[https://issues.apache.org/jira/browse/HADOOP-13386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17598291#comment-17598291]
ASF GitHub Bot commented on HADOOP-13386:
-----------------------------------------
steveloughran commented on PR #761:
URL: https://github.com/apache/hadoop/pull/761#issuecomment-1232726858
> If not can you please prioritize on updating the version to 1.11.0? We
> are using hadoop-common in our project and getting flagged for dependency on
> Avro version 1.7.7
This is a troublesome topic, one I [wrote up
recently](https://steveloughran.blogspot.com/2022/08/transitive-issues.html)
and called out Avro as an example.
Yes, we could change the Avro release version by changing a single file in
one of our POMs and cutting a new release.
However, this would break every single application with JARs which contained
compiled classes generated by a previous Avro release. All of them.
Everywhere. Which means people would not touch it, which means that point
releases needed to get our own CVEs fixed would not be adopted. Your concerns
would go from "flagged as an issue" to "our program doesn't work".
If you want to do a release with all dependencies patched you are free to do
so; within a single organisation you may be able to
rebuild everything. If you are trying to provide Hadoop apps/libraries which
need to be compatible at the binary level with code you can't control then I
think it would be good for you to get involved in the Hadoop project to help
work with us on better solutions. For the case of Avro we are going to have to
replicate what we do with Parquet and Guava: have our own private copy with all
our generated Avro classes modified to refer exclusively to that.
This is not a dismissive "yes we know", more a "yes, but how can we fix
it?" response. If someone was to work full time on this, it would be great. But
it will be work, which is why it's been neglected until now.
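The "private copy" approach described in the comment above is usually done with a Maven shade relocation: the dependency is repackaged into a jar under a project-owned package name, so it no longer collides with whatever Avro a downstream application ships. The following POM is an added illustration, not Hadoop's own build configuration or the hadoop-thirdparty project's; the artifact name `hadoop-shaded-avro-example` and the relocated package `org.apache.hadoop.thirdparty.avro` are assumptions chosen for the example.

```xml
<!-- Added example: shading Avro into a private, relocated package with
     maven-shade-plugin. Illustrative only; not Hadoop's build config.
     Artifact name and the org.apache.hadoop.thirdparty.avro package are
     assumptions for this example. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>hadoop-shaded-avro-example</artifactId>  <!-- assumed name -->
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.11.0</version>  <!-- the version asked for in the comment -->
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <!-- only bundle Avro itself; leave its transitive deps alone -->
              <artifactSet>
                <includes>
                  <include>org.apache.avro:avro</include>
                </includes>
              </artifactSet>
              <!-- rewrite every org.apache.avro reference inside the
                   bundled classes to the private package name -->
              <relocations>
                <relocation>
                  <pattern>org.apache.avro</pattern>
                  <shadedPattern>org.apache.hadoop.thirdparty.avro</shadedPattern>
                </relocation>
              </relocations>
              <!-- drop jar signature files, which would no longer match
                   the rewritten class bytes -->
              <filters>
                <filter>
                  <artifact>*:*</artifact>
                  <excludes>
                    <exclude>META-INF/*.SF</exclude>
                    <exclude>META-INF/*.DSA</exclude>
                    <exclude>META-INF/*.RSA</exclude>
                  </excludes>
                </filter>
              </filters>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The relocation only rewrites bytecode inside this shaded jar. Classes that Hadoop itself generates from Avro schemas are compiled against `org.apache.avro`, so they would have to be regenerated or rewritten to import the relocated package, which is the work the comment describes. Third-party jars compiled against plain `org.apache.avro` are untouched and keep resolving against whichever Avro sits on their own classpath, which is what preserves binary compatibility. To see how the old Avro is reaching a project in the first place, `mvn dependency:tree -Dincludes=org.apache.avro` prints just the paths through which it is pulled in.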
> Upgrade Avro to 1.9.2
> ---------------------
>
> Key: HADOOP-13386
> URL: https://issues.apache.org/jira/browse/HADOOP-13386
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: build
> Reporter: Ben McCann
> Assignee: PJ Fanning
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0
>
> Time Spent: 7h
> Remaining Estimate: 0h
>
> Avro 1.8.x makes generated classes serializable which makes them much easier
> to use with Spark. It would be great to upgrade Avro to 1.8.x
> Fix CVE-2021-43045
--
This message was sent by Atlassian Jira
(v8.20.10#820010)