I've now got enough knowledge of how vulnerable avro (and to a very much lower extent parquet) is to RCEs from malicious files which trigger classloading.
We need to fix this on branch-3.4, even though it means that the release is somewhat incompatible with older versions.

https://issues.apache.org/jira/browse/HADOOP-19315
https://github.com/apache/hadoop/pull/7615#

I'm not that worried about compatibility because:

1. Cloudera did this upgrade internally a while back *and nobody has complained*.
2. Anyone who is running an insecure version of avro needs to upgrade ASAP.

This new PR removes a key blocker. If anyone can make a good case for us not doing the backport *and provide a safe alternative*, now is the time to make your case.

steve