[
https://issues.apache.org/jira/browse/HADOOP-19830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18062528#comment-18062528
]
Steve Loughran commented on HADOOP-19830:
-----------------------------------------
It's not shipped though; it's there to help people move from v1 plugins such as
credential providers to v2 equivalents, and the docs are explicit "add that v2
sdk". It's in the provided category.
https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.3/dependencies
We could look at removing it off trunk/3.6 simply to make the codebase leaner.
Are you seeing it ending up on your classpath?
> AWS SDK v1 dependencies in hadoop-aws library
> ---------------------------------------------
>
> Key: HADOOP-19830
> URL: https://issues.apache.org/jira/browse/HADOOP-19830
> Project: Hadoop Common
> Issue Type: Improvement
> Components: hadoop-aws
> Affects Versions: 3.4.3
> Reporter: Mykyta Danylchenko
> Priority: Major
>
> The `hadoop-aws`
> [library|https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws]
> contains a dependency on the `com.amazonaws:aws-java-sdk-core` library, which
> AWS no longer patches, including for security vulnerabilities. This forces
> every downstream consumer, for example
> [spark-core|https://mvnrepository.com/artifact/org.apache.spark/spark-core],
> to carry an end-of-life dependency with no remediation path, resulting in
> unpatched vulnerabilities and compliance failures.
> It would be great to replace `aws-java-sdk-core` with the equivalent
> counterpart from AWS SDK for Java 2.x.
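
One way to check whether SDK v1 ends up on a downstream classpath, as raised in the comment above. This is an added example, not part of the JIRA thread or of Hadoop. It parses `mvn dependency:tree` text and reports every `com.amazonaws` artifact with its scope and the chain that pulled it in. The tree below, the `com.example` artifacts and the `SAMPLE` versions are constructed.

```python
import re

# Constructed `mvn dependency:tree` output for a hypothetical downstream
# project. Versions marked SAMPLE are placeholders, not real releases.
SAMPLE_TREE = r"""
[INFO] com.example:etl-job:jar:0.1-SAMPLE
[INFO] +- org.apache.hadoop:hadoop-aws:jar:3.4.3:compile
[INFO] +- com.example:legacy-connector:jar:0.1-SAMPLE:compile
[INFO] |  \- com.amazonaws:aws-java-sdk-s3:jar:1.0-SAMPLE:compile
[INFO] |     \- com.amazonaws:aws-java-sdk-core:jar:1.0-SAMPLE:compile
[INFO] \- com.amazonaws:aws-java-sdk-sts:jar:1.0-SAMPLE:provided
[INFO] BUILD SUCCESS
"""

# Each tree level is drawn with a 3-character unit: "|  ", "   ", "+- ", "\- ".
LINE = re.compile(r"^\[INFO\] ((?:[| ] {2}|[+\\]- )*)(\S+:\S+)$")
# Scopes that are packaged with, and passed on by, the consuming project.
BUNDLED_SCOPES = {"compile", "runtime"}


def find_sdk_v1(tree_text, group="com.amazonaws"):
    """Return one finding per artifact of `group`, with scope and parent chain."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # banner, build status, blank line
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # groupId:artifactId:type[:classifier]:version:scope; the root has no scope
        scope = parts[-1] if len(parts) >= 5 else "root"
        coord = ":".join(parts[:2])
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(coord)
        if parts[0] == group:
            findings.append({
                "artifact": coord,
                "scope": scope,
                "bundled": scope in BUNDLED_SCOPES,
                "via": list(stack[1:-1]),  # ancestors below the project root
            })
    return findings


if __name__ == "__main__":
    for f in find_sdk_v1(SAMPLE_TREE):
        status = "BUNDLED" if f["bundled"] else "not bundled"
        print(f"{status:12} {f['artifact']} ({f['scope']}) via {f['via'] or 'direct'}")
```

An empty `via` means the project declares the artifact itself; a non-empty chain names the dependency to exclude or upgrade.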