Okay, let's go for it, István. This will be our policy for active release lines going forward. Go ahead with your patches and please update the compatibility guidelines in the book relating to supported Hadoop versions and CVE mitigation, as appropriate.

Thanks,
Nick

On Thu, Jan 9, 2025 at 7:57 AM Andrew Purtell <andrew.purt...@gmail.com> wrote:
>
> I have not been following. I’ve been away for a while and am getting back up
> to speed. Thanks for summarizing the discussion so far.
>
> I support it too. For purely practical reasons, I admit. We have to be CVE
> clean, to the extent possible, with annoying documentation requirements when
> known issues remain in a deployment image.
>
> We’d also want 3.4 for the fix for the lease leak on close bug in the DFS
> client. That was the cause of hundreds of half-closed WALs leaked in
> production before we analyzed the issues and rolled out a mitigation. We use
> FSHLog, for reasons. Users who do the same are subject to the same issue and
> bundling 3.4.1 libraries (and also documenting the required site
> configuration) is the solution.
>
> On Jan 8, 2025, at 10:36 PM, Istvan Toth <st...@cloudera.com.invalid> wrote:
> >
> > We've updated the default Hadoop version on the non-release branches to
> > 3.4.1, and have discussed doing the same on the release branches.
> > I don't know if you've been following the discussion threads about this,
> > Andrew, but it's basically a dilemma of
> >
> > * risking undetected problems on HBase patch release upgrade, and causing
> > problems for some existing users
> > * VS shipping the release with old known CVEs in the included Hadoop, which
> > hinders HBase adoption due to being perceived as insecure.
> >
> > Duo and I support this, but Nick has reservations, and deferred to you.
> >
> > What do you think?
> >
> >> On Tue, Jan 7, 2025 at 5:44 PM Andrew Purtell <apurt...@apache.org> wrote:
> >>
> >> Hi Nihal,
> >>
> >> I think we could take HBASE-29028 and HBASE-28983 in the upcoming release
> >> right now. Let me follow up on the respective PRs.
> >>
> >> For HBASE-28832, I think it should have some time to bake. Maybe in
> >> branch-2 first, for kicking the tires, and then we could backport it to the
> >> releases.
> >>
> >>> On Mon, Jan 6, 2025 at 9:23 PM Nihal Jain <nihalj...@apache.org> wrote:
> >>>
> >>> Hi,
> >>>
> >>> Dávid Paksy is working on backporting changes for upgrading to bootstrap
> >>> 5.3.3.
> >>>
> >>> Following PRs are pending for this:
> >>> 1) HBASE-29028 Backport missing UI patches to branch-2.5
> >>> 2) HBASE-28832 Upgrade from bootstrap 3.4.1 to non vulnerable version 5.3.3
> >>> 3) HBASE-28983 Static resources are not loaded on REST web UI pages in dev
> >>> mode
> >>>
> >>> Changes for first two JIRAs are up for review. Third is good to have.
> >>>
> >>> Please suggest if we want to consume these changes for upcoming release or
> >>> should we wait on merging these until release is done.
> >>>
> >>> Regards,
> >>> Nihal
> >>>
> >>> On 2025/01/06 17:49:10 Andrew Purtell wrote:
> >>>> Related to 2.5.11, there are 61 resolved issues*, and one pending that may
> >>>> land in the next couple of days.
> >>>>
> >>>> * - https://issues.apache.org/jira/projects/HBASE/versions/12354955
> >>>>
> >>>> On Mon, Jan 6, 2025 at 9:37 AM Andrew Purtell <apurt...@apache.org> wrote:
> >>>>
> >>>>> We are overdue for a maintenance release of 2.5.
> >>>>>
> >>>>> If you have any pending work that should go in to such a release, please
> >>>>> get it committed in the next couple of days. Please let me know if you have
> >>>>> any blocking issues preventing that.
> >>>>>
> >>
> >> --
> >> Best regards,
> >> Andrew
> >>
> >> Unrest, ignorance distilled, nihilistic imbeciles -
> >> It's what we’ve earned
> >> Welcome, apocalypse, what’s taken you so long?
> >> Bring us the fitting end that we’ve been counting on
> >> - A23, Welcome, Apocalypse
> >
> > --
> > *István Tóth* | Sr. Staff Software Engineer
> > *Email*: st...@cloudera.com
> > cloudera.com <https://www.cloudera.com>