[
https://issues.apache.org/jira/browse/HADOOP-16210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16848532#comment-16848532
]
Steve Loughran commented on HADOOP-16210:
-----------------------------------------
That Preconditions one is a real PITA. Because they added some new methods,
when you compile against it with the new library, you end up with .class files
which don't link, even if you don't use new methods.

I am really sorry, and feel the same pain myself. Enough to think: why do we
use Guava so much? I could write my own Preconditions class which wouldn't be
so brittle and which we could adopt in our code (same for commons-lang
StringUtils.isEmpty, BTW). Otherwise, I don't know what to do.

> Generally speaking, what would be the best path moving forward when such
> updates are introduced to the trunk?

We've tried to put off forcing Guava updates because it was transitively
traumatic, and even though we shipped with 11.x we moved off all classes
removed by 17.x so you could update. But we'd reached the limit with: Java lang
support, outstanding CVEs. And things we were starting to depend on were built
on later stuff... it wasn't sustainable.

> How can we carry that update seamlessly to open source products as well?

I don't think we can do it without: shading or Java 9 packaging. I'd personally
love to see how well we can do with Java 9 modules, as shading is its own mess.

> Update guava to 27.0-jre in hadoop-project trunk
> ------------------------------------------------
>
> Key: HADOOP-16210
> URL: https://issues.apache.org/jira/browse/HADOOP-16210
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 3.3.0
> Reporter: Gabor Bota
> Assignee: Gabor Bota
> Priority: Critical
> Fix For: 3.3.0
>
> Attachments: HADOOP-16210.001.patch,
> HADOOP-16210.002.findbugsfix.wip.patch, HADOOP-16210.002.patch,
> HADOOP-16210.003.patch
>
>
> com.google.guava:guava should be upgraded to 27.0-jre due to new CVEs found:
> CVE-2018-10237.
> This is a sub-task for trunk from HADOOP-15960 to track issues with that
> particular branch.
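
Added example, not part of the original comment or of Hadoop's code: a scanner that reads a compiled class's constant pool and lists the Preconditions.checkArgument/checkState references that an older Guava on the runtime classpath could not link, which is the failure the comment describes. The function names, the pre-20.0 descriptor set and the sample bytes are assumptions constructed for illustration.

```python
import struct

TARGET = "com/google/common/base/Preconditions"
# Assumption: checkArgument/checkState descriptors present before Guava 20.0.
OLD_DESCRIPTORS = {"(Z)V", "(ZLjava/lang/Object;)V",
                   "(ZLjava/lang/String;[Ljava/lang/Object;)V"}
# Payload size of each fixed-width constant-pool tag (JVMS section 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def method_refs(data):
    """Return (class, name, descriptor) for each Methodref in a class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                      # Utf8: u2 length, then bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag in (7, 10, 12):        # Class, Methodref, NameAndType
                fmt = ">H" if tag == 7 else ">HH"
                pool[i] = (tag,) + struct.unpack_from(fmt, data, pos)
            pos += FIXED[tag]
            i += tag in (5, 6)            # Long/Double occupy two slots
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        i += 1
    refs = []
    for e in pool.values():
        if isinstance(e, tuple) and e[0] == 10:
            nat = pool[e[2]]
            refs.append((pool[pool[e[1]][1]], pool[nat[1]], pool[nat[2]]))
    return refs

def needs_newer_guava(data):
    """Preconditions calls that an older Guava on the classpath cannot link."""
    return [r for r in method_refs(data) if r[0] == TARGET and r[2] not in
            OLD_DESCRIPTORS and r[1] in ("checkArgument", "checkState")]

def sample_class(descriptor):
    """Constructed sample: class-file header plus a six-entry constant pool."""
    utf = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = (utf(TARGET) + b"\x07\x00\x01" + utf("checkArgument")
            + utf(descriptor) + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05")
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + pool
```

Run needs_newer_guava over the bytes of each .class entry in a built jar; a non-empty result means that jar needs the newer Guava at runtime even if the source only uses the long-standing varargs call.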