divijvaidya commented on PR #16295:
URL: https://github.com/apache/kafka/pull/16295#issuecomment-2173096690

   I am not a big fan of taking a dependency on a project maintained by a 
single developer as it's a huge supply chain risk (cue: https://xkcd.com/2347/) 
   
![dependency](https://github.com/apache/kafka/assets/71267/0ee6d265-c43f-4906-88fa-a53f6ee05a72)
   
   
   Our dependency on zstd-jni falls in the same category which makes me 
nervous. Nevertheless, coming back to the topic, I agree that releases on 
https://github.com/johnrengelman/shadow seem to have stalled and hence, it 
makes sense to use an alternative in the short term. Using 
https://github.com/Goooler/shadow sounds good to me.
   
   Alternatively, can we get rid of usage of the shadow plugin? I observe that 
the use case for this plugin is to create a fat jar for `jmh-benchmarks`. I 
haven't explored this option, but from a quick look, it looks like we could use 
a few lines of vanilla Gradle to achieve the same result (instead of relying on 
a dependency)? (see https://www.baeldung.com/gradle-fat-jar)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.