ctubbsii commented on PR #2785: URL: https://github.com/apache/thrift/pull/2785#issuecomment-1523747821
> > In my experience, every version of Thrift has been accompanied by a breaking change. This is one of the reasons why I don't understand why people seem to want to upgrade it so aggressively
>
> @ctubbsii How do you handle the CVEs then? The security team in some companies forcibly bans the jars which were reported CVEs, even if the project which uses Thrift does not really get affected. Similar questions on bugs.

Case-by-case mitigation, if affected. Can patch/local fork or mitigate in calling code, or mitigate with firewall, or something else. Just depends on the impact. Ideally, we advocate upstream do maintenance releases to make this easier on everybody downstream.
