Thanks for all the positive feedback, the kyuubi-shaded repo is created. https://gitbox.apache.org/repos/asf/kyuubi-shaded.git https://github.com/apache/kyuubi-shaded.git
Thanks, Cheng Pan On Apr 7, 2023 at 16:22:27, Shaoyun Chen <c...@apache.org> wrote: > +1 > > XiDuo You <ulyssesyo...@gmail.com> 于2023年4月7日周五 15:44写道: > > > +1 > > > Dongdong Hong <hon...@apache.org> 于2023年4月7日周五 15:11写道: > > > > > > +1 > > > > > > Thanks, > > > hongdd > > > > > > On 2023/04/07 07:03:07 Bowen Liang wrote: > > > > +1. > > > > > > > > Moving the shaded module away to the introduced shaded repo would also > help to resolve the problem currently when test with a shaded > profile/module in the Kyuubi project. > > > > > > > > On 2023/04/02 05:58:40 Cheng Pan wrote: > > > > > Hi Kyuubi developers and users, > > > > > > > > > > I propose to introduce a new repo apache/kyuubi-shaded in this > discussion. > > > > > > > > > > > > > > > Why? > > > > > > > > > > To address the following issues: > > > > > > > > > > Case 1: > > > > > Some dependencies which used by both Kyuubi and other dependencies, > have > > > > > known CVEs, but due to the breaking changes of API, we can not > upgrade it > > > > > to the security version. > > > > > > > > > > For example, currently, Kyuubi uses thrift 0.9.3, which is affected > by > > > > > CVE-2018-11798, CVE-2020-13949, CVE-2019-0205, but due to its > breaking API > > > > > change breaks compatible w/ Hive 2.3 and Hive 3.1, we can not > upgrade it to > > > > > 0.16.0. > > > > > > > > > > Case 2: > > > > > For some components, we decide to stay to a lower version of client > to > > > > > compatible w/ an adopted widely version of server, hence we lack of > some > > > > > newer functionality e.g. JDK 17 support. > > > > > > > > > > For example, currently, Kyuubi uses Curator 2.12 and Zookeeper 3.4, > because > > > > > Zookeeper 3.4 is adopted by CDH 5 and CDH 6, AWS EMR(although the > recent > > > > > EMR distributions upgraded to Zookeeper 3.5). > > > > > > > > > > > > > > > How? > > > > > > > > > > Kyuubi uses Apache Maven as the building tool, which is not good to > handle > > > > > shaded stuff in multiple modules project. I believe most of us felt > the bad > > > > > experience of kyuubi-hive-jdbc-shaded, so a separated repo should be > a good > > > > > idea. > > > > > > > > > > All shaded classes should be relocated to the new package which > starting w/ > > > > > `org.apache.kyuubi.shaded.`(or something else), to avoid the > confliction > > > > > between the existing vanilla classes. In the meanwhile, we can > override > > > > > some classes, which is kind of a patch to the existing third party > > > > > libraries. > > > > > > > > > > > > > > > What’s the scope? > > > > > > > > > > The shading/relocation technology should be the final solution, we > must > > > > > avoid using it as much as possible, because the relocation is not > always > > > > > safe, it may break the reflection invoking, and the relocated class > is not > > > > > fully tested. > > > > > > > > > > Currently, I propose to limit the scope to Thrift, Curator, > Zookeeper, > > > > > please list your reasons if you want to add other components. > > > > > > > > > > Thanks, > > > > > Cheng Pan > > > > > > > > > > >
