Hi there,

I used to be involved, especially in IvyDE, and like many, my build tools and my 
IDE changed (for the IDE I am glad, not for the build tools…). So I had no 
particular interest in doing any maintenance, so much that I lost track of the 
last releases of Ivy, where I could help. Many many thanks to those still 
around who keep things not completely stalled, especially to those who don’t 
know the code base.

For IvyDE, we wanted to retire it some years ago. The community raised some 
interest, so we didn’t proceed. But many years later, the proof is that it is not 
maintained. I too think it should be retired now.

For the current IvyDE users, it shouldn’t be a concern that IvyDE is retired as 
an Apache project. You will still be able to continue to use the plugin. The 
released artifacts of the updatesite are archived [1] and won’t disappear. We 
would just be announcing officially what happens in practice: it is not maintained 
anymore.

And we tried our best to be open about how to build and release the plugin and 
the updatesite; it is documented [2]. On my machine, which just has Ant and 
Java installed, I just tried and I have been able to build the updatesite 
with the last release of Ivy without much effort. Doing a proper Apache release 
of that is another subject: there are signatures, at least verifying that it 
actually works in a real Eclipse, votes, and so on. And adding features and 
even fixing bugs is a very big step to get involved; it requires a complete 
Eclipse SDK setup. But at least headless, if it is required, I think anybody 
motivated enough should be able to rebuild it locally, the updatesite too. It 
wouldn’t be as user friendly as it is today, but you should be able to 
work with your preferred IDE and dependency manager for as long as Eclipse 
has 4.x versions.

Due to my particular former involvement in IvyDE (I know it well), and my lack 
of involvement in the Ant community lately (I don’t read all mailing lists), if 
you have issues with the build or the code of IvyDE, you can mail ant-dev@ 
and CC me directly.

That’s for IvyDE. For Ivy, it kind of feels different due to the general usage 
which continues to exist, as we can see people are searching for vulnerabilities 
in it.

I am very sorry to read about missed opportunities to help new contributors. I 
didn’t see them, very sorry about that.

Then, acknowledging that even fixing vulnerabilities is painful to the 
community, I think we should accept declaring that we officially stop the 
maintenance, stop the burden on people involved in the Ant project.

I hear the user community saying that we should still try our best to keep 
maintaining it, that it is still worth it; I understand.

So maybe we can declare a last call. The last maintenance window where only 
vulnerabilities will be fixed. Months? 6? And hope that before that deadline, 
there are some interested parties that are willing to do proper maintenance 
of the project, here at Apache or elsewhere.

Nicolas

[1] https://archive.apache.org/dist/ant/ivyde/updatesite/
[2] https://ant.apache.org/ivy/ivyde/history/latest-milestone/dev.html

> On 22 August 2023 at 18:02, Stefan Bodewig <bode...@apache.org> wrote:
> 
> Hi all
> 
> before I get to the actual content of this mail:
> 
> * I'm cross-posting to three lists but I ask you to keep responses to
>  dev@ant only (and join the list if necessary) if you want to respond.
> 
> * what I write is my personal opinion and not shared by the PMC as a
>  whole. The people on the PMC know I'd be writing a mail like this
>  sooner or later, though.
> 
> * this is a discussion, not a vote.
> 
> phew
> 
> I'm not quite sure what I hope to achieve with this email, but I'd like
> to share my thoughts - and raise the awareness of an elephant being in
> the room.
> 
> Over the past year we've had three security vulnerabilities discovered
> in Ivy and it took us much too long to get them fixed. The reason for
> this is there are no people left around who are familiar with the Ivy
> code base. Most of the remaining developers around Ant are not even
> users of Ivy - I know I am not and have never been.
> 
> When it comes to IvyDE things are probably even worse as none of us
> uses Eclipse, either. But then again I've not managed to create an
> Eclipse update site for the last two Ivy releases so maybe nobody is
> using IvyDE anymore anyway.
> 
> At least *I* don't see myself digging deeper into the Ivy code base in
> order to fix non-critical bugs. And even for the critical ones I feel we
> are not doing an adequate job. To me it looks as if Ivy and in
> particular IvyDE are no longer really supported by the Ant project.
> 
> TBH I'm not quite sure what to do about this. Even if people stepped up
> to maintain Ivy, the rest of the Ant devs would probably be unable to
> verify the changes they want to make. At least I certainly am not
> willing to review bigger PRs/patches to a code base I don't understand
> well.
> 
> Personally I believe we should send IvyDE to the Apache Attic
> immediately, and this likely should be the destination for Ivy sooner or
> later as well. In the case of Ivy we know there are people who depend on
> it (hi, Groovy folks) so maybe we should give a date in the future until
> which we are providing security bug fixes to give people time to move
> off.
> 
> There may be the need for a dependency management system inside of Ant,
> I'm not sure. If so, then this should be driven by people who feel the
> actual need IMO. There may already be alternatives to Ivy I am not aware
> of.
> 
> Stefan
> 