ITP: leiningen -- simple build system for Clojure
Elana Hashman
debian at hashman.ca
Mon May 8 18:30:57 UTC 2017
I mentioned this on IRC, but also wanted to send a message out to the bug list
for posterity...
I've hit a bit of a snag with the libpomegranate-clojure packaging (#852246).
While I did get the package to build, it doesn't actually work. I realized it
relies on Maven 3.0.4, which is only packaged in old-stable. Jessie packages
version 3.0.5, and testing/unstable has 3.3.9. There are many breaking changes
between Maven 3.0.4 and 3.3.9.
Maven 3.0.4 poses two problems: first, it is affected by a medium-severity
CVE[1] and should be patched to 3.0.5. Second, it relies on an old version of
Aether under org.sonatype. Aether moved from being maintained by Sonatype to
being maintained by Eclipse in 2012, and then Eclipse archived the Aether
project in 2016. The Aether changes are why pomegranate does not work against
Maven 3.3.9; many classes have been renamed, refactored, and moved. The most
recent Maven release, 3.5.0, covers the migration of the Aether code directly
into the Maven project.[2] It was released very recently, at the beginning of
April.
I see there's been some community effort to migrate pomegranate to Maven 3.3.9,
but it has not yet succeeded.[3] I took a look at doing that last night, and it
turns out to be quite complex. Hence, I see the following possible paths
forward:
- Upgrade upstream (whether that involves changes in pomegranate or directly in
leiningen) to use Maven 3.5.0, and wait for Maven 3.5.0 to be packaged for
unstable.
- Upgrade upstream to use Maven 3.3.9.
I don't think that including a Maven 3.0.5 package just for leiningen is
possible, and that would also just constitute a stopgap in my opinion.
Upgrading to Maven 3.5.0 is, in my opinion, the best option, as 3.3.9 depends
on orphaned versions of Aether.
Thoughts?
- e
[1]: https://maven.apache.org/security.html
[2]: https://maven.apache.org/docs/3.5.0/release-notes.html
[3]: https://github.com/cemerick/pomegranate/pull/80