[ https://issues.apache.org/jira/browse/HADOOP-12579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097391#comment-15097391 ]
Kai Zheng commented on HADOOP-12579:
------------------------------------
bq. Sure. We should probably remove the PB wrappers in a follow-on change
rather than dealing with it here.
Thanks for confirming. I'd like to sort out my quick try-out and provide a
patch for some comments.
bq. there are many more times when it's simpler and less error-prone just to
use the types directly. The translation code is very verbose, which makes it
inconvenient to add or change anything, and has been a source of bugs in the
past when someone forgets to manually copy a field.
I agree. Manual copying, particularly for complex and deep structures, is
error-prone, with no mechanisms like tests to guard against it. I would explore
a bit in this direction, and probably find a small place for the initial
prototype to see the effect, considering the change and its impact are large overall.
> Deprecate and remove WriteableRPCEngine
> ---------------------------------------
>
> Key: HADOOP-12579
> URL: https://issues.apache.org/jira/browse/HADOOP-12579
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Haohui Mai
>
> The {{WriteableRPCEngine}} depends on Java's serialization mechanisms for RPC
> requests. Without proper checks, it has been shown that it can lead to security
> vulnerabilities such as remote code execution (e.g., COLLECTIONS-580,
> HADOOP-12577).
> The current implementation has migrated from {{WriteableRPCEngine}} to
> {{ProtobufRPCEngine}} now. This jira proposes to deprecate
> {{WriteableRPCEngine}} in branch-2 and to remove it in trunk.