[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management

2022-07-27 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571860#comment-17571860 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton closed pull request #2609: DRILL-8267: Remove commons-configuration dependency management
URL: https://github.com/apache/drill/pull/2609




> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management

2022-07-22 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569830#comment-17569830 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on PR #2609:
URL: https://github.com/apache/drill/pull/2609#issuecomment-1192225931

   @pjfanning are you happy to close this one?




> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.





[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management

2022-07-21 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569294#comment-17569294 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926359954


##
pom.xml:
##
@@ -1984,17 +1983,6 @@
 xercesImpl
 ${xerces.version}
   
-  
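Review bot: as rendered, this hunk shows only the two context lines (`xercesImpl`, `${xerces.version}`) and a single empty removed line, while the header `@@ -1984,17 +1983,6 @@` accounts for 11 removed lines; the removed dependencyManagement entry itself is not visible here. The PR description should state exactly which managed block is removed and whether it carried the commons-logging exclusion that vdiravka identifies as one purpose of this management, since a mvn build that passes Drill's ban on commons-logging is the check the thread relies on to confirm nothing slips onto the classpath.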

Review Comment:
   Okay @pjfanning, based on @vdiravka's comments I think this dependency 
management is helping (to keep commons-logging out) and not hurting, so we 
should probably just leave it as it is.





> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.





[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management

2022-07-21 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569285#comment-17569285 ]

ASF GitHub Bot commented on DRILL-8267:
---

vdiravka commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926320649


##
pom.xml:
##
@@ -1984,17 +1983,6 @@
 xercesImpl
 ${xerces.version}
   
-  

Review Comment:
   This management is for two purposes:
   1. Per commit DRILL-7713, I understand the dependency was added to remove a 
vulnerability from the transitive dependencies.
   2. To avoid using `commons-logging` as a dependency. 
https://github.com/apache/commons-configuration/blob/master/pom.xml#L301
   
   In case we are sure the `commons-configuration` dependency is 
[1.10](https://github.com/apache/phoenix-omid/blob/ba43c8e1d73543fafa102c57af79516c4dc88860/pom.xml#L175)
 or a newer version in Drill after removing this management and `commons-logging` 
is not used (a successful mvn build is enough for this, because 
[commons-logging](https://github.com/apache/drill/blob/master/pom.xml#L663) is 
banned in Drill), we can remove this management.
   The other question is: do we really need it?! It is possible that in future a new 
dependency will have `commons-configuration` as a transitive dependency and we 
will face the same issues, but now they are solved.





> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.





[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management

2022-07-20 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17568887#comment-17568887 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r925256805


##
pom.xml:
##
@@ -1984,17 +1983,6 @@
 xercesImpl
 ${xerces.version}
   
-  

Review Comment:
   Note that what we're doing here is removing the _management_ of a dependency 
from the dependencyManagement element, not removing any dependency itself. If I 
look at a Drill installation then I see that we don't ship 
commons-configuration, only commons-configuration2.
   ```
   ➜  ~ ls /opt/apache-drill-1.20.1/jars/3rdparty/commons-conf* 
   
   /opt/apache-drill-1.20.1/jars/3rdparty/commons-configuration2-2.1.1.jar
   ```
   If I then look at `mvn dependency:tree` I see that the Phoenix storage 
plugin is the one place where we depend on commons-configuration via 
org.apache.phoenix:phoenix-core
   ```
   [INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
   [INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
   [INFO]\- org.apache.omid:omid-transaction-client:jar:1.0.2:test
   [INFO]   \- commons-configuration:commons-configuration:jar:1.10:test
   ```
   but the scope of dependency is _test_ which explains why 
commons-configuration is not to be found in a Drill installation.
   
   Bottom line: I don't think we do need to manage this dependency any more so 
I'm in favour of this change even though it has no impact, because it 
simplifies our beast of a pom. But the Jira and the PR descriptions should be 
adjusted to reflect what's happening: "Remove unneeded management of 
commons-configuration which only appears in test scope for storage-phoenix" or 
something.
   
   Let's also check in with @vdiravka about this change...





> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies. 
> Hadoop uses commons-configuration2 instead.



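One way to automate the two checks this thread relies on (jnturton's reading of `mvn dependency:tree` to see which scope commons-configuration lands in, and vdiravka's requirement that commons-logging must not be pulled in), as an added example that is not part of the PR or of the Drill code base: a small POSIX shell script that parses `mvn dependency:tree` output and reports the Maven scopes in which a groupId:artifactId appears. The tree text is a constructed sample: its first four lines mirror the phoenix chain quoted in the discussion, while the `example.invented` module and its compile-scope commons-logging dependency are made up to show the contrasting case. The function names are assumptions; in practice the output of `mvn dependency:tree` is fed to them instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the Drill PR: report the Maven scopes in which a
# groupId:artifactId occurs in `mvn dependency:tree` output, so a reviewer can
# separate "present only in test scope" from "shipped on the runtime classpath".

# Constructed sample of dependency:tree output. The first four lines mirror the
# phoenix chain quoted in the PR discussion; the example.invented module and its
# compile-scope commons-logging dependency are made up to show the other case.
SAMPLE_TREE='[INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
[INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
[INFO]    \- org.apache.omid:omid-transaction-client:jar:1.0.2:test
[INFO]       \- commons-configuration:commons-configuration:jar:1.10:test
[INFO] example.invented:some-module:jar:0.0.1
[INFO] +- example.invented:other-lib:jar:1.0:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile (optional)'

# artifact_scopes TREE_TEXT groupId:artifactId
# Prints the distinct scopes (space separated) in which the artifact appears,
# or nothing when it is absent from the tree. The trailing "(optional)" marker
# that dependency:tree appends to optional dependencies is stripped first.
artifact_scopes() {
  tree_text=$1
  coord=$2
  printf '%s\n' "$tree_text" \
    | grep -F -- "$coord:" \
    | sed -E 's/ \(optional\)$//' \
    | sed -E 's/.*:([a-z]+)$/\1/' \
    | sort -u \
    | tr '\n' ' ' \
    | sed 's/ $//'
}

# only_test_scoped TREE_TEXT groupId:artifactId
# Exit 0 when every occurrence is test-scoped (the artifact is not shipped),
# 1 when some occurrence reaches a non-test scope, 2 when it does not appear.
only_test_scoped() {
  scopes=$(artifact_scopes "$1" "$2")
  [ -n "$scopes" ] || return 2
  for s in $scopes; do
    [ "$s" = test ] || return 1
  done
  return 0
}

# Stand-alone run: show the result for the two artifacts this thread cares about.
for coord in commons-configuration:commons-configuration commons-logging:commons-logging; do
  printf '%-45s scopes: %s\n' "$coord" "$(artifact_scopes "$SAMPLE_TREE" "$coord")"
done
```

`only_test_scoped` gives a three-way answer (absent, test-only, or reaching a non-test scope) so that it can sit in a build check next to an enforcer ban: a banned artifact that appears only in test scope explains, as jnturton observed, why it is missing from the installed `jars/3rdparty` directory, while any compile or runtime occurrence is the case a ban is meant to catch.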