I am in favor of shading Jetty as well, if we can. The caveat being "if we can".
On Mon, Feb 24, 2020 at 2:11 PM Wei-Chiu Chuang <[email protected]> wrote: > Forgot to share a few past attempts: > > 1. HBASE-18224 <https://issues.apache.org/jira/browse/HBASE-18224 > >Upgrade > jetty > > > 1. HBASE-19390 <https://issues.apache.org/jira/browse/HBASE-19390 > >Revert > to older version of Jetty 9.3 > > > 1. HBASE-19256 <https://issues.apache.org/jira/browse/HBASE-19256> [ > hbase-thirdparty] shade jetty > > > On Mon, Feb 24, 2020 at 2:06 PM Wei-Chiu Chuang <[email protected]> > wrote: > > > Hi, > > > > While I work on this jira HBASE-23834 > > <https://issues.apache.org/jira/browse/HBASE-23834> (HBase fails to run > > on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch) and I realized > > this was attempted before. But it simply doesn't work when you have > Hadoop > > and HBase on different Jetty minor versions (9.3 / 9.4) unless Jetty is > > shaded in HBase (or Hadoop). > > > > We should update Jetty in HBase for sure. 9.3 has known security > > vulnerabilities and not fixed until 9.4. > > > > Given that hbase-thirdparty is the standard practice to place > > thirdparty jars, should we also shade Jetty into hbase-thirdparty? > > > > >
