Re: CVE reports and process to completion

2023-09-19 Thread Stamatis Zampetakis
Many thanks to Ayush for volunteering! Anyone else?

Note that handling vulnerabilities is of utmost importance to an
Apache project. It is one of the four technical requirements
established by ASF [1]. If there are not enough PMC members to handle
CVEs the project can be taken down.

Best,
Stamatis

[1] https://www.apache.org/dev/project-requirements#technical

On Wed, Sep 13, 2023 at 11:11 AM Ayush Saxena  wrote:
>
> Hi Stamatis,
> Thanx for starting the thread, I can volunteer as well.
>
> -Ayush
>
> On Tue, 12 Sept 2023 at 13:43, Stamatis Zampetakis  wrote:
> >
> > Hey everyone,
> >
> > When someone discovers a potential security vulnerability for Hive (or
> > any other Apache project) they can opt to inform the PMC of the
> > project by following the ASF guidelines [1]. For Hive, the report
> > should be sent to secur...@hive.apache.org.
> >
> > Next, the PMC follows the steps outlined in [2] to process the report
> > and if it is deemed necessary release a fix for the vulnerability.
> >
> > In order to make the CVE process as smooth as possible and ensure that
> > CVE reports are addressed in a timely manner I would like to introduce
> > the notion of a "CVE mentor".
> >
> > The "CVE mentor" is the one responsible for bringing the reported CVE
> > to completion ensuring that the steps in [2] are followed. They are
> > the principal contact person between the reporter of the vulnerability
> > and the PMC and the one who leads the discussions. The triage and fix
> > can be done by the mentor or entrusted to a committer (ensuring of
> > course that everything remains private till a fix is officially
> > released). Given that we need to release a fix very soon after a
> > vulnerability is fixed the mentor may also need to act as the release
> > manager. Since the reports arrive in the private list the CVE mentor
> > should be someone that has access to the security list (all PMC and
> > few other individuals).
> >
> > However, for the idea to work we need a few people (preferably PMC) to
> > volunteer for the role of the "CVE mentor". Then the volunteers can
> > pick incoming CVE reports in a round robin fashion. Needless to say
> > that since I am the one proposing it, I would like to be part of the
> > list.
> >
> > Any additional thoughts or suggestions on how to improve this process
> > are very welcome. Also if you like the idea and want to volunteer
> > please reply to this email to add yourself to the list.
> >
> > Best,
> > Stamatis Zampetakis
> >
> > [1] https://www.apache.org/security/
> > [2] https://www.apache.org/security/committers.html#possible


Re: Alternatives to dependency on hive-exec?

2023-09-19 Thread Stamatis Zampetakis
Hey Chris,

Keep in mind that the core jar was removed some time ago [1, 2] so in
new releases (4.0.0 onwards) it will not be there.
I am not sure what integration you are trying to establish but it
would be definitely easier if you opt for something lighter like the
JDBC API and the Hive JDBC driver.

Shading in hive-exec is a real pain point [3] but not an easy one to get rid of.

Best,
Stamatis

[1] https://lists.apache.org/thread/yld75ltf9y8d9q3cow3xqlg0fqyj6mkg
[2] https://issues.apache.org/jira/browse/HIVE-25531
[3] https://issues.apache.org/jira/browse/HIVE-26220

On Tue, Sep 19, 2023 at 10:17 AM Christofer Dutz wrote:
>
> Hi all,
>
> ok … so it seems StackOverflow’s my friend.
> Seems adding a classifier of “core” to the dependency gets me an unshaded 
> version.
>
> Chris
>
> From: Christofer Dutz
> Date: Tuesday, 19 September 2023 at 09:19
> To: dev@hive.apache.org
> Subject: Alternatives to dependency on hive-exec?
> Hi all,
>
> I’m currently trying to manage all dependencies in the Apache IoTDB project.
> Here, for the Hive integration, a dependency on hive-exec is used.
> Unfortunately, this simply seems to be a big fat jar of all sorts of
> dependencies that we also use separately.
> This results in all sorts of dependencies being available twice and I would
> love to eliminate this.
>
> Do you have any suggestions as to how I could work without the hive-exec
> dependency? I have no problem with adding 10 dependencies instead.
> However, I spotted some shaded classes in org.apache.hive … are these
> available outside the hive-exec dependency?
>
> Chris


Re: Alternatives to dependency on hive-exec?

2023-09-19 Thread Christofer Dutz
Hi all,

ok … so it seems StackOverflow’s my friend.
Seems adding a classifier of “core” to the dependency gets me an unshaded 
version.

Chris

From: Christofer Dutz
Date: Tuesday, 19 September 2023 at 09:19
To: dev@hive.apache.org
Subject: Alternatives to dependency on hive-exec?
Hi all,

I’m currently trying to manage all dependencies in the Apache IoTDB project.
Here, for the Hive integration, a dependency on hive-exec is used.
Unfortunately, this simply seems to be a big fat jar of all sorts of
dependencies that we also use separately.
This results in all sorts of dependencies being available twice and I would
love to eliminate this.

Do you have any suggestions as to how I could work without the hive-exec
dependency? I have no problem with adding 10 dependencies instead.
However, I spotted some shaded classes in org.apache.hive … are these
available outside the hive-exec dependency?

Chris


Alternatives to dependency on hive-exec?

2023-09-19 Thread Christofer Dutz
Hi all,

I’m currently trying to manage all dependencies in the Apache IoTDB project.
Here, for the Hive integration, a dependency on hive-exec is used.
Unfortunately, this simply seems to be a big fat jar of all sorts of
dependencies that we also use separately.
This results in all sorts of dependencies being available twice and I would
love to eliminate this.

Do you have any suggestions as to how I could work without the hive-exec
dependency? I have no problem with adding 10 dependencies instead.
However, I spotted some shaded classes in org.apache.hive … are these
available outside the hive-exec dependency?

Chris
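The "dependencies available twice" problem described in this thread (a fat jar carrying plain or shade-relocated copies of libraries that are also declared directly) is worth checking mechanically, because the relocated copies are invisible to dependency scanners that only read the POM. The script below is an added example, not code from the thread or from the Hive or IoTDB projects: it indexes the `.class` entries of a set of jars and reports both exact duplicates and relocated copies (an entry whose path ends with another jar's full entry path). The jar names and class names are constructed in-memory samples, not real artifacts.

```python
import io
import zipfile
from collections import defaultdict

def build_two_jars():
    """Constructed sample (hypothetical jar names): fat jar with plain and relocated Guava copies."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in entries:
                zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()
    return {
        "fat-exec.jar": jar([
            "org/apache/hive/ql/Driver.class",
            "com/google/common/base/Joiner.class",                    # plain copy
            "org/apache/hive/com/google/common/base/Splitter.class",  # relocated copy
        ]),
        "guava.jar": jar([
            "com/google/common/base/Joiner.class",
            "com/google/common/base/Splitter.class",
        ]),
    }

def class_entries(jar_source):
    """jar_source is a file path or the jar's bytes; returns its .class entry paths."""
    src = jar_source if isinstance(jar_source, str) else io.BytesIO(jar_source)
    with zipfile.ZipFile(src) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]

def find_overlaps(jars):
    """jars: {jar name: path or bytes}. Returns (exact, relocated): exact maps a class
    path to the jars carrying it under the same name; relocated maps (jar, entry) to
    (other jar, entry) when the path ends with another jar's full entry (shade relocation)."""
    owners = defaultdict(set)
    for name, src in jars.items():
        for entry in class_entries(src):
            owners[entry].add(name)
    exact = {e: sorted(js) for e, js in owners.items() if len(js) > 1}
    relocated = {}
    for entry, js in owners.items():
        parts = entry.split("/")
        for i in range(1, len(parts)):  # every proper suffix at a '/' boundary
            suffix = "/".join(parts[i:])
            if suffix in owners:
                for jar in js:
                    for other in owners[suffix] - {jar}:
                        relocated[(jar, entry)] = (other, suffix)
    return exact, relocated
```

Pass real jar paths (for example everything `mvn dependency:copy-dependencies` places in a directory) as the dict values to run it against an actual classpath.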