arpadboda commented on PR #9452: URL: https://github.com/apache/nifi/pull/9452#issuecomment-2441139502
Sorry, but at first look I'm -1 to this PR:

First of all, I would like to note that I completely agree with removing Hive 3 dependencies and removing these vulnerabilities. Thank you David for bringing this topic up and initiating the discussion/changes!

My concerns lie with the timing and complexity introduced by these changes.

By complexity I mean that this change actually removes a feature from a component, but leaves the component there, so whoever is willing to use it at his/her own risk needs to duplicate the whole thing, with many potential conflicts later. Removing a NAR completely is fine: in case someone needs it later, they just pick the last available version and it most probably works with the latest NiFi. No vulnerabilities in NiFi, this is a win-win deal for everyone. However, this case is far more complex, leaving the NAR in NiFi but removing features used by members of the community, making their lives much more difficult.

By timing I mean:

- Do we want to have it in 2.0? As this is behind a profile, it doesn't get built into NiFi unless the user explicitly wants it, so no vulnerability is introduced by default; on the other hand, we release 2.0 with half-functioning Iceberg services.
- Do we plan to merge it after 2.0? In this case we are not in a rush and we should do it properly (replacing the deprecated Hive 3 dependency with Hive 4 libs, which should eliminate most of the security concerns raised here). I'm pretty sure some members of the community are happy to help in these activities, e.g. @mark-bathori
