[ https://issues.apache.org/jira/browse/HBASE-24762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17701339#comment-17701339 ]
Frens Jan Rumph commented on HBASE-24762:
-----------------------------------------
Would it still be desirable to remove the 2.5.0 dependency from the branch-2
line? We've got some CVE (noise) on this. Would be great if we could remove it.
The dependency in hbase-protocol seems very limited (to
{{o.a.h.h.util.ByteStringer}}) and covered by
{{com.google.protobuf.UnsafeByteOperations}}. Or am I overlooking things
here?
Would be happy to provide a PR.
> Purge protobuf java 2.5.0 dependency
> ------------------------------------
>
> Key: HBASE-24762
> URL: https://issues.apache.org/jira/browse/HBASE-24762
> Project: HBase
> Issue Type: Sub-task
> Components: dependencies, Protobufs
> Reporter: Duo Zhang
> Assignee: Duo Zhang
> Priority: Major
> Fix For: 3.0.0-alpha-1
>
>
> On master branch, we have removed the hbase-protocol module so in general, we
> do not need to depend on protobuf 2.5.0 directly. Especially for hadoop 3.3.0,
> hadoop will not depend on 2.5.0 any more, we should make sure hbase does not
> introduce protobuf 2.5.0 too.