EOL'ing 1.3+1.4 sounds good to me.
S

On Wed, Aug 7, 2019 at 10:46 AM Andrew Purtell <[email protected]> wrote:
> HBASE-22728 addresses theoretical exposure to a Jackson CVE by us (via
> hbase-rest) or to our downstream by removing Jackson artifacts from our
> exported transitive dependencies, and by updating hbase-rest to use a safe
> Jackson version. These changes are arguably not suitable for patch releases
> because they can cause a transitive binary compatibility problem. For this
> reason I would like us to consider immediate EOL of 1.3 and 1.4 with a
> recommendation to upgrade to 1.5.0.
>
> In order for that to happen, we need to commit HBASE-22728 to branch-1,
> then release 1.5.0 from head of branch-1, which I will do. Assuming test
> results are good I will propose a 1.5.0 release candidate in the next few
> days.
>
> Or would you find the HBASE-22728 change acceptable for a patch release?
>
> There are other good reasons to move on from 1.3 and 1.4, foremost a nice
> reduction in maintenance burden keeping up these old code lines.
>
> Are there any objections or concerns to this plan?
>
> --
> Best regards,
> Andrew
>
> Words like orphans lost among the crosstalk, meaning torn from truth's
> decrepit hands
> - A23, Crosstalk
