[ https://issues.apache.org/jira/browse/TEZ-4114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17044302#comment-17044302 ]
László Bodor edited comment on TEZ-4114 at 2/25/20 10:07 AM:
-------------------------------------------------------------

[~jeagles]: thanks for taking a look, would you consider still including jetty into the package?

I think the goal of the distribution package is to ship a more-or-less usable version of tez... in the current situation, seems like tez doesn't change the server behavior, that's why it doesn't have any direct dependency on jetty (I guess), but jetty is still a fundamental part of it, without that, AM cannot even start, so yes, we can go into a direction where we include only direct dependencies, but in this case, we'll definitely break the package in a sense that tez users already expect a jetty to be packed, that's why it's quite easy to install tez.tar.gz into Hadoop installations... but without jetty packed, every single user/scenario will have to handle this case, are you 100% sure this is the right way?

if you're still about removing jetty from the package, I'm ok with that, could you please let me handle it in another jira? I mean, I've already backported TEZ-4114 to downstream, and it solved CVE warnings, and I would create a separate patch for excluding it from the package, this step would be a clean distinction between dependency management and package management in terms of jetty

cc: [~ashutoshc]


was (Author: abstractdog):
[~jeagles]: thanks for taking a look, would you consider still including jetty into the package?

I think the goal of the distribution package is to ship a more-or-less usable version of tez... in the current situation, seems like tez doesn't change the server behavior, that's why it doesn't have any direct dependency on jetty (I guess), but jetty is still a fundamental part of it, without that, AM cannot even start, so yes, we can go into a direction where we include only direct dependencies, but in this case, we'll definitely break the package in a sense that tez users already expect a jetty to be packed, that's why it's quite easy to install tez.tar.gz into Hadoop installations, without jetty packed, every single user/scenario will have to handle this case, are you 100% sure this is the right way?

if you're still about removing jetty from the package, I'm ok with that, could you please let me handle it in another jira? I mean, I've already backported TEZ-4114 to downstream, and it solved CVE warnings, and I would create a separate patch for excluding it from the package, this step would be a clean distinction between dependency management and package management in terms of jetty

cc: [~ashutoshc]

> Upgrade to Jetty 9.4
> --------------------
>
>                 Key: TEZ-4114
>                 URL: https://issues.apache.org/jira/browse/TEZ-4114
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>         Attachments: TEZ-4114.01.patch, TEZ-4114.02.patch, TEZ-4114.03.patch,
> TEZ-4114.04.patch, TEZ-4114.05.patch, TEZ-4114.06.patch, TEZ-4114.07.patch,
> master.deps.txt
>
>
> Hadoop already did it in: https://issues.apache.org/jira/browse/HADOOP-16152
> Hive: "in progress", only abandoned jiras
> https://issues.apache.org/jira/browse/HIVE-21961
> https://issues.apache.org/jira/browse/HIVE-21211

--
This message was sent by Atlassian Jira (v8.3.4#803005)