On Tue, Oct 23, 2018 at 9:44 AM Sean Busbey <[email protected]> wrote:
> I can get behind more aggressively updating our dependencies to avoid
> CVEs. I don't think we should do this in maintenance releases though.
> Maintenance releases are meant to be extremely low risk for downstream
> users. Despite our efforts to date upgrading a dependency is still
> disruptive, especially when it's Hadoop. CVEs carry with them a needed
> context for something to be an issue. That context almost never covers
> all possible deployment scenarios and we should leave it to downstream
> users to decide if the risk / reward trade off justifies the
> dependency update. Asking folks who think the risk is worth it to bump
> up a minor HBase version or patch their deployment locally is a
> reasonable trade off IMHO.
>

This seems reasonable to me. I'd apply HBASE-20970 to branch-2.2 and skip
adding it on branch-2.1 since we've pulled a 2.1.0 from here already.

Do we need to start our own little CVE poster board on the website? We
could use it to also point at similar in our dependencies.

S

> I think I have the Hadoop PMC on board for publicizing impacted
> versions on CVE-2018-8009 specifically. Give me a couple of days to
> get that out in whatever form so that everyone in this discussion has
> a more level field?
>
> On Mon, Oct 22, 2018 at 9:07 PM 张铎(Duo Zhang) <[email protected]>
> wrote:
> >
> > I believe if there is a CVE for any of the dependencies we should try to
> > upgrade it, and IIRC there is an issue about finding these dependencies
> > out automatically. We haven't done this before does not mean ignoring a
> > CVE is the correct way, it is just because no one takes care of it...
> >
> > And the hadoop team has stated the versions which are vulnerable, all
> > versions before 2.7.7, 2.8.5, 2.9.2 (not released yet?), 3.0.3 and 3.1.1.
> > Not sure if they have published this out to the public, but as you can
> > see the url provided by me above, it is already public, so it does not
> > matter whether the hadoop team has published or not...
> >
> > On Tue, Oct 23, 2018 at 9:50 AM, Sean Busbey <[email protected]> wrote:
> >
> > > Has the Hadoop PMC put out a public notice on the impact of that CVE
> > > yet? Specifically have they stated what versions are vulnerable? Are we
> > > flagging all versions impacted by it as "HBase says keep away"?
> > >
> > > Is there some reason this particular CVE especially impacts users of
> > > HBase? I presume not since we're talking about this on dev@ and in JIRA
> > > instead of on private@.
> > >
> > > Why are we reacting to this CVE when we don't seem to react to any
> > > other Hadoop CVEs? Or is this the start of a change wrt that?
> > >
> > > What about other dependencies with open CVEs?
> > >
> > > On Mon, Oct 22, 2018, 20:33 张铎(Duo Zhang) <[email protected]> wrote:
> > >
> > > > See here:
> > > >
> > > > https://access.redhat.com/security/cve/cve-2018-8009
> > > >
> > > > All 2.7.x releases before 2.7.7 have the problem. And for 2.6.x, the
> > > > hadoop team seems to drop the support as there has been no release for
> > > > about two years, so either we keep the original support versions, or
> > > > we just drop the support for the 2.6.x release line.
> > > >
> > > > On Tue, Oct 23, 2018 at 8:51 AM, Zach York <[email protected]> wrote:
> > > >
> > > > > What is the main reason for the change? Build time speedup?
> > > > >
> > > > > Any reason for testing all of the 2.6.x line, but not the 2.7.x
> > > > > line? We don't check at all for 2.8.x?
> > > > >
> > > > > Can we be more consistent with how we test compatibility? (Do we
> > > > > only care about the latest patch release in a line?)
> > > > >
> > > > > Sorry if I'm missing some of the reasoning, but at a surface level
> > > > > it seems fairly arbitrary which releases we are cutting.
> > > > >
> > > > > On Mon, Oct 22, 2018 at 5:44 PM Sean Busbey <[email protected]>
> > > > > wrote:
> > > > >
> > > > > > Please leave me time to review before it is committed.
> > > > > >
> > > > > > On Mon, Oct 22, 2018, 13:58 Stack <[email protected]> wrote:
> > > > > >
> > > > > > > Duo has a patch up on HBASE-20970 that changes the Hadoop
> > > > > > > versions we check at build time. Any objections to committing
> > > > > > > to branch-2.1+?
> > > > > > >
> > > > > > > It makes the following changes:
> > > > > > >
> > > > > > > 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.1 2.7.2 2.7.3 2.7.4
> > > > > > >
> > > > > > > becomes
> > > > > > >
> > > > > > > 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.7
> > > > > > >
> > > > > > > And...
> > > > > > >
> > > > > > > 3.0.0
> > > > > > >
> > > > > > > goes to
> > > > > > >
> > > > > > > 3.0.3
> > > > > > >
> > > > > > > Shout if you are against the change else will commit tomorrow.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > S
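The thread above names the first Hadoop release on each line that carries the CVE-2018-8009 fix (2.7.7, 2.8.5, 2.9.2, 3.0.3, 3.1.1) and lists the Hadoop versions HBase checks at build time before and after HBASE-20970. The following Python script is an added example, not code from the HBase or Hadoop projects or from anyone in the thread: it takes those fix versions as given and classifies a build-matrix version list against them, so a maintainer can see which entries in a check list predate the fix. The status names, the `FIRST_FIXED` table layout, the version regex and the sample matrices are all assumptions for illustration; a line with no listed fix (2.6.x, which the thread says has had no release in about two years, or a line newer than the ones named) is reported as "no-fix-listed" rather than treated as safe, because the thread gives no information about it.

```python
"""Classify Hadoop version strings against the CVE-2018-8009 fix releases
named in the mailing-list thread (added example; not project code)."""
from __future__ import annotations

import re
from typing import NamedTuple

# First patch release carrying the fix on each minor line, as stated in
# Duo Zhang's message (2.9.2 was noted as "not released yet?" at the time).
# Assumption: lines absent from this table get no verdict either way.
FIRST_FIXED: dict[tuple[int, int], int] = {
    (2, 7): 7,
    (2, 8): 5,
    (2, 9): 2,
    (3, 0): 3,
    (3, 1): 1,
}

# Accepts "major.minor.patch" with an optional suffix such as "-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.\-]*)?$")


class Verdict(NamedTuple):
    version: str
    status: str  # "fixed", "vulnerable", "no-fix-listed" or "invalid"
    first_fixed: str | None  # fix release on this line, if the thread lists one


def parse_version(version: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def check_version(version: str) -> Verdict:
    """Compare one version with the first fixed release on its minor line."""
    parsed = parse_version(version)
    if parsed is None:
        return Verdict(version, "invalid", None)
    major, minor, patch = parsed
    fixed_patch = FIRST_FIXED.get((major, minor))
    if fixed_patch is None:
        # No fix named for this line in the thread (the 2.6.x case, or a
        # line newer than those listed): do not guess, report it separately.
        return Verdict(version, "no-fix-listed", None)
    first_fixed = f"{major}.{minor}.{fixed_patch}"
    status = "fixed" if patch >= fixed_patch else "vulnerable"
    return Verdict(version, status, first_fixed)


def check_build_matrix(versions: list[str]) -> dict[str, list[str]]:
    """Group a build-time check list by verdict, preserving list order."""
    grouped: dict[str, list[str]] = {}
    for v in versions:
        grouped.setdefault(check_version(v).status, []).append(v)
    return grouped


# Constructed sample input: the before/after lists quoted from the thread.
MATRIX_BEFORE = ["2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5",
                 "2.7.1", "2.7.2", "2.7.3", "2.7.4", "3.0.0"]
MATRIX_AFTER = ["2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.7", "3.0.3"]

if __name__ == "__main__":
    for label, matrix in (("before HBASE-20970", MATRIX_BEFORE),
                          ("after HBASE-20970", MATRIX_AFTER)):
        print(f"{label}:")
        for status, members in check_build_matrix(matrix).items():
            print(f"  {status:14s} {' '.join(members)}")
```

Run as a script it prints the two groupings; the "before" list shows every 2.7.x and the 3.0.0 entry as vulnerable, the "after" list shows only 2.6.x entries left without a listed fix, which is exactly the open question (keep or drop the 2.6.x line) the thread leaves unresolved.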
