[ 
https://issues.apache.org/jira/browse/HADOOP-13363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16928288#comment-16928288
 ] 

Vinayakumar B commented on HADOOP-13363:
----------------------------------------

bq. Release process: can it be issued by the ASF?
[~stack]/[~anu] any update on this from your end as you already have experience 
in this area?

bq. shading complicates CVE tracking. We need to have a process for listing 
what is shaded. Maybe by creating some manifest file, after agreeing with our 
peer projects what such a manifest could look like
Yes. There is a need for such a manifest file. I will check what can be done. 
Maybe this is applicable for 'hadoop-client-runtime' shading as well. 

bq. at some point soon 2020? we will have to think about making java 9 the 
minimum version for branch-3. At which point we can all embrace java 9 modules. 
I don't want to box us in for maintaining a shaded JAR forever in that world
I didn't get the relation between the shaded jar and the Java 9 upgrade. Can 
you please elaborate?

bq. As discussed above, Yetus-update is not required. I think we need to modify 
dev-support/docker/Dockerfile to install the correct version of protocol 
buffers, or protoc maven approach. Sorry for the late reply.
[~aajisaka], Yes, if it is only a protobuf version upgrade, then the changes 
will be in the docker file.
But as I explained above, shaded dependency jar can be maintained within 
Hadoop's repo as a submodule activated using a profile. In this case, changes 
in the build step will be required, to build shaded dependency first, before 
executing 'mvn compile' with patch. 
This is because, with patch, there is no "mvn install" executed on root. So 
latest shaded jar will not be available in local repo.

> Upgrade protobuf from 2.5.0 to something newer
> ----------------------------------------------
>
>                 Key: HADOOP-13363
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13363
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2
>            Reporter: Allen Wittenauer
>            Assignee: Vinayakumar B
>            Priority: Major
>              Labels: security
>         Attachments: HADOOP-13363.001.patch, HADOOP-13363.002.patch, 
> HADOOP-13363.003.patch, HADOOP-13363.004.patch, HADOOP-13363.005.patch
>
>
> Standard protobuf 2.5.0 does not work properly on many platforms.  (See, for 
> example, https://gist.github.com/BennettSmith/7111094 ).  In order for us to 
> avoid crazy work arounds in the build environment and the fact that 2.5.0 is 
> starting to slowly disappear as a standard install-able package for even 
> Linux/x86, we need to either upgrade or self bundle or something else.


