Posted to dev@cassandra.apache.org by Tomo Suzuki <su...@google.com.INVALID> on 2020/02/28 15:33:02 UTC

Re: Can we upgrade Guava to the same version as master on 3.11 branch?

Hi Cassandra developers,

Today I learned that Guava 18 has a "severe" vulnerability [1,2]. As per
the code freeze, Cassandra 3.11 still accepts security-related PRs.
Will the Cassandra team accept a pull request to upgrade Guava in 3.11
[3], if I create one?

[1]: https://search.maven.org/artifact/com.google.guava/guava/18.0/bundle
[2]: https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
[3]: https://issues.apache.org/jira/browse/CASSANDRA-15453

On Mon, Dec 16, 2019 at 12:45 PM Tomo Suzuki <su...@google.com> wrote:
>
> Russell,
>
> That's great to hear. Then I'll wait for Cassandra 4 release for now.
> In the meantime, I found an outdated dependency in Cassandra. Ticketed
> [1].
>
> [1]: CASSANDRA-15455 Upgrade com.carrotsearch:hppc dependency
>
>
> On Mon, Dec 16, 2019 at 12:08 AM Russell Spitzer
> <ru...@gmail.com> wrote:
> >
> > The hadoop formats should be compatible with any Cassandra version
> > regardless of which Cassandra-all you include since they communicate with
> > the driver under the hood and not Cassandra internal libraries. This means
> > you should feel free to use Cassandra 4 in your integration without fear of
> > losing backwards compatibility. In fact it should be able to speak to
> > Cassandra 2.x as well.
> >
> > On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki <su...@google.com.invalid>
> > wrote:
> >
> > > Hi Russell,
> > >
> > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test
> > > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava
> > > version. Added this information to the ticket.
> > >
> > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/
> > > [2]:
> > > https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928
> > >
> > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer
> > > <ru...@gmail.com> wrote:
> > > >
> > > > Why does the beam integration rely on Cassandra all? Does it use the
> > > > hadoop formats?
> > > >
> > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki <su...@google.com.invalid>
> > > > wrote:
> > > >
> > > > > Hi Cassandra developers,
> > > > >
> > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into
> > > > > the 3.11 branch, so that cassandra-all:3.11.X works with a higher
> > > > > version of Guava.
> > > > > I just created a ticket
> > > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining the
> > > > > background.
> > > > >
> > > > > Before committing anything, I'd like to hear any opinion on the
> > > > > backporting. What do you think?
> > > > >
> > > > > Regards,
> > > > > Tomo
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: dev-unsubscribe@cassandra.apache.org
> > > > > For additional commands, e-mail: dev-help@cassandra.apache.org
> > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Tomo
> > >
> > >
> > >
>
>
>
> --
> Regards,
> Tomo



-- 
Regards,
Tomo



Re: Can we upgrade Guava to the same version as master on 3.11 branch?

Posted by Tomo Suzuki <su...@google.com.INVALID>.
So far no opinion for or against the guava upgrade.
Would someone review my change if I create a PR for this?

Jeff, thank you for checking.

On Fri, Feb 28, 2020 at 12:21 PM Jeff Jirsa <jj...@gmail.com> wrote:
>
> This isn't an opinion for or against upgrading guava, just a note that the
> two classes mentioned in that vulnerability are not actually in the
> codebase:
>
> jjirsa:cassandra jjirsa$ git checkout cassandra-3.11
> Checking out files: 100% (3212/3212), done.)
> Switched to branch 'cassandra-3.11'
> Your branch is up to date with 'origin/cassandra-3.11'.
> jjirsa:cassandra jjirsa$ grep -r CompoundOrdering src/
> jjirsa:cassandra jjirsa$ grep -r AtomicDoubleArray src/
> jjirsa:cassandra jjirsa$



-- 
Regards,
Tomo



Re: Can we upgrade Guava to the same version as master on 3.11 branch?

Posted by Jeff Jirsa <jj...@gmail.com>.
This isn't an opinion for or against upgrading guava, just a note that the
two classes mentioned in that vulnerability are not actually in the
codebase:

jjirsa:cassandra jjirsa$ git checkout cassandra-3.11
Checking out files: 100% (3212/3212), done.)
Switched to branch 'cassandra-3.11'
Your branch is up to date with 'origin/cassandra-3.11'.
jjirsa:cassandra jjirsa$ grep -r CompoundOrdering src/
jjirsa:cassandra jjirsa$ grep -r AtomicDoubleArray src/
jjirsa:cassandra jjirsa$



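Jeff's grep above is a reachability check: before spending a freeze exception on a dependency bump, does the project's own code actually reference the classes the advisory names? The script below is an added example, not code from the thread or from the Cassandra project. It makes that check repeatable and whole-word (so an identifier such as `myCompoundOrderingCount` is not counted as a hit) and runs it against a small source tree constructed in the script itself rather than against Cassandra's `src/`. The class names are the two cited in the thread; everything else (paths, file names, the `org.example` package) is made up for the demonstration. Its limit is the same as the manual grep: a class used only inside another shipped dependency never appears in `src/`, so a count of zero means the project's own sources do not call it, not that the class is absent from the runtime classpath.

```shell
#!/bin/sh
# Added example; not code from the thread or the Cassandra project. It turns
# the one-off check Jeff ran (grep -r <class> src/) into a repeatable gate:
# given the class names an advisory cites, report whether any .java file
# under a source tree references them. Whole-word matching (-w) keeps a
# near-miss such as "myCompoundOrderingCount" from counting as a hit.

# Succeeds (exit 0) if any .java file under $1 mentions class $2 as a whole
# word, by simple or fully-qualified name; fails (exit 1) otherwise.
references_class() {
    find "$1" -type f -name '*.java' -exec grep -lw -- "$2" {} + 2>/dev/null | grep -q .
}

# For each space-separated class name in $2: print REFERENCED / not found
# to stderr, print the number of referenced classes to stdout, and exit
# non-zero when that number is above zero (so it can fail a CI job).
check_advisory_classes() {
    src_dir=$1
    hits=0
    for cls in $2; do
        if references_class "$src_dir" "$cls"; then
            echo "REFERENCED  $cls" >&2
            hits=$((hits + 1))
        else
            echo "not found   $cls" >&2
        fi
    done
    echo "$hits"
    [ "$hits" -eq 0 ]
}

# Write a Java file under $1 that imports the fully-qualified class $2, to
# show what a real hit looks like (hypothetical file, constructed here).
add_reference() {
    mkdir -p "$1/org/example"
    printf 'import %s;\nclass Hit {}\n' "$2" > "$1/org/example/Hit.java"
}

# Constructed sample tree (not Cassandra's): uses Guava's Ordering and has a
# near-miss identifier, but references neither class the advisory names.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/org/example"
    cat > "$dir/src/org/example/Uses.java" <<'EOF'
import com.google.common.collect.Ordering;
class Uses { Ordering<String> o = Ordering.natural(); }
EOF
    cat > "$dir/src/org/example/NearMiss.java" <<'EOF'
class NearMiss { int myCompoundOrderingCount = 0; }
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed tree: both names report "not found"
# and the printed count is 0, matching the thread's result for src/.
DEMO=$(make_sample_tree)
check_advisory_classes "$DEMO/src" "CompoundOrdering AtomicDoubleArray"
rm -rf "$DEMO"
```

Run it against a real checkout as `check_advisory_classes path/to/src "CompoundOrdering AtomicDoubleArray"`; the non-zero exit on any hit is what makes it usable as a build gate. Pair it with a scan of the shipped jars (or a dependency-analysis tool) when the question is whether the class is reachable through other libraries on the classpath, which this source-only check cannot answer.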