LuciferYang commented on PR #50222: URL: https://github.com/apache/spark/pull/50222#issuecomment-2712474272
> Thank you for making a PR, @pan3793.
>
> To the reviewers, I'm not against this PR because this is a legitimate request from the community members.
>
> I just want to add context for the record:
>
> * Apache Spark 4.0.0 RC2 makes this dependency optional intentionally due to [CVE-2024-23953](https://github.com/advisories/GHSA-p953-3j66-hg45). In RC2, the vulnerability only affected the production environments when the users allow it by installing the package intentionally.
> * This PR will propagate the `Apache Hive LLAP vulnerability` back to the Apache Spark binary distribution again, although this is not a regression from Apache Spark 3.
> * After this PR, it's highly recommended to handle it internally in the production environments by patching their internal fork of Spark or Hive based on their own user situations.
>
> I must admit that the AS-IS Apache Spark 4.0.0 RC2 was a bandage until Apache Spark upgrades its Hive dependency to Apache Hive 4.x. Every path (including this) has its own rationale. So, thank you again.
>
> From our production environment, we will still opt out.

After restoring this dependency, I think it would be best to have a place to document this known issue and provide recommendations to users, such as on the security.html page of our website, or in the 4.0 release notes.
