I think getting a 1.5.0 out with the Jackson change release noted is the
way to go for fixing the CVE issue. I would also like to move the stable
pointer to that release.

It seems to me that community effort on contorting the 1.4 or 1.3 line to
keep having releases in the face of the Jackson CVE would be better spent
on eliminating barriers to upgrade from those versions to 1.5.0, but I
wouldn't necessarily vote against someone who wanted to show up and do that
work (unless the proposed solution was to just ignore the problem).

I think it's reasonable for us as a community to announce EOL for those
branches upon release of 1.5.0 if we don't already have someone speaking up
to maintain them. As with any EOL branch some set of contributors could
seek to revive if they have a compelling-to-them use.

On Wed, Aug 7, 2019, 14:16 Andrew Purtell <[email protected]> wrote:

> The idea is to get a stable 1.5.0 out there and not necessarily release any
> more 1.3 and 1.4, ideally, not - and explicitly not address the Jackson
> issue in 1.3 and 1.4, unless like I asked you lot are ok with the patch as
> proposed. The advice for concerned parties would be "upgrade to 1.5".
>
> On Wed, Aug 7, 2019 at 12:11 PM Zach York <[email protected]>
> wrote:
>
> > I'm fine with eventually EOLing 1.3 and 1.4, but I don't think we can do it
> > until we know 1.5.0 is for sure coming out within a reasonable time and
> > will be stable (the current stable pointer is 1.4.10 so what would we move
> > that to?).
> >
> > I'm always a fan of reducing maintenance burden, but let's hold off on
> > officially EOLing until we know users have something to move to.
> >
> > On Wed, Aug 7, 2019 at 11:51 AM Andrew Purtell <[email protected]>
> > wrote:
> >
> > > Changing subject line for visibility.
> > >
> > > On Wed, Aug 7, 2019 at 11:48 AM Stack <[email protected]> wrote:
> > >
> > > > EOL'ing 1.3+1.4 sounds good to me.
> > > > S
> > > >
> > > > On Wed, Aug 7, 2019 at 10:46 AM Andrew Purtell <[email protected]>
> > > > wrote:
> > > >
> > > > > HBASE-22728 addresses theoretical exposure to a Jackson CVE by us (via
> > > > > hbase-rest) or to our downstream by removing Jackson artifacts from our
> > > > > exported transitive dependencies, and by updating hbase-rest to use a safe
> > > > > Jackson version. These changes are arguably not suitable for patch releases
> > > > > because they can cause a transitive binary compatibility problem. For this
> > > > > reason I would like us to consider immediate EOL of 1.3 and 1.4 with a
> > > > > recommendation to upgrade to 1.5.0.
> > > > >
> > > > > In order for that to happen, we need to commit HBASE-22728 to branch-1,
> > > > > then release 1.5.0 from head of branch-1, which I will do. Assuming test
> > > > > results are good I will propose a 1.5.0 release candidate in the next few
> > > > > days.
> > > > >
> > > > > Or would you find the HBASE-22728 change acceptable for a patch release?
> > > > >
> > > > > There are other good reasons to move on from 1.3 and 1.4, foremost a nice
> > > > > reduction in maintenance burden keeping up these old code lines.
> > > > >
> > > > > Are there any objections or concerns to this plan?
> > > > >
> > > > > --
> > > > > Best regards,
> > > > > Andrew
> > > > >
> > > > > Words like orphans lost among the crosstalk, meaning torn from truth's
> > > > > decrepit hands
> > > > >    - A23, Crosstalk
> > > > >
> > > >
> > >
> > >
> >
>
>
