While I agree that the main repo should have releases that update jackson to address that CVE, please keep that discussion out of this VOTE thread since jackson is not one of the dependencies we manage through the hbase-thirdparty repo.
On Wed, Sep 25, 2019 at 9:17 AM 张铎(Duo Zhang) <[email protected]> wrote:
>
> Both 2.2.x and 2.1.x, and there is a CVE for jackson now, so let's roll new
> releases soon...
>
> https://issues.apache.org/jira/browse/HBASE-23075
>
> Stack <[email protected]> wrote on Wed, Sep 25, 2019 at 10:14 PM:
>
> > (Thanks Ankit)
> >
> > What is plan then for HBase core releases? Will next 2.2 release use gson
> > in new location?
> >
> > S
> >
> > On Wed, Sep 25, 2019 at 4:15 AM Sean Busbey <[email protected]> wrote:
> >
> > > Ankit's got it. The reason I made this a major version bump instead of a
> > > minor is that existing use can't just change the version number to upgrade.
> > > Instead you have to add the shaded-gson dependency if you use gson.
> > >
> > > On Wed, Sep 25, 2019, 01:22 Ankit Singhal <[email protected]> wrote:
> > >
> > > > @Stack, it seems gson is excluded from miscellaneous[1] so you may require
> > > > new hbase-shaded-gson dependency in hbase-common/pom.xml to get it actually
> > > > working.
> > > >
> > > > [1]
> > > > https://github.com/apache/hbase-thirdparty/blame/master/hbase-shaded-miscellaneous/pom.xml#L107
> > > >
> > > > On Tue, Sep 24, 2019 at 8:18 PM Stack <[email protected]> wrote:
> > > >
> > > > > I tried to build against the thirdparty pom but got the below failure:
> > > > >
> > > > > Here is how I changed pom:
> > > > >
> > > > > [INFO] ------------------------------------------------------------------------
> > > > > [INFO] BUILD FAILURE
> > > > > [INFO] ------------------------------------------------------------------------
> > > > > [INFO] Total time: 44.578 s
> > > > > [INFO] Finished at: 2019-09-24T20:15:51-07:00
> > > > > [INFO] ------------------------------------------------------------------------
> > > > > [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.0:compile (default-compile) on project hbase-common: Compilation failure: Compilation failure:
> > > > > [ERROR] /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[24,51] package org.apache.hbase.thirdparty.com.google.gson does not exist
> > > > > [ERROR] /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[25,51] package org.apache.hbase.thirdparty.com.google.gson does not exist
> > > > > [ERROR] /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[26,51] package org.apache.hbase.thirdparty.com.google.gson does not exist
> > > > > [ERROR] /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[27,58] package
org.apache.hbase.thirdparty.com.google.gson.stream does not > > > exist > > > > > [ERROR] > > > > > > > > > > > > > > > > > > > /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[28,58] > > > > > package org.apache.hbase.thirdparty.com.google.gson.stream does not > > > exist > > > > > [ERROR] > > > > > > > > > > > > > > > > > > > /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[44,17] > > > > > cannot find symbol > > > > > [ERROR] symbol: class GsonBuilder > > > > > [ERROR] location: class org.apache.hadoop.hbase.util.GsonUtil > > > > > [ERROR] > > > > > > > > > > > > > > > > > > > /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[46,49] > > > > > cannot find symbol > > > > > [ERROR] symbol: class TypeAdapter > > > > > [ERROR] location: class org.apache.hadoop.hbase.util.GsonUtil > > > > > [ERROR] > > > > > > > > > > > > > > > > > > > /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[45,57] > > > > > cannot find symbol > > > > > [ERROR] symbol: variable LongSerializationPolicy > > > > > [ERROR] location: class org.apache.hadoop.hbase.util.GsonUtil > > > > > [ERROR] > > > > > > > > > > > > > > > > > > > /Users/stack/checkouts/hbase.apache.git/hbase-common/src/main/java/org/apache/hadoop/hbase/util/GsonUtil.java:[45,16] > > > > > cannot find symbol > > > > > [ERROR] symbol: class GsonBuilder > > > > > [ERROR] location: class org.apache.hadoop.hbase.util.GsonUtil > > > > > [ERROR] -> [Help 1] > > > > > [ERROR] > > > > > > > > > > > > > > > $ git diff pom.xml > > > > > diff --git a/pom.xml b/pom.xml > > > > > index 0c1eb0f559..c61b255d85 100755 > > > > > --- a/pom.xml > > > > > +++ b/pom.xml 
> > > > > @@ -1368,7 +1368,7 @@ > > > > > <surefire.version>2.22.2</surefire.version> > > > > > <wagon.ssh.version>2.12</wagon.ssh.version> > > > > > <xml.maven.version>1.0.1</xml.maven.version> > > > > > - <hbase-thirdparty.version>2.2.1</hbase-thirdparty.version> > > > > > + <hbase-thirdparty.version>3.0.0</hbase-thirdparty.version> > > > > > <!-- Intraproject jar naming properties --> > > > > > <!-- TODO this is pretty ugly, but works for the moment. > > > > > Modules are pretty heavy-weight things, so doing this work > > isn't > > > > too > > > > > bad. --> 
> > > > > @@ -3874,4 +3874,11 @@ > > > > > <url>file:///tmp</url> > > > > > </site> > > > > > </distributionManagement> > > > > > + <repositories> > > > > > + <repository> > > > > > + <id>test</id> > > > > > + <name>test</name> > > > > > + <url> > > > > > > > > https://repository.apache.org/content/repositories/orgapachehbase-1350/ > > > > > </url> > > > > > + </repository> > > > > > + </repositories> > > > > > </project> > > > > > > > > > > My expectation that I could slot in 3.0.0 and it would just work > > > should > > > > > hold? > > > > > > > > > > S > > > > > > > > > > On Sat, Sep 21, 2019 at 10:17 PM Sean Busbey <[email protected]> > > > wrote: > > > > > > > > > > > Please consider the following for the 3.0.0 release of Apache HBase > > > > > > Thirdparty. > > > > > > > > > > > > The only change since our prior 2.2.1 release moves our relocated > > > GSON > > > > > > library into its own artifact and ensures that that artifact can be > > > > > > used with JDK7 for branch-1 releases. > > > > > > > > > > > > Source artifact, signatures, checksums, and changes are available > > at: > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/hbase/hbase-thirdparty-3.0.0-RC0/ > > > > > > > > > > > > The release was made against tag 3.0.0RC0 which currently points at > > > ref > > > > > > 7bc3b10d118dd171c76ef7a4e8e79e91e99b740e > > > > > > > > > > > > Everything is signed with my key '0D80DB7C' which can be found > > here: > > > > > > > > > > > > https://dist.apache.org/repos/dist/release/hbase/KEYS > > > > > > > > > > > > Maven staging repository is available at: > > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachehbase-1350/ > > > > > > > > > > > > Since these artifacts don't really show up downstream until they're > > > > > > used in a main HBase release, I'd like to only run this vote as > > long > > > > > > as it takes to get enough binding votes if folks don't mind. 
> > > > > > I figure it's relatively easy for us to roll forward with another HBase
> > > > > > Thirdparty release if something comes up while trying to use it in a
> > > > > > main HBase release candidate.
> > > > > >
> > > > > > As of this email the relevant artifact sha512 checksum(s) are:
> > > > > >
> > > > > > hbase-thirdparty-3.0.0-src.tar.gz:
> > > > > > B6BA18F5 515E9B18 3079F7A3 65E68462 CC2571DB
> > > > > > 1A078141 06A94652 D5276713 E0C54FF5 1CC1C16D
> > > > > > B0E28F4A BD3D37A2 2106C295 B250F153 4FD172ED
> > > > > > CE3489FD
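
Review bot: in the `@@ -1368,7 +1368,7 @@` hunk of the quoted pom.xml diff, `hbase-thirdparty.version` moves from 2.2.1 to 3.0.0 with no accompanying dependency change, and the quoted build log shows `org.apache.hbase.thirdparty.com.google.gson` failing to resolve in hbase-common. Because this release moves the relocated gson into its own artifact, the property bump should land together with an hbase-shaded-gson dependency in hbase-common/pom.xml, and in any other module that imports the relocated gson packages.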
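
Review bot: in the `@@ -3874,4 +3874,11 @@` hunk of the quoted pom.xml diff, the `<repositories>` entry with id `test` points the root pom at the staging repository orgapachehbase-1350, so every module in the build can resolve unreleased release-candidate artifacts from it. This is fine for a local RC check but should not be committed: move it to a local settings.xml or an opt-in profile, give it a descriptive id instead of `test`, and remove it once the vote closes and the artifacts are published.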
