Sounds like a good plan and good work Istvan! Having a pre-shaded third-party repo and using it in most of the dependent components like Omid and Tephra avoids a lot of headaches with compatibility.

On Wed, Jul 15, 2020 at 11:07 AM Istvan Toth <[email protected]> wrote:

> Hi!
>
> I've just opened https://issues.apache.org/jira/browse/PHOENIX-6010 that
> introduces a pre-shaded HBase-style phoenix-thirdparty repo with pre-shaded
> Guava.
>
> Please check it out, and share your thoughts on it!
>
> Copying most of the ticket here, in the hope of getting more eyes on it:
>
> We have long-standing and well-documented problems with Guava, just like
> the rest of the Hadoop components.
>
> Adopt the solution used by HBase:
>
> - create phoenix-thirdparty repo
> - create a pre-shaded phoenix-shaded-guava artifact in it
> - Use the pre-shaded Guava in every phoenix component
>
> The advantages are well-known, but to name a few:
>
> - Phoenix will work with Hadoop 3.1.3+
> - One less CVE in our direct dependencies
> - No more conflict with our consumer's Guava versions
>
> Notes:
>
> - I've chosen 29.0-android for the thirdparty Guava version, as we need
>   Java 7 compatibility.
>   - The alternative would be Guava 20 (the last non-android release
>     that supports Java 7), which has CVEs.
> - Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill
>   and Guava 13, as its Twill dependency doesn't work with recent Guavas.
>   - The long-term solution would be removing the EOL twill dependency
>     from it, and then converting to thirdparty, but that's quite a
>     lot of work, and I wanted to have something that works now.
> - This is less of an issue for 4.x, where every component is on Guava
>   13-ish, but I think once it's done, it'd be worth backporting this to
>   4.x as well, if only to make backporting easier.
> - If/when we agree on doing this, and have worked out the details, I'll
>   add the sub-tasks for getting this in master:
>   - create a new repo for phoenix-thirdparty and release it
>   - update and release Tephra with the shaded artifact
>   - update and release Omid with the thirdparty stuff
>   - update the Omid and Tephra dependencies in Phoenix, and convert it
>     to use thirdparty as well.
>
> Please share your thoughts, opinion, and questions!
