+1 Looks like a good plan, and happy to see PRs up for it already :)
On 7/16/20 8:44 AM, [email protected] wrote:
Sounds like a good plan and good work Istvan! Having a pre-shaded third-party
repo and using it in most of the dependent components, like Omid and Tephra, avoids
a lot of headaches with compatibility.
On Wed, Jul 15, 2020 at 11:07 AM Istvan Toth <[email protected]> wrote:
Hi!
I've just opened https://issues.apache.org/jira/browse/PHOENIX-6010 that
introduces a pre-shaded HBase-style phoenix-thirdparty repo with pre-shaded
Guava.
Please check it out, and share your thoughts on it!
Copying most of the ticket here, in the hope of getting more eyes on it:
We have long-standing and well-documented problems with Guava, just like
the rest of the Hadoop components.
Adopt the solution used by HBase:
- create phoenix-thirdparty repo
- create a pre-shaded phoenix-shaded-guava artifact in it
- Use the pre-shaded Guava in every phoenix component
The advantages are well-known, but to name a few:
- Phoenix will work with Hadoop 3.1.3+
- One less CVE in our direct dependencies
- No more conflict with our consumers' Guava versions
Notes:
- I've chosen 29.0-android for the thirdparty Guava version, as we need
Java 7 compatibility.
- The alternative would be Guava 20 (the last non-android release
that supports Java 7), which has CVEs.
- Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill
and Guava 13, as its Twill dependency doesn't work with recent Guavas.
- The long-term solution would be removing the EOL twill dependency
from it, and then converting to thirdparty, but that's quite a lot of work,
and I wanted to have something that works now.
- This is less of an issue for 4.x, where every component is on Guava 13-ish,
but I think once it's done, it'd be worth backporting this to 4.x as
well, if only to make backporting easier.
- If/when we agree on doing this, and have worked out the details, I'll
add the sub-tasks for getting this in master:
- create a new repo for phoenix-thirdparty and release it
- update and release Tephra with the shaded artifact
- update and release Omid with the thirdparty stuff
- update the Omid and Tephra dependencies in Phoenix, and convert it
to use thirdparty as well.
Please share your thoughts, opinion, and questions!
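
A check that fits the plan in the message above, as an added example that is not part of the original thread or of the Phoenix code base: scan a built jar for Guava classes or references that escaped relocation. The relocation prefix `org/apache/phoenix/thirdparty/`, the function names, and the sample jar contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

GUAVA = b"com/google/common/"
# Assumed relocation prefix; the thread does not state the shaded package name.
RELOCATED = b"org/apache/phoenix/thirdparty/"


def find_unrelocated_guava(jar_bytes, relocated=RELOCATED):
    """Return sorted (entry, problem) pairs for Guava that escaped relocation."""
    # Class files store type names with '/' separators, so a byte search finds
    # them. Skip matches that are directly preceded by the relocation prefix.
    leak = re.compile(b"(?<!" + re.escape(relocated) + b")" + re.escape(GUAVA))
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            if name.encode().startswith(GUAVA):
                # A Guava class shipped under its original package name.
                findings.append((name, "bundled-unrelocated-class"))
            elif leak.search(jar.read(name)):
                # Our own class still points at the original Guava package.
                findings.append((name, "references-unrelocated-guava"))
    return sorted(findings)


def build_sample_jar():
    """Constructed sample jar; entry bodies are fake bytes, not real classes."""
    magic = b"\xca\xfe\xba\xbe"
    reloc = RELOCATED + GUAVA
    entries = {
        reloc.decode() + "base/Preconditions.class": magic + reloc + b"base/Preconditions",
        "org/apache/phoenix/util/Good.class": magic + b"L" + reloc + b"base/Optional;",
        "org/apache/phoenix/util/Bad.class": magic + b"\x01\x00\x1f" + GUAVA + b"collect/Lists",
        "com/google/common/base/Strings.class": magic,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, problem in find_unrelocated_guava(build_sample_jar()):
        print(f"{problem}: {entry}")
```

The byte search only sees slash-separated type names, so Guava class names built from dotted strings at runtime (reflection) are not covered.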