[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management
[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571860#comment-17571860 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton closed pull request #2609: DRILL-8267: Remove commons-configuration dependency management
URL: https://github.com/apache/drill/pull/2609

> Remove commons-configuration dependency management
> --
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies.
> Hadoop uses commons-configuration2 instead.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management
[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569830#comment-17569830 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on PR #2609:
URL: https://github.com/apache/drill/pull/2609#issuecomment-1192225931

   @pjfanning are you happy to close this one?
[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management
[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569294#comment-17569294 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926359954

## pom.xml:
##
@@ -1984,17 +1983,6 @@ xercesImpl ${xerces.version} -

Review Comment:
   Okay @pjfanning, based on @vdiravka's comments I think this dependency management is helping (to keep commons-logging out) and not hurting, so we should probably just leave it as it is.
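Review bot: only the hunk header and a single removed line survive in this view, so the 11 lines the header says were dropped after the xercesImpl entry (17 lines becoming 6) cannot be reviewed here; since the thread gives keeping commons-logging out of the transitive graph as the purpose of that dependencyManagement entry, a decision to remove it should be backed by a full build with the existing commons-logging ban in Drill's pom still active, and if the entry is kept instead, a short comment next to it in pom.xml stating that purpose would stop the next reader from opening the same PR.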
[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management
[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17569285#comment-17569285 ]

ASF GitHub Bot commented on DRILL-8267:
---

vdiravka commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926320649

## pom.xml:
##
@@ -1984,17 +1983,6 @@ xercesImpl ${xerces.version} -

Review Comment:
   This management is for two purposes:
   1. Per commit DRILL-7713 I understand the dependency was added to remove a vulnerability from the transitive dependencies.
   2. To avoid using `commons-logging` as a dependency. https://github.com/apache/commons-configuration/blob/master/pom.xml#L301

   In case we are sure the `commons-configuration` dependency is [1.10](https://github.com/apache/phoenix-omid/blob/ba43c8e1d73543fafa102c57af79516c4dc88860/pom.xml#L175) or a newer version in Drill after removing this management and `commons-logging` is not used (a successful mvn build is enough for this, because [commons-logging](https://github.com/apache/drill/blob/master/pom.xml#L663) is banned in Drill), we can remove this management.

   The other question: do we really need it?! It is possible in future the new dependency will have `commons-configuration` as a transitive dependency and we will face the same issues, but now they are solved.
[jira] [Commented] (DRILL-8267) Remove commons-configuration dependency management
[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17568887#comment-17568887 ]

ASF GitHub Bot commented on DRILL-8267:
---

jnturton commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r925256805

## pom.xml:
##
@@ -1984,17 +1983,6 @@ xercesImpl ${xerces.version} -

Review Comment:
   Note that what we're doing here is removing the _management_ of a dependency from the dependencyManagement element, not removing any dependency itself.

   If I look at a Drill installation then I see that we don't ship commons-configuration, only commons-configuration2.

   ```
   ➜ ~ ls /opt/apache-drill-1.20.1/jars/3rdparty/commons-conf*
   /opt/apache-drill-1.20.1/jars/3rdparty/commons-configuration2-2.1.1.jar
   ```

   If I then look at `mvn dependency:tree` I see that the Phoenix storage plugin is the one place where we depend on commons-configuration, via org.apache.phoenix:phoenix-core:

   ```
   [INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
   [INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
   [INFO]    \- org.apache.omid:omid-transaction-client:jar:1.0.2:test
   [INFO]       \- commons-configuration:commons-configuration:jar:1.10:test
   ```

   but the scope of the dependency is _test_, which explains why commons-configuration is not to be found in a Drill installation.

   Bottom line: I don't think we do need to manage this dependency any more, so I'm in favour of this change even though it has no impact, because it simplifies our beast of a pom. But the Jira and the PR descriptions should be adjusted to reflect what's happening: "Remove unneeded management of commons-configuration which only appears in test scope for storage-phoenix" or something. Let's also check in with @vdiravka about this change...
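The scope check jnturton performs by eye above, as an added example that is not part of the PR thread or of Drill's own tooling: a POSIX shell script that parses captured `mvn dependency:tree` output and reports the version and Maven scope of every occurrence of a given artifact, then answers whether any occurrence reaches the runtime classpath. The first sample tree is constructed from the lines quoted in the comment; the second adds a hypothetical `example.hypothetical:some-connector` entry (not a real Drill dependency) to show the case where the artifact would actually ship.

```shell
#!/bin/sh
# Added example, not code from the Drill PR: parse `mvn dependency:tree` output
# and report where an artifact appears and in which scope, so a claim such as
# "this only shows up in test scope" can be checked mechanically.

# Constructed sample 1: the tree quoted in the PR thread (test scope only).
SAMPLE_TREE_TEST_ONLY='[INFO] org.apache.drill.contrib:drill-storage-phoenix:jar:2.0.0-SNAPSHOT
[INFO] \- org.apache.phoenix:phoenix-core:jar:tests:5.1.2:test
[INFO]    \- org.apache.omid:omid-transaction-client:jar:1.0.2:test
[INFO]       \- commons-configuration:commons-configuration:jar:1.10:test'

# Constructed sample 2: same tree plus a hypothetical compile-scope path
# (example.hypothetical:some-connector is invented for this example).
SAMPLE_TREE_SHIPS="$SAMPLE_TREE_TEST_ONLY
[INFO] +- example.hypothetical:some-connector:jar:0.1:compile
[INFO] |  \- commons-configuration:commons-configuration:jar:1.9:compile"

# dep_scopes TREE GROUP:ARTIFACT
# Prints one "version scope" line per occurrence of GROUP:ARTIFACT in TREE.
# Maven prints each node as the last whitespace-separated field, formatted
#   groupId:artifactId:type[:classifier]:version[:scope]
# (the root project line carries no scope).
dep_scopes() {
  printf '%s\n' "$1" | awk -v art="$2" '
    {
      n = split($NF, c, ":")
      if (n < 4 || (c[1] ":" c[2]) != art) next
      if (n >= 5) { version = c[n-1]; scope = c[n] }      # dependency node
      else        { version = c[n];   scope = "(root)" }  # the project itself
      print version, scope
    }'
}

# ships_at_runtime TREE GROUP:ARTIFACT
# Exit 0 if any occurrence is compile or runtime scope (the jar lands on the
# packaged classpath); exit 1 if every occurrence is test or provided scope.
ships_at_runtime() {
  dep_scopes "$1" "$2" | awk '
    $2 == "compile" || $2 == "runtime" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed samples.
report() {
  tree=$1; art=$2
  echo "== $art"
  dep_scopes "$tree" "$art"
  if ships_at_runtime "$tree" "$art"; then
    echo "-> reaches the runtime classpath (dependencyManagement still matters)"
  else
    echo "-> test/provided scope only (not shipped in the distribution)"
  fi
}

report "$SAMPLE_TREE_TEST_ONLY" commons-configuration:commons-configuration
report "$SAMPLE_TREE_SHIPS"     commons-configuration:commons-configuration

# Against a real checkout (not run here): capture the tree with
#   mvn dependency:tree > tree.txt
# and call ships_at_runtime "$(cat tree.txt)" commons-configuration:commons-configuration
```

The script treats `provided` like `test` because neither scope is packaged into the distribution's jar directory, which is the property the thread cares about. It does not replace the commons-logging ban the thread refers to; that is a separate Maven Enforcer rule in Drill's pom, and a full build remains the check for it.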