > the Ivy code already fresh (to some extent) in my mind. It's now been > some years since I have used Ivy and I no longer have the Ivy codebase > knowledge in my mind. Like Stefan noted, these recent vulnerability > fixes took the Ant team a lot of time and energy to fix because of these > issues. Personally, I don't expect myself to have the ability to > continue contributing to Ivy. > > As for IvyDE, on the development front, it has seen no movement. I am > not even sure if it builds with the current Eclipse versions. I hadn't > contributed to it, but I remember that when releasing Ivy 2.5.0, it was > struggle to update the IvyDE update site. > > -Jaikiran > > On 22/08/23 9:32 pm, Stefan Bodewig wrote: > > Hi all > > > > before I get to the actual content of this mail: > > > > * I'm cross-posting to three lists but I ask you to keep responses to > > dev@ant only (and join the list if necessary) if you want to respond. > > > > * what I write is my personal opinion and not shared by the PMC as a > > whole. The people on the PMC know I'd be writing a mail like this > > sooner or later, though. > > > > * this is a discussion, not a vote. > > > > phew > > > > I'm not quite sure what I hope to achieve with this email, but I'd like > > to share my thoughts - and raise the awareness of an elephant being in > > the room. > > > > Over the past year we've had three security vulnerabilities discovered > > in Ivy and it took us much too long to get them fixed. The reason for > > this is there are no people left around who are familiar with the Ivy > > code base. Most of the remaining developers around Ant are not even > > users of Ivy - I know I am not and have never been. > > > > When it comes to IvyDE things are probably even worse as nobody of us > > uses Eclipse, either. But then again I've not managed to create an > > Eclipse update site for the last two Ivy releases so maybe nobody is > > using IvyDE anymore anyway. > > > > At least *I* don't see myself digging deeper into the Ivy code base in > > order to fix non-critical bugs. And even for the critical ones I feel we > > are not doing an adequate job. To me it looks as if Ivy and in > > particilar IvyDE are no longer really supported by the Ant project. > > > > TBH I'm not quite sure what to do about this. Even if people stepped up > > to maintain Ivy, the rest of the Ant devs would probably be unable to > > verify the changes they want to make. At least I certainly am not > > willing to review bigger PRs/patches to a code base I don't understand > > well. > > > > Personally I believe we should send IvyDE to the Apache Attic > > immediately, and this likely should be the destination for Ivy sooner or > > later as well. In the case of Ivy we know there are people who depend on > > it (hi, Groovy folks) so maybe we should give a date in the future until > > which we are providing security bug fixes to give people time to move > > off. > > > > There may be the need for a dependency management system inside of Ant, > > I'm not sure. If so, then this should be driven by people who feel the > > actual need IMO. There may already be alternatives to Ivy I am not aware > > of. > > > > Stefan > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org > > For additional commands, e-mail: dev-h...@ant.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org > For additional commands, e-mail: dev-h...@ant.apache.org > > -- 730 Hawkesbury Road Anstead, QLD 4070 Australia email: jgsu...@gmail.com
