nao-it commented on PR #5435:
URL: https://github.com/apache/hadoop/pull/5435#issuecomment-1446141140

   > Right,
   > 
   > I have just done the x86 RC this weekend and I am doing the arm64 one right now, and with a goal of putting the RC2 out for a vote by about 17:00 UTC.
   > 
   > Is the CVE something to which Hadoop is actually vulnerable?
   > 
   > Because we have lots of other issues and trying to keep every single transient jar up to date is a losing battle. If I hold off it will cost time and then something else will come up and I absolutely want to get this up for a vote by tomorrow. Also, last-minute JAR updates are incredibly dangerous: nobody will have any time to have tested the release for regressions. I am scared of them.
   > 
   > I want to get this release out the way and then we can start worrying about what we do in a follow-up in a few months' time - which can absolutely take this update as it gives us the time to make sure this update works.
   > 
   > So, please make the case for why this CVE should force the cancelling of the in-progress RC. Otherwise, given all the other pressing issues we have to fix in this release, I really want to say no.
   
   I don't have to jump on the outgoing train, you can put a fix in the next release, since the RC for the current one is already available.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

