I see you filed HADOOP-17083
<https://issues.apache.org/jira/browse/HADOOP-17083> for the same

I started a thread a while ago in the Hadoop dev mailing list to share my
experience adopting guava27.  Simply porting HADOOP-15960
<https://issues.apache.org/jira/browse/HADOOP-15960> to branch-2 will break
miserably because all downstream applications will not compile/run. It took
us half a year to get it harmonized across Cloudera's stack and I don't
want to see you spending time on that.

I feel the better approach is HADOOP-16924
<https://issues.apache.org/jira/browse/HADOOP-16924> where we shade and
then update guava. There is more work inside Hadoop to change references to
the shaded guava classpath, but it'll save you more time later.

On Tue, Jun 23, 2020 at 9:09 AM Ahmed Hussein <a...@ahussein.me> wrote:

> Hi folks,
> I was looking into upgrading guava to  27.0-jre on branch-2.10 in order to
> address the vulnerabilities reported as CVE-2018-10237
> <https://nvd.nist.gov/vuln/detail/CVE-2018-10237>.
> Since there are concerns using Java8, the plan is to stick to JDK7.
> Obviously, it is expected that the upgrade will break downstream projects.
> I opened this for discussion to get feedback and make sure that we have
> common ground to address the security of vulnerabilities.
> Let me know WDYT.
> --
> Best Regards,
> *Ahmed Hussein, PhD*

Reply via email to