[jira] [Comment Edited] (CASSANDRA-18645) Upgrade guava on trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-18645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17741055#comment-17741055 ]

Ekaterina Dimitrova edited comment on CASSANDRA-18645 at 7/7/23 2:15 PM:

Thank you for the review.

CVE-2022-45688 - should be addressed in CASSANDRA-18643

CVE-2023-34462 - should be addressed in CASSANDRA-18649

I miss in my branch the commits from yesterday that suppressed them.

Committed to [https://github.com/apache/cassandra]

[006ec71f63..992ad25b96|https://github.com/apache/cassandra/commit/992ad25b9608e59903dea4ec8becc00efbff5340] trunk -> trunk

I added CHANGES.txt entry on commit.

was (Author: e.dimitrova):

CVE-2022-45688 - should be addressed in CASSANDRA-18643

CVE-2023-34462 - should be addressed in CASSANDRA-18649

I miss in my branch the commits from yesterday that suppressed them.

Committed to https://github.com/apache/cassandra

[006ec71f63..992ad25b96|https://github.com/apache/cassandra/commit/992ad25b9608e59903dea4ec8becc00efbff5340] trunk -> trunk

I added CHANGES.txt entry on commit.

> Upgrade guava on trunk
> ----------------------
>
>                 Key: CASSANDRA-18645
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18645
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Ekaterina Dimitrova
>            Assignee: Ekaterina Dimitrova
>            Priority: Normal
>              Labels: Dependency
>             Fix For: 5.0
>
>
> Recently guava added JDK17 in CI and fixed some bugs down the road.
> Upgrading before the major 5.0 release is something we should do.
> Also, the current version that Cassandra uses is from 2018.

--
This message was sent by Atlassian Jira (v8.20.10#820010)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Comment Edited] (CASSANDRA-18645) Upgrade guava on trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-18645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740802#comment-17740802 ]

Ekaterina Dimitrova edited comment on CASSANDRA-18645 at 7/6/23 8:41 PM:

I went carefully through the changelog. The only thing that came out of it is that two security vulnerabilities have been fixed in the latest versions, so we no longer need the suppressions.

[Patch|https://github.com/apache/cassandra/pull/2470], CI: [J8|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2406/workflows/0795901b-c741-48f9-811e-02cc6f74314b], [J11|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2406/workflows/47fa7ceb-1d08-4b41-a5c2-addd9772676f], [J17|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2407/workflows/57238374-7137-4413-bddd-6a92b6757399]

was (Author: e.dimitrova):

I went carefully through the changelog. The only thing that came out of it for us is that two security vulnerabilities have been fixed in the latest versions so we do not need the suppressions anymore.

[Patch|https://github.com/apache/cassandra/pull/2470], CI: [J8|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2406/workflows/0795901b-c741-48f9-811e-02cc6f74314b], [J11|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2406/workflows/47fa7ceb-1d08-4b41-a5c2-addd9772676f], [J17|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/2407/workflows/57238374-7137-4413-bddd-6a92b6757399]

> Upgrade guava on trunk
> ----------------------
>
>                 Key: CASSANDRA-18645
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18645
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Ekaterina Dimitrova
>            Assignee: Ekaterina Dimitrova
>            Priority: Normal
>              Labels: Dependency
>             Fix For: 5.x
>
>
> Recently guava added JDK17 in CI and fixed some bugs down the road.
> Upgrading before the major 5.0 release is something we should do.
> Also, the current version that Cassandra uses is from 2018.

[jira] [Comment Edited] (CASSANDRA-18645) Upgrade guava on trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-18645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739239#comment-17739239 ]

Ekaterina Dimitrova edited comment on CASSANDRA-18645 at 7/5/23 4:47 PM:

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

From maven: "com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most Guava users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact)."

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases] before pushing this for review.

was (Author: e.dimitrova):

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

From maven: "com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most Guava users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact)."

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases?page=2] before pushing this for review.

> Upgrade guava on trunk
> ----------------------
>
>                 Key: CASSANDRA-18645
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18645
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Ekaterina Dimitrova
>            Assignee: Ekaterina Dimitrova
>            Priority: Normal
>              Labels: Dependency
>             Fix For: 5.x
>
>
> Recently guava added JDK17 in CI and fixed some bugs down the road.
> Upgrading before the major 5.0 release is something we should do.
> Also, the current version that Cassandra uses is from 2018.

[jira] [Comment Edited] (CASSANDRA-18645) Upgrade guava on trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-18645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739239#comment-17739239 ]

Ekaterina Dimitrova edited comment on CASSANDRA-18645 at 6/30/23 10:38 PM:

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

From maven: "com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most Guava users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact)."

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases?page=2] before pushing this for review.

was (Author: e.dimitrova):

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most Guava users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases?page=2] before pushing this for review.

> Upgrade guava on trunk
> ----------------------
>
>                 Key: CASSANDRA-18645
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18645
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Ekaterina Dimitrova
>            Assignee: Ekaterina Dimitrova
>            Priority: Normal
>              Labels: Dependency
>             Fix For: 5.x
>
>
> Recently guava added JDK17 in CI and fixed some bugs down the road.
> Upgrading before the major 5.0 release is something we should do.
> Also, the current version that Cassandra uses is from 2018.

[jira] [Comment Edited] (CASSANDRA-18645) Upgrade guava on trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-18645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739239#comment-17739239 ]

Ekaterina Dimitrova edited comment on CASSANDRA-18645 at 6/30/23 10:37 PM:

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most Guava users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases?page=2] before pushing this for review.

was (Author: e.dimitrova):

We must remove the exclusion of failureaccess - Guava InternalFutureFailureAccess and InternalFuturesContains.

com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they were moved to a separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).

I did a quick preliminary run in CI a few weeks ago when I realized Guava added JDK17 - [https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra?branch=test-guava].

I do not see any failures, but I am not surprised because, in newer Guava versions, there is a promise for no breakages in API, even if a method is deprecated.

I have to finish next week the review of the Guava [release notes|https://github.com/google/guava/releases?page=2] before pushing this for review.

> Upgrade guava on trunk
> ----------------------
>
>                 Key: CASSANDRA-18645
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18645
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Ekaterina Dimitrova
>            Assignee: Ekaterina Dimitrova
>            Priority: Normal
>              Labels: Dependency
>             Fix For: 5.x
>
>
> Recently guava added JDK17 in CI and fixed some bugs down the road.
> Upgrading before the major 5.0 release is something we should do.
> Also, the current version that Cassandra uses is from 2018.