I've come around to be in favor of bumping the default version for branch-2.6 and maintaining it up on the latest backward-compatible minor releases that we can. I arrive at this conclusion because we do not have the bandwidth as a community to make more frequent minor or major releases. That means the only way that we can stay ahead of the aggressive CVE train coming out of our massive dependency stack is to aggressively upgrade the deps.
I've given my +1 on HBASE-28980 for branch-2.6 Thanks, Nick On 2024/11/15 06:26:08 Istvan Toth wrote: > With Duo's fix for HBASE-28965 , there are no more known blockers. > > Should I go ahead with making 3.4.1 the default for branch-2.5 and > branch-2.6 ? > > On Tue, Nov 5, 2024 at 7:16 AM Istvan Toth <st...@cloudera.com> wrote: > > > I've just committed the - hopefully - last test change, so the nightlies > > will not always fail on the packaging tests. > > > > All non-released branches (i.e. 2.7+ now default to building with 3.4.1). > > > > I wanted to revisit updating the default version on the released (2.5, > > 2.6) branches, because Nick has expressed concerns about it. > > > > The dev tests are good (the test failures seem to be "normal" flakies). As > > we've not updated the default version, we're not yet running the packaging > > tests > > on branch-2.5 and 2.6 against the older Hadoop versions, but we do on the > > rest of branches, and if we update it, we will also run them on 2.5 and 2.6. > > > > Without repeating the arguments I have already made for it, I want to add > > a new one: > > > > Security and CVEs are getting more and more emphasis, which is great, but > > has some drawbacks. > > While the proliferation of static analyzers leads to a lot of frustrating > > CVE witch hunts and false positives, the majority of users cannot evaluate > > the actual security impact, > > or even if they can, they are tied by inflexible policies. > > > > We at Phoenix had recent security discussions with Trino, and ended up > > having to dependencyManage the transitive Hadoop dependencies in our shaded > > uberjar to address their concerns. > > (Which is an antipattern) > > > > While updating the Hadoop version in a patch release undoubtedly increases > > the risk of regressions, IMO we are protected by the Hadoop backwards > > compatibility promises, and we have added a reasonable number of tests to > > catch any issues. I am confident in our test coverage when building HBase > > with any of the supported HBase versions. We also have the packaging > > (smoke) tests for running the official binaries against earlier Hadoop > > clusters, which would catch (some of) the Hadoop wire api incompatibilities > > . > > > > However, IMO not updating Hadoop is net negative to the project's health, > > as the binary (maven or assembly) releases are used primarily either by > > other libraries interfacing with HBase, or by new users, POC clusters, etc. > > and these are the use cases where the transitive CVEs can prevent projects > > from adding (or maintaining as in the case of Trino) HBase support, or > > discourage new users from adopting HBase. > > > > Obviously, I have a very skewed view of HBase users, but I think that most > > production HBase users either use a vendor or cloud provider version, or > > have enough in-house expertise to rebuild HBase with their Hadoop version > > if something goes wrong (despite the Hadoop backwards compatibility > > promises) > > > > > > > > > > > > On Wed, Oct 30, 2024 at 12:41 PM Istvan Toth <st...@cloudera.com> wrote: > > > >> Thanks! > >> > >> I will backport the test changes, but keep the default Hadoop version. > >> > >> We will have more information then. > >> > >> Istvan > >> > >> On Wed, Oct 30, 2024 at 10:22 AM Nick Dimiduk <ndimi...@apache.org> > >> wrote: > >> > >>> On Mon, Oct 28, 2024 at 11:00 AM Istvan Toth <st...