[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568887#comment-17568887 ]

ASF GitHub Bot commented on DRILL-8267:
---------------------------------------

jnturton commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r925256805


##########
pom.xml:
##########
@@ -1984,17 +1983,6 @@
         <artifactId>xercesImpl</artifactId>
         <version>${xerces.version}</version>
       </dependency>
-      <dependency>
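
Review bot: at the `-      <dependency>` removal that follows the xercesImpl entry, nothing visible in this hunk replaces the managed entry with a guard that keeps commons-configuration out of the build, and the `mvn dependency:tree` output quoted on this page still resolves version 1.10 through omid-transaction-client in test scope. If the aim stated in the Jira description is to keep the EOL jar away from Drill, consider an explicit exclusion on phoenix-core in drill-storage-phoenix, or a maven-enforcer `bannedDependencies` rule, so the artifact cannot reappear in a shipped scope unnoticed.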

Review Comment:
   Note that what we're doing here is removing the _management_ of a dependency 
from the dependencyManagement element, not removing any dependency itself. If I 
look at a Drill installation then I see that we don't ship 
commons-configuration, only commons-configuration2.
   ```
   ➜  ~ ls /opt/apache-drill-1.20.1/jars/3rdparty/commons-conf*                 
   
   /opt/apache-drill-1.20.1/jars/3rdparty/commons-configuration2-2.1.1.jar
   ```
   If I then look at `mvn dependency:tree` I see that the Phoenix storage 
plugin is the one place where we depend on commons-configuration via 
org.apache.phoenix:phoenix-core
   ```
   [INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
   [INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
   [INFO]    \- org.apache.omid:omid-transaction-client:jar:1.0.2:test
   [INFO]       \- commons-configuration:commons-configuration:jar:1.10:test
   ```
   but the scope of dependency is _test_ which explains why 
commons-configuration is not to be found in a Drill installation.
   
   Bottom line: I don't think we do need to manage this dependency any more so 
I'm in favour of this change even though it has no impact, because it 
simplifies our beast of a pom. But the Jira and the PR descriptions should be 
adjusted to reflect what's happening: "Remove unneeded management of 
commons-configuration which only appears in test scope for storage-phoenix" or 
something.
   
   Let's also check in with @vdiravka about this change...





> Remove commons-configuration dependency management
> --------------------------------------------------
>
>                 Key: DRILL-8267
>                 URL: https://issues.apache.org/jira/browse/DRILL-8267
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
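
The check described in the review comment above, as an added example that is not part of the original message or of the Drill project's code: it parses `mvn dependency:tree` text, reports every path that pulls in a given artifact, and separates occurrences in a shipped scope from test-only ones. The names `find_paths`, `shipped` and `SHIPPED_SCOPES` are hypothetical, and the sample input is constructed from the tree lines quoted in the comment.

```python
import re

# Constructed sample: the dependency:tree lines quoted in the review comment.
SAMPLE_TREE = r"""
[INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
[INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
[INFO]    \- org.apache.omid:omid-transaction-client:jar:1.0.2:test
[INFO]       \- commons-configuration:commons-configuration:jar:1.10:test
"""

# Assumption: these are the scopes whose jars end up in a packaged install.
SHIPPED_SCOPES = {"compile", "runtime"}

# One tree line: three-character indent units, an optional "+- " or "\- "
# marker, then colon-separated coordinates (4 fields for the root, 5 or 6
# for a dependency, the last one being its scope).
LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<marker>[+\\]- )?"
    r"(?P<coords>[^\s:]+(?::[^\s:]+){3,5})$"
)


def find_paths(tree_text, group_id, artifact_id):
    """Return a (path, scope) pair for every occurrence of the artifact."""
    stack = []  # coordinates from the root down to the current line
    hits = []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, separator and summary lines
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        parts = m["coords"].split(":")
        scope = parts[-1] if len(parts) >= 5 else None  # root has no scope
        del stack[depth:]
        stack.append(m["coords"])
        if parts[0] == group_id and parts[1] == artifact_id:
            hits.append((list(stack), scope))
    return hits


def shipped(hits):
    """Keep only the occurrences whose scope would put the jar in a release."""
    return [hit for hit in hits if hit[1] in SHIPPED_SCOPES]


if __name__ == "__main__":
    found = find_paths(SAMPLE_TREE, "commons-configuration", "commons-configuration")
    for path, scope in found:
        print(scope, " <- ".join(reversed(path)))
    print("shipped occurrences:", len(shipped(found)))
```
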
