[ https://issues.apache.org/jira/browse/TEZ-4114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17044302#comment-17044302 ]

László Bodor edited comment on TEZ-4114 at 2/25/20 10:07 AM:
-------------------------------------------------------------

[~jeagles]: thanks for taking a look, would you consider still including jetty 
in the package? I think the goal of the distribution package is to ship a 
more-or-less usable version of tez... In the current situation, it seems like tez 
doesn't change the server behavior, that's why it doesn't have any direct 
dependency on jetty (I guess), but jetty is still a fundamental part of it; 
without that, the AM cannot even start. So yes, we can go in a direction where we 
include only direct dependencies, but in this case, we'll definitely break the 
package in the sense that tez users already expect a jetty to be packed, that's 
why it's quite easy to install tez.tar.gz into Hadoop installations...but 
without jetty packed, every single user/scenario will have to handle this case. 
Are you 100% sure this is the right way?

If you're still about removing jetty from the package, I'm ok with that; could 
you please let me handle it in another jira? I mean, I've already backported 
TEZ-4114 to downstream, and it solved CVE warnings, and I would create a 
separate patch for excluding it from the package. This step would be a clean 
distinction between dependency management and package management in terms of 
jetty.
cc: [~ashutoshc]


was (Author: abstractdog):
[~jeagles]: thanks for taking a look, would you consider still including jetty 
in the package? I think the goal of the distribution package is to ship a 
more-or-less usable version of tez... In the current situation, it seems like tez 
doesn't change the server behavior, that's why it doesn't have any direct 
dependency on jetty (I guess), but jetty is still a fundamental part of it; 
without that, the AM cannot even start. So yes, we can go in a direction where we 
include only direct dependencies, but in this case, we'll definitely break the 
package in the sense that tez users already expect a jetty to be packed, that's 
why it's quite easy to install tez.tar.gz into Hadoop installations, without 
jetty packed, every single user/scenario will have to handle this case. Are you 
100% sure this is the right way?

If you're still about removing jetty from the package, I'm ok with that; could 
you please let me handle it in another jira? I mean, I've already backported 
TEZ-4114 to downstream, and it solved CVE warnings, and I would create a 
separate patch for excluding it from the package. This step would be a clean 
distinction between dependency management and package management in terms of 
jetty.
cc: [~ashutoshc]

> Upgrade to Jetty 9.4
> --------------------
>
>                 Key: TEZ-4114
>                 URL: https://issues.apache.org/jira/browse/TEZ-4114
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>         Attachments: TEZ-4114.01.patch, TEZ-4114.02.patch, TEZ-4114.03.patch, 
> TEZ-4114.04.patch, TEZ-4114.05.patch, TEZ-4114.06.patch, TEZ-4114.07.patch, 
> master.deps.txt
>
>
> Hadoop already did it in: https://issues.apache.org/jira/browse/HADOOP-16152
> Hive: "in progress", only abandoned jiras
> https://issues.apache.org/jira/browse/HIVE-21961
> https://issues.apache.org/jira/browse/HIVE-21211


