You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by SG <si...@gmail.com> on 2022/06/16 08:33:02 UTC
[DISCUSS] Remove Druid dependency from Hive
Hello Everyone,The last commits related to druid were around early 2020[1]Since
then the version of Druid used by hive has remained the same 0.17.1[2]Druid
version 0.17.1 has a significant number of CVEs
<https://mvnrepository.com/artifact/org.apache.druid/druid/0.17.1> associated
with it and some of which allow remote code execution.If no one is
maintaining it or plan to do so in near future, Can we remove it from our
code?Thoughts?-Simhadri[1]
https://github.com/apache/hive/search?o=desc&q=druid&s=committer-date&type=commits
[2]
https://github.com/apache/hive/blob/0033675057a60d0a05a252854455e2b8835e89cc/pom.xml#L127
Re: [DISCUSS] Remove Druid dependency from Hive
Posted by Stamatis Zampetakis <za...@gmail.com>.
Hi Simhadri,
Thanks for starting this discussion Simhadri.
I am cc'ing the user list as well so that we have a better idea if there
are any active users.
Personally I am not that familiar with the Druid module.
* Is it currently broken?
* Do we have active tests?
* Does it need significant effort to update the Druid version?
Best,
Stamatis
On Thu, Jun 16, 2022 at 10:33 AM SG <si...@gmail.com> wrote:
> Hello Everyone,The last commits related to druid were around early
> 2020[1]Since
> then the version of Druid used by hive has remained the same 0.17.1[2]Druid
> version 0.17.1 has a significant number of CVEs
> <https://mvnrepository.com/artifact/org.apache.druid/druid/0.17.1>
> associated
> with it and some of which allow remote code execution.If no one is
> maintaining it or plan to do so in near future, Can we remove it from our
> code?Thoughts?-Simhadri[1]
>
> https://github.com/apache/hive/search?o=desc&q=druid&s=committer-date&type=commits
> [2]
>
> https://github.com/apache/hive/blob/0033675057a60d0a05a252854455e2b8835e89cc/pom.xml#L127
>
Re: [DISCUSS] Remove Druid dependency from Hive
Posted by Stamatis Zampetakis <za...@gmail.com>.
Hi Simhadri,
Thanks for starting this discussion Simhadri.
I am cc'ing the user list as well so that we have a better idea if there
are any active users.
Personally I am not that familiar with the Druid module.
* Is it currently broken?
* Do we have active tests?
* Does it need significant effort to update the Druid version?
Best,
Stamatis
On Thu, Jun 16, 2022 at 10:33 AM SG <si...@gmail.com> wrote:
> Hello Everyone,The last commits related to druid were around early
> 2020[1]Since
> then the version of Druid used by hive has remained the same 0.17.1[2]Druid
> version 0.17.1 has a significant number of CVEs
> <https://mvnrepository.com/artifact/org.apache.druid/druid/0.17.1>
> associated
> with it and some of which allow remote code execution.If no one is
> maintaining it or plan to do so in near future, Can we remove it from our
> code?Thoughts?-Simhadri[1]
>
> https://github.com/apache/hive/search?o=desc&q=druid&s=committer-date&type=commits
> [2]
>
> https://github.com/apache/hive/blob/0033675057a60d0a05a252854455e2b8835e89cc/pom.xml#L127
>