Re: Can we upgrade Guava to the same version as master on 3.11 branch?
So far no opinion for or against the guava upgrade. Would someone review my change if I create a PR for this? Jeff, thank you for checking. On Fri, Feb 28, 2020 at 12:21 PM Jeff Jirsa wrote: > > This isn't an opinion for or against upgrading guava, just a note that the > two classes mentioned in that vulnerability are not actually in the > codebase: > > jjirsa:cassandra jjirsa$ git checkout cassandra-3.11 > Checking out files: 100% (3212/3212), done.) > Switched to branch 'cassandra-3.11' > Your branch is up to date with 'origin/cassandra-3.11'. > jjirsa:cassandra jjirsa$ grep -r CompoundOrdering src/ > jjirsa:cassandra jjirsa$ grep -r AtomicDoubleArray src/ > jjirsa:cassandra jjirsa$ > > > > On Fri, Feb 28, 2020 at 7:33 AM Tomo Suzuki > wrote: > > > Hi Cassandra developers, > > > > Today I learned that Guava 18 has "severe" vulnerability [1,2]. As per > > code freezing, Cassandra 3.11 still accepts security related PRs. > > Will Cassandra team accept a pull request to upgrade Guava in 3.11 > > [3], if I create one? > > > > [1]: https://search.maven.org/artifact/com.google.guava/guava/18.0/bundle > > [2]: > > https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0 > > [3]: https://issues.apache.org/jira/browse/CASSANDRA-15453 > > > > On Mon, Dec 16, 2019 at 12:45 PM Tomo Suzuki wrote: > > > > > > Russell, > > > > > > That's great to hear. Then I'll wait for Cassandra 4 release for now. > > > In the meantime, I found an outdated dependency in Cassandra. Ticketed > > > [1]. > > > > > > [1]: CASSANDRA-15455 Upgrade com.carrotsearch:hppc dependency > > > > > > > > > On Mon, Dec 16, 2019 at 12:08 AM Russell Spitzer > > > wrote: > > > > > > > > The hadoop formats should be compatible with any Cassandra version > > > > regardless of which Cassandra-all you include since they communicate > > with > > > > the driver under the hood and not Cassandra internal libraries. This > > means > > > > you should feel free to use Cassandra 4 in your integration without > > fear of > > > > losing backwards compatibility. In fact it should be able to speak to > > > > Cassandra 2.x as well. > > > > > > > > On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki > > > > > > wrote: > > > > > > > > > Hi Russell, > > > > > > > > > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test > > > > > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade > > Guava > > > > > version. Added this information to the ticket. > > > > > > > > > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/ > > > > > [2]: > > > > > > > https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928 > > > > > > > > > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer > > > > > wrote: > > > > > > > > > > > > Why does the beam integration rely on Cassandra all, does it use > > the > > > > > hadoop > > > > > > formats? > > > > > > > > > > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki > > > > > > > > wrote: > > > > > > > > > > > > > Hi Cassandra developers, > > > > > > > > > > > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) > > into > > > > > > > 3.11 branch, so that cassandra-all:3.11.X works with higher > > version of > > > > > > > Guava. > > > > > > > I just created a ticket > > > > > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > > > > > > > background. > > > > > > > > > > > > > > Before committing anything, I'd like to hear any opinion on the > > > > > > > backporting. What do you think? > > > > > > > > > > > > > > Regards, > > > > > > > Tomo > > > > > > > > > > > > > > > > - > > > > > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > > > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Regards, > > > > > Tomo > > > > > > > > > > - > > > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > > > > > > > > > > > > > -- > > > Regards, > > > Tomo > > > > > > > > -- > > Regards, > > Tomo > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > -- Regards, Tomo - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Can we upgrade Guava to the same version as master on 3.11 branch?
Hi Cassandra developers, Today I learned that Guava 18 has "severe" vulnerability [1,2]. As per code freezing, Cassandra 3.11 still accepts security related PRs. Will Cassandra team accept a pull request to upgrade Guava in 3.11 [3], if I create one? [1]: https://search.maven.org/artifact/com.google.guava/guava/18.0/bundle [2]: https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0 [3]: https://issues.apache.org/jira/browse/CASSANDRA-15453 On Mon, Dec 16, 2019 at 12:45 PM Tomo Suzuki wrote: > > Russell, > > That's great to hear. Then I'll wait for Cassandra 4 release for now. > In the meantime, I found an outdated dependency in Cassandra. Ticketed > [1]. > > [1]: CASSANDRA-15455 Upgrade com.carrotsearch:hppc dependency > > > On Mon, Dec 16, 2019 at 12:08 AM Russell Spitzer > wrote: > > > > The hadoop formats should be compatible with any Cassandra version > > regardless of which Cassandra-all you include since they communicate with > > the driver under the hood and not Cassandra internal libraries. This means > > you should feel free to use Cassandra 4 in your integration without fear of > > losing backwards compatibility. In fact it should be able to speak to > > Cassandra 2.x as well. > > > > On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki > > wrote: > > > > > Hi Russell, > > > > > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test > > > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava > > > version. Added this information to the ticket. > > > > > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/ > > > [2]: > > > https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928 > > > > > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer > > > wrote: > > > > > > > > Why does the beam integration rely on Cassandra all, does it use the > > > hadoop > > > > formats? > > > > > > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki > > > > wrote: > > > > > > > > > Hi Cassandra developers, > > > > > > > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into > > > > > 3.11 branch, so that cassandra-all:3.11.X works with higher version of > > > > > Guava. > > > > > I just created a ticket > > > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > > > > > background. > > > > > > > > > > Before committing anything, I'd like to hear any opinion on the > > > > > backporting. What do you think? > > > > > > > > > > Regards, > > > > > Tomo > > > > > > > > > > - > > > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > > > > > > > > > > > > > -- > > > Regards, > > > Tomo > > > > > > - > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > -- > Regards, > Tomo -- Regards, Tomo - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Can we upgrade Guava to the same version as master on 3.11 branch?
