Thanks Yi!

On Thu, Aug 3, 2023 at 7:44 AM Yi Hu <ya...@google.com> wrote:
> Hi Hong,
>
> Thanks for bringing this up. Sure, I would like to volunteer to work as release manager [1] to vendor guava 32.1.2-jre. Created GitHub Issue for tracking [2].
>
> Regards,
> Yi
>
> [1] https://s.apache.org/beam-release-vendored-artifacts
> [2] https://github.com/apache/beam/issues/27801
>
> On Mon, Jul 31, 2023 at 1:08 PM Ahmet Altay via dev <dev@beam.apache.org> wrote:
>> Hi Hong,
>>
>> Thank you for reaching out and thank you for offering to help. If you can start the PR and do the testing, one of the committers could help with the process.
>>
>> Thank you!
>> Ahmet
>>
>> On Mon, Jul 31, 2023 at 9:13 AM Hong Teoh <hlteo...@gmail.com> wrote:
>>> Hi all,
>>>
>>> The current version of guava that is vended in Beam is com.google.guava:guava:26.0-jre.
>>>
>>> This version is really old, and has active vulnerabilities [1] [2]
>>> [1] https://mvnrepository.com/artifact/com.google.guava/guava/26.0-jre
>>> [2] CVE-2023-2976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
>>> [3] CVE-2020-8908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
>>>
>>> Is there anyone else keen on upgrading the vended guava version to match the guava version of 32.1.1-jre? [4]
>>> [4] https://github.com/apache/beam/blame/df6964aac62a521081481b21c96ecd506ea3c503/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L542
>>>
>>> I am happy to contribute the PR to upgrade the guava dependencies in the Beam repository, but I would need a committer to drive the release of the vended version first! [5]
>>> [5] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog
>>>
>>> Side question: Does anyone know why we have libraries that use the non-vended guava version? [6]
>>> [6] https://github.com/search?q=repo%3Aapache%2Fbeam%20library.java.guava&type=code
>>
>> @Kenneth Knowles <k...@google.com> - might know.
>>
>>> Regards,
>>> Hong