pan3793 commented on PR #4888: URL: https://github.com/apache/hive/pull/4888#issuecomment-1821993187
@zhangbutao I mostly stand on a downstream project perspective. Hive has a low release rate. The latest stable versions (except for alpha and beta) are:

- 2.3.9, released on [Jun 10, 2021](https://mvnrepository.com/artifact/org.apache.hive/hive-exec)
- 3.1.3, released on [Apr 10, 2022](https://mvnrepository.com/artifact/org.apache.hive/hive-exec)

Once CVEs are reported as caused by Hive's transitive dependencies, such a release rate makes downstream projects like Spark awkward. Spark uses Hive 2.3.9 now. Hive 2.3.9 has many dependencies which have CVEs:

- log4j 2.6.2 - affected by Log4Shell, but fortunately the new log4j has good API compatibility, so Spark could upgrade the log4j deps directly
- Guava 14 - EOL and has many CVEs, and the new versions of Guava have breaking API changes, so we can not upgrade like we do for log4j; Spark sticks on Guava 14 because of Hive
- Jackson 1.x - EOL and has many CVEs, and the new Jackson 2.x has breaking API changes, so we can not upgrade like we do for log4j; Spark must ship those jars, otherwise it may break Hive class invocation
- jodd-core 3.5.2 - has CVE-2018-21234, and the new versions of Guava have breaking API changes, so we can not upgrade like we do for log4j; actually, Hive does not use those CVE code paths

Hive only uses a small part (~300 lines) of `jodd-util`. Copying the code is a clean and cheap way; then Hive and the downstream projects will not suffer if new CVEs are found in the remaining code of `jodd-util` in the future.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org
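The situation the comment describes (a single direct dependency dragging in several EOL or CVE-affected artifacts that cannot simply be bumped) is something a downstream project wants to see in its own dependency tree rather than take on faith. The checker below is an added example, not code from the Hive PR, from Hive or from Spark: it parses the text output of `mvn dependency:tree`, flags the four dependency families the comment names, and reports the chain of parents through which each one arrives, so you can see which direct dependency pins you. The sample tree and the `org.example:downstream` coordinates are constructed for this example; the "fixed from" thresholds for log4j-core (2.15.0, CVE-2021-44228) and jodd-core (5.0.4, CVE-2018-21234) come from the public advisories, not from the comment, and the Guava and Jackson 1.x rules encode only what the comment states.

```python
"""Flag known-problematic transitive dependencies in `mvn dependency:tree` output.

Added example; not part of the Hive PR, Hive or Spark. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed `mvn dependency:tree` output for a hypothetical project that
# depends on hive-exec 2.3.9 (assumption: shape mirrors the comment, not real Spark output).
SAMPLE_TREE = """\
[INFO] org.example:downstream:jar:1.0.0
[INFO] +- org.apache.hive:hive-exec:jar:2.3.9:compile
[INFO] |  +- com.google.guava:guava:jar:14.0.1:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  \\- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.jodd:jodd-core:jar:3.5.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.6.2:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

# Each nesting level in the tree rendering is exactly three characters ("+- ", "|  ", "\- ", "   ").
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>[A-Za-z0-9_.\-]+:\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    depth: int
    parent: Optional["Node"] = None

    @property
    def coord(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    def chain(self) -> List[str]:
        """Path from the direct (depth-1) dependency down to this node, root excluded."""
        path, node = [], self
        while node is not None and node.depth > 0:
            path.append(node.coord)
            node = node.parent
        return list(reversed(path))


def parse_coord(coord: str) -> Optional[Tuple[str, str, str]]:
    """group:artifact:packaging[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None  # plugin banners and other [INFO] lines are not coordinates
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def parse_tree(text: str) -> List[Node]:
    nodes: List[Node] = []
    stack: List[Node] = []  # stack[d] is the most recent node seen at depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_coord(m.group("coord"))
        if parsed is None:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]
        node = Node(*parsed, depth=depth, parent=stack[-1] if stack else None)
        stack.append(node)
        nodes.append(node)
    return nodes


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string, padded to three components ("14.0.1" -> (14, 0, 1))."""
    nums = [int(n) for n in re.findall(r"\d+", v)]
    return tuple((nums + [0, 0, 0])[:3])


@dataclass
class Rule:
    group: str
    artifact: Optional[str]  # None matches every artifact in the group
    affected: Callable[[Tuple[int, ...]], bool]
    reason: str


RULES = [
    Rule("org.apache.logging.log4j", "log4j-core", lambda v: v < (2, 15, 0),
         "Log4Shell (CVE-2021-44228), fixed from 2.15.0; upgrade is API-compatible"),
    Rule("com.google.guava", "guava", lambda v: v[0] <= 14,
         "Guava 14 is EOL; newer Guava releases have breaking API changes"),
    Rule("org.codehaus.jackson", None, lambda v: True,
         "Jackson 1.x is EOL; Jackson 2.x has breaking API changes"),
    Rule("org.jodd", "jodd-core", lambda v: v < (5, 0, 4),
         "CVE-2018-21234, affected before 5.0.4 per the CVE entry"),
]


@dataclass
class Finding:
    coord: str
    reason: str
    via: List[str]  # chain from the direct dependency down to the flagged artifact


def find_risky(tree_text: str) -> List[Finding]:
    findings = []
    for node in parse_tree(tree_text):
        v = version_tuple(node.version)
        for rule in RULES:
            if node.group == rule.group and rule.artifact in (None, node.artifact) and rule.affected(v):
                findings.append(Finding(node.coord, rule.reason, node.chain()))
                break
    return findings


def pulled_in_by(findings: List[Finding], direct_artifact: str) -> List[str]:
    """Flagged coordinates that arrive through one direct dependency (e.g. hive-exec)."""
    return [f.coord for f in findings if f.via and f.via[0].split(":")[1] == direct_artifact]


if __name__ == "__main__":
    for f in find_risky(SAMPLE_TREE):
        print(f"{f.coord}: {f.reason}\n    via " + " -> ".join(f.via))
```

On the constructed tree every flagged artifact arrives through `hive-exec`, which is the practical point: an exclusion or a direct version override only helps where the replacement is API-compatible (the log4j case), whereas for Guava 14 and Jackson 1.x the report tells you the fix has to land in Hive itself, which is the argument the comment makes for vendoring the few hundred lines of `jodd-util` Hive actually uses.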