  1. Apache Fineract
  2. FINERACT-761

Use of (unmaintained) Drizzle JDBC driver in Fineract Build (not run-time) prevents upgrading Flyway <- Gradle


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.4.0
    • Component/s: Build
    • Labels:
      None

      Description

      Raising an issue for a discussion dedicated to the mess that is blocking FINERACT-700 from proceeding:
       
      https://lists.apache.org/thread.html/3fade23ba553a248481bd6e066cea1548d800be1454da16bb5d2c038@%3Cdev.fineract.apache.org%3E

      Also see https://github.com/flyway/flyway/issues/2332

      The TL;DR is that the Apache Fineract project is stuck on very ancient versions of a number of 3rd party tools and libraries, including the Gradle Build tools, JDBC driver, automated code quality tools like FindBugs (which has security related impacts; more recent versions would permit switching to SpotBugs and add automated SQL injection vulnerability scanning and the like).

      It's a long tail of dependencies, but ultimately it boils down to having to talk to a MariaDB server using the bygone obsolete Drizzle JDBC driver which, as can be seen on https://github.com/krummas/DrizzleJDBC, is simply dead - unmaintained. The obvious solution is to switch to using the current MariaDB.org (but not Oracle.com...) Connector/J JDBC driver, see https://downloads.mariadb.org/connector-java/. But there are hesitations to do this due to legal concerns, see FINCN-26 (which is for Fineract CN not for Fineract "Classic", but same story).

      Not entirely sure how to proceed here. In theory, I guess the options are:

      1. Asking the Fineract project to somehow step up to maintain Drizzle? Seems unreasonable.

      2. See if there is any way that the impasse on the legal side could be resolved? Perhaps at least for a build time tool which is not shipped there could be an exception? I've opened LEGAL-462 to get an official viewpoint from the Apache.org Legal Affairs Committee...

              People

              • Assignee:
                vorburger Michael Vorburger
                Reporter:
                vorburger Michael Vorburger

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 10m