HBASE-22728 addresses theoretical exposure to a Jackson CVE by us (via
hbase-rest) or to our downstream by removing Jackson artifacts from our
exported transitive dependencies, and by updating hbase-rest to use a safe
Jackson version. These changes are arguably not suitable for patch releases
because they can cause a transitive binary compatibility problem. For this
reason I would like us to consider immediate EOL of 1.3 and 1.4 with a
recommendation to upgrade to 1.5.0.

In order for that to happen, we need to commit HBASE-22728 to branch-1,
then release 1.5.0 from head of branch-1, which I will do. Assuming test
results are good I will propose a 1.5.0 release candidate in the next few
days.

Or would you find the HBASE-22728 change acceptable for a patch release?

There are other good reasons to move on from 1.3 and 1.4, foremost a nice
reduction in maintenance burden keeping up these old code lines.

Are there any objections or concerns to this plan?

-- 
Best regards,
Andrew

Words like orphans lost among the crosstalk, meaning torn from truth's
decrepit hands
   - A23, Crosstalk
