You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@phoenix.apache.org by "James Taylor (JIRA)" <ji...@apache.org> on 2017/02/09 17:25:41 UTC
[jira] [Commented] (PHOENIX-3659) Remove transitive OWASP esapi
dependency
[ https://issues.apache.org/jira/browse/PHOENIX-3659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15859849#comment-15859849 ]
James Taylor commented on PHOENIX-3659:
---------------------------------------
Good catch, [~elserj]! Let's just bump our pom version to be at or above 1.1.6 and 1.2.3. I don't think that'll be an issue.
> Remove transitive OWASP esapi dependency
> ----------------------------------------
>
> Key: PHOENIX-3659
> URL: https://issues.apache.org/jira/browse/PHOENIX-3659
> Project: Phoenix
> Issue Type: Task
> Reporter: Josh Elser
> Priority: Blocker
>
> HBase accidentally let OWASP's ESAPI artifact slip into a few release which is not allowed (as there are GPL deps).
> This was resolved in 1.1.6 and 1.2.3. A trivial fix would be to upgrade the 1.1 and 1.2 branches to these versions, but I don't know if there are other implications to doing that..
> I'm not sure if there are runtime concerns if we just omit those dependencies. Would have to look at the suite of reverts that came in via HBASE-16317 to see if any of them would actually affect us in phoenix-landia.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)