Russell, That's great to hear. Then I'll wait for Cassandra 4 release for now. In the meantime, I found an outdated dependency in Cassandra. Ticketed [1]. [1]: CASSANDRA-15455 Upgrade com.carrotsearch:hppc dependency On Mon, Dec 16, 2019 at 12:08 AM Russell Spitzer wrote: > > The hadoop formats should be compatible with any Cassandra version > regardless of which Cassandra-all you include since they communicate with > the driver under the hood and not Cassandra internal libraries. This means > you should feel free to use Cassandra 4 in your integration without fear of > losing backwards compatibility. In fact it should be able to speak to > Cassandra 2.x as well. > > On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki > wrote: > > > Hi Russell, > > > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test > > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava > > version. Added this information to the ticket. > > > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/ > > [2]: > > https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928 > > > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer > > wrote: > > > > > > Why does the beam integration rely on Cassandra all, does it use the > > hadoop > > > formats? > > > > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki > > > wrote: > > > > > > > Hi Cassandra developers, > > > > > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into > > > > 3.11 branch, so that cassandra-all:3.11.X works with higher version of > > > > Guava. > > > > I just created a ticket > > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > > > > background. > > > > > > > > Before committing anything, I'd like to hear any opinion on the > > > > backporting. What do you think? > > > > > > > > Regards, > > > > Tomo > > > > > > > > - > > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > > > > > > > -- > > Regards, > > Tomo > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > -- Regards, Tomo - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Can we upgrade Guava to the same version as master on 3.11 branch?
The hadoop formats should be compatible with any Cassandra version regardless of which Cassandra-all you include since they communicate with the driver under the hood and not Cassandra internal libraries. This means you should feel free to use Cassandra 4 in your integration without fear of losing backwards compatibility. In fact it should be able to speak to Cassandra 2.x as well. On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki wrote: > Hi Russell, > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava > version. Added this information to the ticket. > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/ > [2]: > https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928 > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer > wrote: > > > > Why does the beam integration rely on Cassandra all, does it use the > hadoop > > formats? > > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki > > wrote: > > > > > Hi Cassandra developers, > > > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into > > > 3.11 branch, so that cassandra-all:3.11.X works with higher version of > > > Guava. > > > I just created a ticket > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > > > background. > > > > > > Before committing anything, I'd like to hear any opinion on the > > > backporting. What do you think? > > > > > > Regards, > > > Tomo > > > > > > - > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > > > > > > > -- > Regards, > Tomo > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > >
Re: Can we upgrade Guava to the same version as master on 3.11 branch?
Hi Russell, Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava version. Added this information to the ticket. [1]: https://beam.apache.org/documentation/io/built-in/hadoop/ [2]: https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928 On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer wrote: > > Why does the beam integration rely on Cassandra all, does it use the hadoop > formats? > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki > wrote: > > > Hi Cassandra developers, > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into > > 3.11 branch, so that cassandra-all:3.11.X works with higher version of > > Guava. > > I just created a ticket > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > > background. > > > > Before committing anything, I'd like to hear any opinion on the > > backporting. What do you think? > > > > Regards, > > Tomo > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > > For additional commands, e-mail: dev-h...@cassandra.apache.org > > > > -- Regards, Tomo - To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org For additional commands, e-mail: dev-h...@cassandra.apache.org
Re: Can we upgrade Guava to the same version as master on 3.11 branch?
Why does the beam integration rely on Cassandra all, does it use the hadoop formats? On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki wrote: > Hi Cassandra developers, > > I want to backport the Guava version upgrade (CASSANDRA-15248) into > 3.11 branch, so that cassandra-all:3.11.X works with higher version of > Guava. > I just created a ticket > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining > background. > > Before committing anything, I'd like to hear any opinion on the > backporting. What do you think? > > Regards, > Tomo > > - > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org > For additional commands, e-mail: dev-h...@cassandra.apache.org > >