Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/01/28 16:43:48 UTC

[GitHub] [nifi] joewitt commented on pull request #5724: NIFI-9585: Upgrade H2 to 2.1.210

joewitt commented on pull request #5724:
URL: https://github.com/apache/nifi/pull/5724#issuecomment-1024402198


   So ... this is great because we needed NiFi to move to H2 version 2 anyway.  And registry.  However, we simply cannot have such a disruptive process.  We're not truly exposed to the H2 vulnerabilities in question that we know of anyway so we can and should try to do more for the users here.
   
   For NiFi, H2 usage is for audit data and auth stuff. For auth it is fairly transient, meaning users can just log in again after the upgrade if we lost the data.  For the audit data we can say they'll lose it.  But let's try to do better.  Let's try to have the old h2 lib when we detect the old format.  It would dump out the SQL statements/export of the old db.  Then it is off/done closed out.  Then we have new h2/v2 take over and import.  This should keep the users' stuff all happy/they lose nothing.  And while technically the h2 1.x jars are still present we can easily declare we don't expose the vulnerability.  Later we can delete it entirely such as at a major version change (nifi 2.x).
   
   For the registry..well...we gotta make it seamless like the above.
   
   So unfortunately I think we need to do a good bit more work here.  This as is simply causes too much disruption for users.  A toolkit option is also viable but introduces considerable additional complexity that we usually reserve for major upgrades.
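
The "detect the old format" step proposed in the comment above, sketched as an added example; it is not part of the comment and not NiFi's or H2's code. It assumes the database is an MVStore `.mv.db` file whose first two 4096-byte blocks each start with a `key:value` header line carrying a `format` field, and that H2 1.4.x writes format 1 while H2 2.1.x writes format 2; all function names are hypothetical.

```python
import tempfile
from pathlib import Path

BLOCK_SIZE = 4096      # assumption: the header is repeated in each of the first two blocks
NEW_WRITE_FORMAT = 2   # assumption: H2 1.4.x writes format 1, H2 2.1.x writes format 2


def parse_header(block: bytes) -> dict:
    """Parse the 'key:value,key:value' line at the start of an MVStore block."""
    line = block.split(b"\n", 1)[0].decode("latin-1")
    if not line.startswith("H:2,"):
        raise ValueError("no MVStore header in this block")
    return dict(pair.split(":", 1) for pair in line.split(",") if ":" in pair)


def write_format(db_file: Path) -> int:
    """Return the 'format' field, falling back to the second header copy.

    The header checksum is not verified here; this only reads the field.
    """
    with db_file.open("rb") as fh:
        blocks = [fh.read(BLOCK_SIZE), fh.read(BLOCK_SIZE)]
    for block in blocks:
        try:
            return int(parse_header(block)["format"], 16)  # header numbers are hex
        except (ValueError, KeyError):
            continue
    raise ValueError(f"{db_file}: not a readable MVStore (.mv.db) file")


def needs_export_import(db_file: Path) -> bool:
    """True when the file predates the new write format and must be migrated."""
    return write_format(db_file) < NEW_WRITE_FORMAT


def make_sample(path: Path, fmt: int) -> Path:
    """Constructed sample: two header blocks only, checksum value is made up."""
    header = f"H:2,block:2,blockSize:1000,chunk:1,created:17e0,format:{fmt},version:1,fletcher:0\n"
    path.write_bytes(header.encode("latin-1").ljust(BLOCK_SIZE, b"\0") * 2)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fmt in (1, 2):
            sample = make_sample(Path(tmp) / f"sample-v{fmt}.mv.db", fmt)
            print(sample.name, "needs export/import:", needs_export_import(sample))
```

A file that fails this check at all (neither header copy parses) should stop the upgrade rather than be treated as new-format, so the old data is never silently replaced.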

