Unless there's a published CVE for the current minimum lines, I'd say leave them as is.
Hadoop is usually good at keep this up to date as they announce CVEs: https://hadoop.apache.org/cve_list.html On Mon, Feb 3, 2020 at 4:36 PM Nick Dimiduk <[email protected]> wrote: > > Hello, > > I'd like to discuss the Hadoop versions we'll target for the 2.3 release > line. The topics up for discussion are: (1) what do we set as the > dependency versions in our poms as build defaults on each profile; and (2) > what is the breadth of testing to which we are able to commit for the > purposes of our compatibility matrix? > > Currently our pom has: > > <hadoop-two.version>2.8.5</hadoop-two.version> > <hadoop-three.version>3.1.2</hadoop-three.version> > > Regarding our Hadoop 2 dependency, it seems the Hadoop project no longer > lists 2.8.x on their release page [0], though my searches have not > materialized an EOL announcement. There is a thread [1] suggesting that > there will be just one more release on 2.8 after 2.8.5, dates from > September 2019. Is this reason enough to bump forward our Hadoop-2 > dependency, and if so, to what version? 2.9.2 seems a likely candidate, > however it looks like Duo's inquiry [2] as to the liveliness of that > release line has gone unanswered. 2.10.0 was release fairly recently, but > I've not seen anything to indicate that should be considered a stable > release. At this point, I'm prone to simply not touch it for 2.3. > > Regarding our Hadoop 3 dependency, 3.1.2 is the latest version on that > release line. Since then, we've seen the advent of 3.2.x. I can find no > indication of the 3.2.x series being labeled as "not production ready." > There's talk of Hadoop 3.3, which will supposedly bring JDK11 support, but > I don't think it matches our timelines for HBase 2.3. Is there a reason to > advance our Hadoop 3 dependency? Likewise, at this point, I'm prone to > simply not touch it for 2.3. > > Thoughts? > > Thanks, > Nick > > [0]: https://hadoop.apache.org/releases.html > [1]: > https://lists.apache.org/thread.html/ac7c53cf6f41d440d7ca120b2ea41fc5dc0f36041d4c03ee30d4e6d3%40%3Ccommon-dev.hadoop.apache.org%3E > [2]: > https://lists.apache.org/thread.html/0b1b5d80e6481796635c91e409dab0111387db3012d43357352108ec%40%3Ccommon-dev.hadoop.apache.org%3E