@cloudera.com.invalid> > >>> wrote: > >>> > > >>> > I have looked at branch-2.5, but the nightly looks off there, as it > >>> runs > >>> > the packaging tests with Hadoop 3.1.1, which it doesn't even > >>> officially > >>> > support anymore. > >>> > > >>> > What should we do with branch-2.5 ? > >>> > > >>> > I think that it would not be a lot of extra work to backport > >>> everything, > >>> > both the backwards compatibility tests and defaulting Hadoop to 3.4.1. > >>> > We just have to update the version in the pom, and add 3.2.4 to the > >>> list of > >>> > versions to test for backwards compatibility and integration (and > >>> remove > >>> > 3.1.1). > >>> > > >>> > I would prefer to have uniform tests and default to Hadoop 3.4.1 on all > >>> > active branches. > >>> > Having a (few) final 2.5.x release(s) with tested Hadoop 3.4.x support > >>> may > >>> > be useful for users for migration and CVE mitigation purposes. > >>> > > >>> > WDYT ? > >>> > >>> branch-2.5's default hadoop3 version is 3.2.4. That's a big dependency > >>> to change for a patch release. I don't think that we can get away with > >>> that change and maintain our compatibility obligations. I'm not up to > >>> speed on the current state of CVEs for this older (EOL?) version, so > >>> we have that dimension to consider. If the newer version is "drop-in" > >>> compatible (and only if), then I have no issue with moving that > >>> release line forward. Ultimately it's the release manager for 2.5 to > >>> make a determination, so I defer to Andrew's assessment. > >>> > >>> I am in favor of backing-porting the improved testing coverage you've > >>> added to branch-2.5. It would be great to understand if branch-2.5 (1) > >>> compiled against 3.2.4 will run on Hadoop 3.4.1 and (2) builds and > >>> tests out on 3.4.1. That will give the more security-minded users > >>> additional confidence in bumping their hadoop dependency on their own. > >>> > >>> Thanks, > >>> Nick > >>> > >>> > On Mon, Oct 21, 2024 at 6:54 PM Istvan Toth <st...@cloudera.com> > >>> wrote: > >>> > > >>> > > We could also move the default to 3.4.1 directly. > >>> > > We already test for 3.4.0 in the nightly job. > >>> > > > >>> > > On Mon, Oct 21, 2024 at 3:49 PM 张铎(Duo Zhang) <palomino...@gmail.com > >>> > > >>> > > wrote: > >>> > > > >>> > >> And seems hadoop 3.4.1 is out. we could see whether to bump to this > >>> > >> version later? > >>> > >> > >>> > >> Istvan Toth <st...@cloudera.com.invalid> 于2024年10月21日周一 20:56写道: > >>> > >> > > >>> > >> > I have merged the new tests to the nightly Jenkins runs on master. > >>> > >> > > >>> > >> > They have identified another 3.4.0 incompatibility: > >>> > >> > HBASE-28929 <https://issues.apache.org/jira/browse/HBASE-28929> > >>> > >> > > >>> > >> > I will hold off backporting the test changes until HBASE-28929 is > >>> > >> resolved. > >>> > >> > >>> > > > >>> > > > >>> > > -- > >>> > > *István Tóth* | Sr. Staff Software Engineer > >>> > > *Email*: st...@cloudera.com > >>> > > cloudera.com <https://www.cloudera.com> > >>> > > [image: Cloudera] <https://www.cloudera.com/> > >>> > > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > >>> > > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > >>> > > Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> > >>> > > ------------------------------ > >>> > > ------------------------------ > >>> > > > >>> > > >>> > > >>> > -- > >>> > *István Tóth* | Sr. Staff Software Engineer > >>> > *Email*: st...@cloudera.com > >>> > cloudera.com <https://www.cloudera.com> > >>> > [image: Cloudera] <https://www.cloudera.com/> > >>> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > >>> > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > >>> Cloudera > >>> > on LinkedIn] <https://www.linkedin.com/company/cloudera> > >>> > ------------------------------ > >>> > ------------------------------ > >>> > >> > >> > >> -- > >> *István Tóth* | Sr. Staff Software Engineer > >> *Email*: st...@cloudera.com > >> cloudera.com <https://www.cloudera.com> > >> [image: Cloudera] <https://www.cloudera.com/> > >> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > >> Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > >> Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> > >> ------------------------------ > >> ------------------------------ > >> > > > > > > -- > > *István Tóth* | Sr. Staff Software Engineer > > *Email*: st...@cloudera.com > > cloudera.com <https://www.cloudera.com> > > [image: Cloudera] <https://www.cloudera.com/> > > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > > Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> > > ------------------------------ > > ------------------------------ > > > > > -- > *István Tóth* | Sr. Staff Software Engineer > *Email*: st...@cloudera.com > cloudera.com <https://www.cloudera.com> > [image: Cloudera] <https://www.cloudera.com/> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera > on LinkedIn] <https://www.linkedin.com/company/cloudera> > ------------------------------ > ------------------------------ >
