Posted to dev@accumulo.apache.org by Logan Jones <lo...@codescratch.com> on 2023/02/24 20:56:47 UTC

Libthrift Update

Hello:

Is there any chance that Accumulo 1.10 could get a libthrift update? There
are several security vulnerabilities with the current version of libthrift
(0.9.3-1), and I wasn't sure if this is something we could actually
accomplish in 1.10.

- Logan

Re: Libthrift Update

Posted by Christopher <ct...@apache.org>.
You would need to upgrade both.

On Sat, Feb 25, 2023, 07:08 Logan Jones <lo...@codescratch.com> wrote:

> Christopher,
>
> Understood. For an Accumulo upgrade, do I need to upgrade clients and
> servers simultaneously? Or are the 1.10 clients compatible with 2.1
> servers?
>
> -Logan
>
> On Sat, Feb 25, 2023 at 4:48 AM Christopher <ct...@apache.org> wrote:
>
> > Thrift makes a lot of breaking changes between releases. It is not a simple
> > operation to bump it. We have already made the change to do it and included
> > updates in 2.0 and 2.1. 1.10 is the legacy version that is to remain stable
> > until it is EOL in November. If libthrift bugs are a concern to you, I
> > advise upgrading to 2.1. Upgrading to 2.1 is a much easier jump than
> > putting in lots of development hours to bump it in a 1.10 release, which
> > you'd have to upgrade to anyway. If you're going to upgrade anyway, just go
> > to 2.1 which already has the updates you want.
> >
> > On Fri, Feb 24, 2023, 15:57 Logan Jones <lo...@codescratch.com> wrote:
> >
> > > Hello:
> > >
> > > Is there any chance that Accumulo 1.10 could get a libthrift update? There
> > > are several security vulnerabilities with the current version of libthrift
> > > (0.9.3-1), and I wasn't sure if this is something we could actually
> > > accomplish in 1.10.
> > >
> > > - Logan
> > >
> >
>

Re: Libthrift Update

Posted by Logan Jones <lo...@codescratch.com>.
Christopher,

Understood. For an Accumulo upgrade, do I need to upgrade clients and
servers simultaneously? Or are the 1.10 clients compatible with 2.1 servers?

-Logan

On Sat, Feb 25, 2023 at 4:48 AM Christopher <ct...@apache.org> wrote:

> Thrift makes a lot of breaking changes between releases. It is not a simple
> operation to bump it. We have already made the change to do it and included
> updates in 2.0 and 2.1. 1.10 is the legacy version that is to remain stable
> until it is EOL in November. If libthrift bugs are a concern to you, I
> advise upgrading to 2.1. Upgrading to 2.1 is a much easier jump than
> putting in lots of development hours to bump it in a 1.10 release, which
> you'd have to upgrade to anyway. If you're going to upgrade anyway, just go
> to 2.1 which already has the updates you want.
>
> On Fri, Feb 24, 2023, 15:57 Logan Jones <lo...@codescratch.com> wrote:
>
> > Hello:
> >
> > Is there any chance that Accumulo 1.10 could get a libthrift update? There
> > are several security vulnerabilities with the current version of libthrift
> > (0.9.3-1), and I wasn't sure if this is something we could actually
> > accomplish in 1.10.
> >
> > - Logan
> >
>

Re: Libthrift Update

Posted by Christopher <ct...@apache.org>.
Thrift makes a lot of breaking changes between releases. It is not a simple
operation to bump it. We have already made the change to do it and included
updates in 2.0 and 2.1. 1.10 is the legacy version that is to remain stable
until it is EOL in November. If libthrift bugs are a concern to you, I
advise upgrading to 2.1. Upgrading to 2.1 is a much easier jump than
putting in lots of development hours to bump it in a 1.10 release, which
you'd have to upgrade to anyway. If you're going to upgrade anyway, just go
to 2.1 which already has the updates you want.

On Fri, Feb 24, 2023, 15:57 Logan Jones <lo...@codescratch.com> wrote:

> Hello:
>
> Is there any chance that Accumulo 1.10 could get a libthrift update? There
> are several security vulnerabilities with the current version of libthrift
> (0.9.3-1), and I wasn't sure if this is something we could actually
> accomplish in 1.10.
>
> - Logan
>