Hi, One open security issue is the use of protobuf 2.5.0 by Omid. As discussed in a recent thread https://lists.apache.org/thread/rthnk6vxx5y6cr7t5kkkx2vj9c91nf37 using unshaded protobuf in a library is no longer viable because of protobuf 3/4 api incompatibilities, hence we need to use a shaded protobuf artifact for OMID.
I propose releasing a new phoenix-thirdparty release which includes it own shaded protobuf library (similarly to HBase, but without the patches) At the moment the version is 2.2.0, bumped from 2.1.x, but we could also go to 3.0.0, I'm not sure which one is better. Please share your thoughts. Istvan
