[ https://issues.apache.org/jira/browse/HADOOP-16485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16899654#comment-16899654 ]
Steve Loughran commented on HADOOP-16485:
-----------------------------------------

It is tagged @Private/Evolving and mostly gets used for
* conversion to/from a map. This is something json can do. Uses: KMS, hadoop-azure, ..
* in hadoop-aws, ser/deser of the s3a committer .pendingset and _SUCCESS files. These (private) classes can be changed however we want; I'd prefer the persistence formats to stay the same but that's all.
* hadoop-registry persistence of records in ZK. Again, whatever changes needed for gson are viable there.

> Remove dependency on jackson
> ----------------------------
>
> Key: HADOOP-16485
> URL: https://issues.apache.org/jira/browse/HADOOP-16485
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Wei-Chiu Chuang
> Priority: Major
>
> Looking at git history, there were 5 commits related to updating jackson
> versions due to various CVEs since 2018. And it seems to get worse more
> recently.
> File this jira to discuss the possibility of removing jackson dependency once
> and for all. I see that jackson is deeply integrated into Hadoop codebase, so not
> a trivial task. However, if Hadoop is forced to make a new set of releases
> because of Jackson vulnerabilities, it may start to look not so costly.
> At the very least, consider stripping jackson-databind code, since that's
> where the majority of CVEs come from.