On Thu, Jan 13, 2011 at 6:12 PM, Arun C Murthy <[email protected]> wrote:
>
> On Jan 13, 2011, at 5:35 PM, Eli Collins wrote:
>>
>> Given that Todd has already done the work to rebase the 0.20.104.3
>> patch set on 0.20.2, and in a way that doesn't require one big change,
>> and his patch set includes branch20-append which the HBase guys want
>> an Apache release of wouldn't it make sense to go this route? What do
>> others think? Seems better to have one 0.20.100 release than multiple
>> ones for security and append.
>
>
> My concern around 0.20.104.3 is that it has serious security holes including
> a root exploit that we have since fixed. I'm sure you guys are aware of
> them, Todd has helped to fix some.
>

The cdh3 patch set Todd is talking about is not vanilla 104.3, it's 104.3 re-based onto 20.2 plus patches from branch-20 and trunk (the performance and stability fixes I think you're referring to, at least the ones that have been posted to Apache jira). Can you post a pointer to the version you're referring to, eg on github? If there isn't a big delta between it and the cdh3 patch set (which should have the 20-based patches from jira) perhaps you and Todd could easily merge in the delta to create 0.20.x?

> The version I'm offering to push to the community has fixed all of them,
> *plus* the added benefit of several stability and performance fixes we have
> done since 20.104.3, almost 10 internal releases. This is a battle tested
> and hardened version which we have deployed on 40,000+ nodes. It is a
> significant upgrade on 0.20.104.3 which we never deployed. I'm pretty sure
> *some* users will find that valuable. ;)

Definitely, but better to hit two birds with one stone right? Instead of a security + enhancements release and an append release we could have a single security + append + enhancements release and users don't have to choose.

> Also, I've offered to push individual patches as a background activity on a
> branch - that should suffice, no? Or, do you consider this a blocker?

Definitely not a blocker.

> Again, my goal in this exercise is to get a stable, improved version of
> Hadoop into the hands of our users asap, and focus on 0.22 and beyond.

Agree, that's everyone's goal. My point is that a release that's already been re-based on 20.2, doesn't require a separate HBase release, and doesn't require you spend time on a background task to break up the big change into smaller ones seems like a faster way forward.

Thanks,
Eli
