+1 for maintaining Java 6 support in branch-2. Hadoop continuing to support Java 6 is not an endorsement of Java 6. It's an acknowledgement that many users of Hadoop 2 have Java 6 embedded in their stack, and that upgrading is costly for some users and simply not an option for others. If a similar vulnerability were to be discovered in a recent version of RHEL, I don't think it would make sense for Hadoop to drop that version as a supported platform.
Assuming that we want to maintain Java 6 compatibility in branch-2, it seems to me that we should do the same in trunk until we start seriously planning a release of Hadoop 3. Since we released 2.2 GA, trunk has mainly been used as a staging area for changes that will go into branch-2. The larger the divergence between trunk and branch-2, the higher the overhead for developers writing patches that need to go into both. Eventually we'll need to stomach this, but is there an advantage to doing so while Hadoop 3 is still remote?

-Sandy

On Tue, Apr 8, 2014 at 2:00 AM, Ottenheimer, Davi <davi.ottenhei...@emc.com> wrote:

> > From: Eli Collins [mailto:e...@cloudera.com]
> > Sent: Monday, April 07, 2014 11:54 AM
> >
> > IMO we should not drop support for Java 6 in a minor update of a stable release (v2). I don't think the larger Hadoop user base would find it acceptable that upgrading to a minor update caused their systems to stop working because they didn't upgrade Java. There are people still getting support for Java 6. ...
> >
> > Thanks,
> > Eli
>
> Hi Eli,
>
> Technically you are correct, those with extended support get critical security fixes for 6 until the end of 2016. I am curious whether many of those are in the Hadoop user base. Do you know? My guess is the vast majority are within Oracle's official public end of life, which was over 12 months ago. Even Premier support ended Dec 2013:
>
> http://www.oracle.com/technetwork/java/eol-135779.html
>
> The end of Java 6 support carries much risk. It has to be considered in terms of serious security vulnerabilities such as CVE-2013-2465 with CVSS score 10.0.
>
> http://www.cvedetails.com/cve/CVE-2013-2465/
>
> Since you mentioned "caused systems to stop" as an example of what would be a concern to Hadoop users, please note the CVE-2013-2465 availability impact:
>
> "Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)"
>
> This vulnerability was patched in Java 6 Update 51, but post end of life. Apple pushed out the update specifically because of this vulnerability (http://support.apple.com/kb/HT5717) as did some other vendors privately, but for the majority of people, using Java 6 means they have a ticking time bomb.
>
> Allowing it to stay should be considered in terms of accepting the whole risk posture.
>
> Davi