SbloodyS commented on code in PR #16352:
URL:
https://github.com/apache/dolphinscheduler/pull/16352#discussion_r1805997321
##########
dolphinscheduler-dist/release-docs/LICENSE:
##########
@@ -572,11 +572,23 @@ The text of each license is also included at
licenses/LICENSE-[project].txt.
tea-rpc-util 0.1.3.jar
https://github.com/aliyun/aliyun-openapi-java-sdk/blob/master/README.md#license
Apache 2.0
tea-util 0.2.13.jar
https://github.com/aliyun/aliyun-openapi-java-sdk/blob/master/README.md#license
Apache 2.0
delight-nashorn-sandbox 0.3.2
https://github.com/javadelight/delight-nashorn-sandbox/blob/master/README.md#license
Apache 2.0
-
-
-
-
-
+ jraft-core 1.3.14:
https://mvnrepository.com/artifact/com.alipay.sofa/jraft-core/1.3.14 Apache 2.0
+ jctools-core 2.1.1:
https://mvnrepository.com/artifact/org.jctools/jctools-core/2.1.1 Apache 2.0
+ commons-lang 2.6
https://mvnrepository.com/artifact/commons-lang/commons-lang/2.6 Apache 2.0
+ hessian 3.3.6:
https://mvnrepository.com/artifact/com.alipay.sofa/hessian/3.3.6 Apache 2.0
+ metrics-core 4.2.11:
https://mvnrepository.com/artifact/io.dropwizard.metrics/metrics-core/4.2.11
Apache 2.0
+ affinity 3.1.7:
https://mvnrepository.com/artifact/net.openhft/affinity/3.1.7, Apache 2.0
+ disruptor 3.3.7:
https://mvnrepository.com/artifact/com.lmax/disruptor/3.3.7, Apache 2.0
+ commons-compress 1.21:
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.21
Apache 2.0
+ bolt 1.6.4: https://mvnrepository.com/artifact/com.alipay.sofa/bolt/1.6.4,
Apache 2.0
+ rocksdbjni 8.8.1:
https://mvnrepository.com/artifact/org.rocksdb/rocksdbjni/8.8.1, Apache 2.0
+ jraft-rheakv-core 1.3.14:
https://mvnrepository.com/artifact/com.alipay.sofa/jraft-rheakv-core/1.3.14,
Apache 2.0
+ sofa-common-tools 1.0.12:
https://mvnrepository.com/artifact/com.alipay.sofa.common/sofa-common-tools/1.0.12
Apache 2.0
+ annotations 12.0:
https://mvnrepository.com/artifact/com.intellij/annotations/12.0 Apache 2.0
+ protostuff-core 1.7.2:
https://mvnrepository.com/artifact/io.protostuff/protostuff-core/1.7.2 Apache
2.0
+ protostuff-api 1.7.2:
https://mvnrepository.com/artifact/io.protostuff/protostuff-api/1.7.2 Apache 2.0
+ protostuff-runtime 1.7.2:
https://mvnrepository.com/artifact/io.protostuff/protostuff-runtime/1.7.2
Apache 2.0
+ protostuff-collectionschema 1.7.2:
https://mvnrepository.com/artifact/io.protostuff/protostuff-collectionschema/1.7.2
Apache 2.0
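Review bot: The added entries from jraft-core 1.3.14 through protostuff-collectionschema 1.7.2 do not follow the layout of the existing entries above them, and they are inconsistent with each other. Some put a colon after the version while `commons-lang 2.6` does not, and some separate the URL from `Apache 2.0` with a comma while others do not. All of them link to mvnrepository.com artifact pages, whereas the tea-rpc-util, tea-util and delight-nashorn-sandbox entries link to the upstream project's own license section. Suggest using one layout and pointing each URL at the upstream license, so that the declared license can be checked against its source. The context line at the top of the hunk says the text of each license is included at licenses/LICENSE-[project].txt, so each of the 17 new dependencies needs a matching file there; none is visible in this hunk. The hunk also removes five blank lines ahead of the new entries, which is worth confirming as intentional.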
Review Comment:
> The raft plugin depends on alipay jraft's rheakv, and other raft
> implementations do not have this kv store, if can't rely on alipay's jar, then
> this pr can't be continued, do you want to terminate this pr?

Open source projects are submitted to PR voluntarily and free of charge.
Please notice that not all PRs will be accepted and must be merged.

> Why not accept Alipay's dependency?

Registry is the core component of DS. So that it must be robust and
maintainable. The alipay's `jraft-rheakv-core` dependency obviously does not have
these conditions and it has a lot of CVEs. After using this dependency, every
time you fix a problem and CVE in the future, you need to rely on its upgrade,
and there may be incompatible updates during the upgrade process. This is
unacceptable for the core components.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.