David Knupp has posted comments on this change. ( http://gerrit.cloudera.org:8080/15829 )
Change subject: IMPALA-9648: Exclude/ban netty-all from mvn download
......................................................................

Patch Set 3:

(1 comment)

> Patch Set 3:
>
> (2 comments)

http://gerrit.cloudera.org:8080/#/c/15829/3/fe/pom.xml
File fe/pom.xml:

http://gerrit.cloudera.org:8080/#/c/15829/3/fe/pom.xml@762
PS3, Line 762:       (,4.1.46]
> Change this to * to ban all versions. If we need netty, then exclusions won

When you have a chance tomorrow, can you have a look at the code review for my initial patch for netty* -- the one that we eventually had to revert.
https://gerrit.cloudera.org/c/15761/

Tim made the exact same comment on patch set #3, to wit, "Can we tighten this up to exclude everything from io.netty? I.e. io.netty:* . It seems like we're excluding it all anyway..."

Indeed, that was my initial inclination also, in the patch immediately prior -- don't pin the ban to a version. But then parallel-all-tests fails upstream. This is from a dry-run with patch set #2:
https://jenkins.impala.io/job/all-build-options-ub1604/5596/

If we look in the maven log artifact, there are lines like:

  02:48:28 [INFO] Downloading from cdh.rcs.releases.repo: https://repository.cloudera.com/content/groups/cdh-releases-rcs/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]
  02:48:35 [INFO] Downloading from cdh.releases.repo: https://repository.cloudera.com/content/repositories/releases/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]
  02:48:40 [INFO] Downloading from impala.cdp.repo: https://native-toolchain.s3.amazonaws.com/build/cdp_components/2523282/maven/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]
  02:48:43 [INFO] Downloading from impala.cdh.repo: https://native-toolchain.s3.amazonaws.com/build/cdh_components/1814051/maven/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]
  02:48:43 [INFO] Downloading from impala.toolchain.kudu.repo: file:///home/ubuntu/Impala/toolchain/kudu-4ed0dbbd1/java/repository/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]
  02:48:47 [INFO] Downloading from cloudera.thirdparty.repo: https://repository.cloudera.com/content/repositories/third-party/io/netty/netty-all/4.1.47.Final/netty-all-4.1.47.Final.jar
  [...]

etc. There are many mentions. But the failure is, once again:

  02:56:19 02:56:18 [WARNING] Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
  02:56:19 02:56:18 [INFO] BUILD FAILURE
  02:56:19 02:56:18 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce (enforce-banned-dependencies) on project impala-frontend: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]

(Note that this predates your patch that prints out the specific failure, sadly.)

I'm honestly not sure where netty-all-4.1.47.Final.jar is coming from, though I do think netty-all is required by something -- maybe Ranger? (Search for internal Ranger JIRA with subject "Upgrade Netty version".)

I honestly can't tell you what I think the right thing to do is, because I don't have a clue. But I'm pretty sure that all of the points below are true, FWIW.

* if we do nothing, we wind up with netty-all 4.1.42.Final in our dependency tree when building locally from ASF
* if we exclude * and ban *, local ASF builds will succeed, but upstream GVO/dryrun will fail because netty-all 4.1.47.Final (or maybe now 4.1.48.Final) still winds up in the dependency tree somehow
* if we exclude * and ban versions < 4.1.46.Final, local ASF builds succeed, and upstream GVO succeeds (and I have every reason to believe that CI builds to pull ASF changes downstream will also succeed)
* on the internal mirror of IMPALA-9648, it specifically states (though it's in a comment, not in the description) that the Black Duck scan "is recommending at least 4.1.46 for a High priority CVE," so it seems like banning anything below that version still adheres to the strict letter of the JIRA.

--
To view, visit http://gerrit.cloudera.org:8080/15829
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie7d61af3c10ee439ca9eef3840403229e6235c97
Gerrit-Change-Number: 15829
Gerrit-PatchSet: 3
Gerrit-Owner: David Knupp <[email protected]>
Gerrit-Reviewer: David Knupp <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
Gerrit-Comment-Date: Wed, 29 Apr 2020 05:58:40 +0000
Gerrit-HasComments: Yes
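The two options the comment above weighs (ban a version range vs. ban the whole io.netty group, combined with a wildcard exclusion on whichever dependency drags netty-all in) map onto the maven-enforcer-plugin bannedDependencies rule as follows. This is an added illustration, not the fe/pom.xml from the Impala change under review; the plugin version and execution id are the ones visible in the build log above, while the dependency `org.example:some-transitive-dep` is a placeholder standing in for whatever artifact actually pulls in netty-all.

```xml
<!-- Added example, not the project's own pom.xml. -->
<project>
  <dependencies>
    <!-- Placeholder for the real artifact that transitively brings in netty-all.
         A wildcard artifactId in an exclusion needs Maven 3.2.1 or newer. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-transitive-dep</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>io.netty</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M1</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Version-range form from the patch: bans netty-all
                         up to and including 4.1.46, allows anything newer. -->
                    <exclude>io.netty:netty-all:(,4.1.46]</exclude>
                    <!-- Alternative proposed in review: ban every artifact in
                         the group regardless of version. Use one or the other. -->
                    <!-- <exclude>io.netty:*</exclude> -->
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The bannedDependencies rule accepts standard Maven version-range syntax in the third field, which is why the range and the wildcard forms behave so differently against a transitive 4.1.47.Final: the range admits it, the wildcard rejects it. To find out which dependency is actually supplying a given netty-all, `mvn dependency:tree -Dincludes=io.netty:netty-all` prints only the branch of the tree leading to that artifact, which is usually faster than reading the download lines in the build log.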
