steveloughran commented on PR #761: URL: https://github.com/apache/hadoop/pull/761#issuecomment-1232726858
> If not can you please prioritize on updating the version to 1.11.0? We are using hadoop-common in our project and getting flagged for dependency on Avro version 1.7.7

This is a troublesome topic, one I [wrote up recently](https://steveloughran.blogspot.com/2022/08/transitive-issues.html) and called out Avro as an example.

Yes, we could change the Avro release version by changing a single file in one of our POMs and cutting a new release. However, this would break every single application with JARs which contained compiled classes generated by a previous Avro release. All of them. Everywhere. Which means people would not touch it, which means that point releases needed to get our own CVEs fixed would not be adopted. Your concerns would go from "flagged as an issue" to "our program doesn't work".

If you want to do a release with all dependencies patched you are free to do so; within a single organisation you may be able to rebuild everything. If you are trying to provide Hadoop apps/libraries which need to be compatible at the binary level with code you can't control, then I think it would be good for you to get involved in the Hadoop project to help work with us on better solutions.

For the case of Avro we are going to have to replicate what we do with Parquet and Guava: have our own private copy with all our generated Avro classes modified to refer exclusively to that.

This is not a dismissive "yes we know", more a "yes, but how can we fix it?" response. If someone was to work full time on this, it would be great. But it will be work, which is why it's been neglected until now.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
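The "private copy" approach the comment refers to (what Hadoop does for Parquet and Guava) is normally done by bundling the dependency into a separate artifact and relocating its packages, so that the bundled copy can be upgraded without changing the public `org.apache.avro` classes that downstream JARs were compiled against. The following maven-shade-plugin fragment is an added illustration of that relocation pattern; it is not Hadoop's own build configuration, and the artifact coordinates, the `org.example.thirdparty` package prefix and the Avro version are assumptions chosen for the example.

```xml
<!-- Added example, not part of the Hadoop build: a "thirdparty" module
     that ships its own relocated copy of Avro. Any class bundled into this
     JAR (including generated Avro classes placed in this module) has its
     bytecode references rewritten from org.apache.avro to the private
     package, so it no longer depends on whichever Avro the consumer has. -->
<project>
  <groupId>org.example</groupId>                 <!-- assumed coordinates -->
  <artifactId>example-thirdparty-avro</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.11.0</version>                  <!-- the version being asked for -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <!-- Only bundle Avro (and its runtime deps); keep everything else external. -->
              <artifactSet>
                <includes>
                  <include>org.apache.avro:avro</include>
                  <include>com.fasterxml.jackson.core:*</include>
                </includes>
              </artifactSet>
              <!-- The relocation is the whole point: the public org.apache.avro
                   classes on the consumer's classpath are left untouched. -->
              <relocations>
                <relocation>
                  <pattern>org.apache.avro</pattern>
                  <shadedPattern>org.example.thirdparty.avro</shadedPattern>
                </relocation>
                <relocation>
                  <pattern>com.fasterxml.jackson</pattern>
                  <shadedPattern>org.example.thirdparty.jackson</shadedPattern>
                </relocation>
              </relocations>
              <!-- Drop signature files that would be invalid after rewriting classes. -->
              <filters>
                <filter>
                  <artifact>*:*</artifact>
                  <excludes>
                    <exclude>META-INF/*.SF</exclude>
                    <exclude>META-INF/*.DSA</exclude>
                    <exclude>META-INF/*.RSA</exclude>
                  </excludes>
                </filter>
              </filters>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The caveat is the one the comment spells out: relocation only helps if every class that uses the private copy is itself compiled (or rewritten) against the relocated package, which for Avro means the project's own generated classes have to be regenerated or shaded too. Downstream JARs that carry their own classes generated by an older Avro keep working because the unshaded `org.apache.avro` they were compiled against is still whatever they put on the classpath. A dependency scanner will then report the shaded module's Avro version by its manifest or embedded `pom.properties`, so the bundled version still has to be kept current; it is just decoupled from the public API.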
