Posted to common-issues@hadoop.apache.org by "Matt Foley (JIRA)" <ji...@apache.org> on 2016/08/08 17:14:20 UTC

[jira] [Commented] (HADOOP-13382) remove unneeded commons-httpclient dependencies from POM files in Hadoop and sub-projects

    [ https://issues.apache.org/jira/browse/HADOOP-13382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15412097#comment-15412097 ] 

Matt Foley commented on HADOOP-13382:
-------------------------------------

[~steve_l]: sorry.  Fixed in 2.8.0.
[~gsaha]: It is true that other projects with undeclared transitive dependencies on commons-httpclient, previously provided via hadoop-common or hadoop-client, may find this to be an incompatible change.  Of course that also means such a project is exposed to the commons-httpclient CVE, and needs to be fixed for that reason as well.  Will update the Description to note this.  Thanks for setting the appropriate flags in the jira.

> remove unneeded commons-httpclient dependencies from POM files in Hadoop and sub-projects
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13382
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13382
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 2.8.0
>            Reporter: Matt Foley
>            Assignee: Matt Foley
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-13382-branch-2.000.patch, HADOOP-13382-branch-2.8.000.patch, HADOOP-13382.000.patch
>
>
> In branch-2.8 and later, the patches for various child and related bugs listed in HADOOP-10105, most recently including HADOOP-11613, HADOOP-12710, HADOOP-12711, HADOOP-12552, and HDFS-10623, eliminate all use of "commons-httpclient" from Hadoop and its sub-projects (except for hadoop-tools/hadoop-openstack; see HADOOP-11614).
> However, after incorporating these patches, "commons-httpclient" is still listed as a dependency in these POM files:
> * hadoop-project/pom.xml
> * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/pom.xml
> We wish to remove these, but since commons-httpclient is still used in many files in hadoop-tools/hadoop-openstack, we'll need to _add_ the dependency to
> * hadoop-tools/hadoop-openstack/pom.xml
> (We'll add a note to HADOOP-11614 to undo this when commons-httpclient is removed from hadoop-openstack.)
> In 2.8, this was mostly done by HADOOP-12552, but the version info formerly inherited from hadoop-project/pom.xml also needs to be added, so that is in the branch-2.8 version of the patch.
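
Added example, not part of the original message or of the Hadoop code base: a check a downstream project can run to see whether it imports commons-httpclient classes while relying on Hadoop to supply the jar transitively, the situation the comment above describes. The POM, the source file names and the `${commons-httpclient.version}` property are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

COORD = ("commons-httpclient", "commons-httpclient")  # groupId, artifactId
# commons-httpclient 3.x classes live under org.apache.commons.httpclient
IMPORT_RE = re.compile(
    r"^\s*import\s+(?:static\s+)?org\.apache\.commons\.httpclient\b", re.M)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace, if any

def declares_httpclient(pom_xml):
    """True if the POM lists commons-httpclient as a direct dependency."""
    root = ET.fromstring(pom_xml)
    # Only <project>/<dependencies> counts: <dependencyManagement> pins a
    # version but does not put the jar on the classpath.
    for deps in (c for c in root if _local(c.tag) == "dependencies"):
        for dep in deps:
            f = {_local(c.tag): (c.text or "").strip() for c in dep}
            if (f.get("groupId"), f.get("artifactId")) == COORD:
                return True
    return False

def undeclared_users(pom_xml, sources):
    """Source paths that import commons-httpclient without a declared dependency."""
    if declares_httpclient(pom_xml):
        return []
    return sorted(p for p, text in sources.items() if IMPORT_RE.search(text))

# Constructed sample input (hypothetical downstream project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies><dependency>
    <groupId>commons-httpclient</groupId>
    <artifactId>commons-httpclient</artifactId>
    <version>${commons-httpclient.version}</version>
  </dependency></dependencies></dependencyManagement>
  <dependencies><dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-client</artifactId>
  </dependency></dependencies>
</project>"""
SAMPLE_SOURCES = {
    "src/main/java/example/Fetcher.java":
        "package example;\nimport org.apache.commons.httpclient.HttpClient;\n",
    "src/main/java/example/Other.java":
        "package example;\nimport org.apache.http.client.HttpClient;\n",
}

if __name__ == "__main__":
    for path in undeclared_users(SAMPLE_POM, SAMPLE_SOURCES):
        print("undeclared commons-httpclient use:", path)
```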


