[
https://issues.apache.org/jira/browse/NIFI-13515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18055944#comment-18055944
]
Joe Witt commented on NIFI-13515:
---------------------------------
This is a closed JIRA so if you'd like to propose something and/or offer
changes I recommend you create a new JIRA.
I could anticipate some pushback to re-introduce support for Kudu as something
maintained by the Apache NiFi community itself. For certain anyone can take
the previous codebase, polish a little, update to latest Kudu, and likely be in
good shape for their purposes.
For us to bring it back in we need to consider whether we have much support
within the community to maintain it. We don't seem to have that. Maintenance
in these cases includes the non-glorious but essential part which is
maintaining the dependencies both direct and transitive (Kudu in this case) and
ensuring they're not vulnerable and so on. We don't seem to have anyone
actively stepping up to take that on. It appears both zchovan and achennaka
have commits to Kudu. Are either of you perhaps planning to help ensure this
happens? We also consider the health, activity, and demand for interaction
with the service in question. Kudu is no doubt an important part of the Hadoop
ecosystem. But I suspect it is or can be well supported in the vendor context
and outside of that I don't know how much pull their is for it. Others would
have to share more on that. We would also look at how active the project is
and how well it maintains its dependencies. Commit activity month over month
is declining and in recent months looks quite low. Might just be seasonal -
i've not looked into project activity and such overall.
These are just my quick thoughts. Should anyone raise a JIRA to re-introduce
they'd want to offer some thoughts on these dimensions and hopefully a PR as
well.
> Remove PutKudu and KuduLookupService along with nifi-kudu-nar
> -------------------------------------------------------------
>
> Key: NIFI-13515
> URL: https://issues.apache.org/jira/browse/NIFI-13515
> Project: Apache NiFi
> Issue Type: Sub-task
> Reporter: Joe Witt
> Assignee: Joe Witt
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The kudu components have a very long standing HIGH vulnerability CVE stemming
> from its shading of an old netty
> kudu-client-1.17.0.jar (shaded: io.netty:netty-codec-http:4.1.94.Final)
> repository/org/apache/kudu/kudu-client/1.17.0/kudu-client-1.17.0.jar/META-INF/maven/io.netty/netty-codec-http/pom.xml
> MD5: b18b426e138cb17f5e44b8873b5afbac
> SHA1: 6b0212a0b0ae2b36c3500dda980e8547179575f8
> SHA256:62be40ca13b3b09b37980bfddc86bf6f30732d995231bf4549da362bff09cb64
> Referenced In Projects/Scopes:
> nifi-code-coverage:compile
> nifi-kudu-processors:compile
> nifi-kudu-controller-service:compile
> nifi-kudu-nar:compile
> The components are not maintained, the dependency sees infrequent activity,
> and usage seems quite limited.
> https://issues.apache.org/jira/browse/NIFI-13498
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
