[ 
https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17565986#comment-17565986
 ] 

Ayush Saxena commented on HADOOP-18033:
---------------------------------------

[[email protected]] I have a PR which reverts the two commits here:

[https://github.com/apache/hadoop/pull/4544]

So, initial thought was to revert those commits and unblock the releases. 

Then HADOOP-18332 came up with revert 2 + move to Jackson 2.12.7, so we don't 
expose the CVE as well and remove the new jar which is creating problems. (Let 
me know if need separate commits, like 2 different revert commits & one 
upgrade, will do some CLI stuff with HADOOP-18332)

Both revert PR & the new PR have green builds, unfortunately I have a review 
comment on the new one but that is no big stuff and to me that is the final 
solution, unless other people come and block us. The plan was to try the Tez 
stuff as well with that change & ask the other folks who flagged Spark issues 
to try that as well, but considering the timelines, let's not spend too much 
time there...

{*}So, in best case should unblock the release by day after{*}, considering the 
build will take some 24 hours, if updated tomorrow.

Regarding trunk vs only branch-3.3, in favour of keeping all the branches in 
sync for now, otherwise if some change comes in trunk which uses this new jar, 
then we would be doing this revert exercise again and with new set of problems. 
Moreover no point in keeping the trunk also in broken state.

[~vjasani] regarding the effort due to this revert activity and so. The best 
offer I have is "I can help or worst get some help", maybe with some rebase 
effort, so this revert activity doesn't become an overhead for you.

> Upgrade fasterxml Jackson to 2.13.0
> -----------------------------------
>
>                 Key: HADOOP-18033
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18033
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>            Reporter: Akira Ajisaka
>            Assignee: Viraj Jasani
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.2
>
>          Time Spent: 6.5h
>  Remaining Estimate: 0h
>
> Spark 3.2.0 depends on Jackson 2.12.3. Let's upgrade to 2.12.5 (2.12.x latest 
> as of now) or upper.


