Posted to dev@ignite.apache.org by Zhenya Stanilovsky <ar...@mail.ru.INVALID> on 2021/08/05 15:03:00 UTC

Re[2]: Google Guava in Ignite 3


Andrey, it seems we can use [1]; it helps us with point 1 in your comment, doesn't it?
 
[1]  https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html
 
>-1
>It is sad to say -1, as Guava has very useful stuff and it looks easier to
>add it as a dependency rather than copy-paste code. My concerns are:
>1. The original Bytecode module depends on 26.0-jre. Calcite depends on 29.0-jre.
>We may use some other version. A user might want to use one more
>version. So, I'd disagree that legalizing Guava will help with maintainability
>anyhow.
>2. Guava supports JDK-8. Is it possible to handle different
>versions of Guava in dependencies with JigSaw? What impact will
>potential future CVEs (and the current one) have with JigSaw?
>3. Guava has an unresolved CVE [1]. They just marked a vulnerable method as
>Deprecated and didn't actually fix it [2].
>[1]  https://github.com/google/guava/issues/4011
>[2]  https://github.com/google/guava/issues/4011
>
>On Thu, Aug 5, 2021 at 4:54 PM Konstantin Orlov < korlov@gridgain.com > wrote:
> 
>> +1, I considered it a necessary evil
>>
>> --
>> Regards,
>> Konstantin Orlov
>>
>>
>>
>> > On 5 Aug 2021, at 16:37, Alexei Scherbakov < alexey.scherbakoff@gmail.com > wrote:
>> >
>> > +1
>> >
>> > Thu, 5 Aug 2021 at 16:12, Alexander Polovtcev < alexpolovtcev@gmail.com >:
>> >
>> >> Hello, dear Igniters!
>> >>
>> >> I would like to discuss the possibility of using Guava
>> >> < https://github.com/google/guava > in Ignite 3. I know about the
>> >> restrictive policy of using it in Ignite 2, but I have the following reasons:
>> >>
>> >> 1. We are de-facto using it already as an implicit dependency, since the
>> >> Calcite module depends on it, and Calcite is going to stay for a while =)
>> >> 2. AFAIK, the "bytecode" module is copied into the codebase only to strip
>> >> Guava away from it. We can remove this module, which will improve the
>> >> maintainability of the project.
>> >> 3. We have some copy-paste of Guava code in the project. For example, see this
>> >> < https://github.com/apache/ignite-3/blob/main/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L136 >
>> >> and this
>> >> < https://github.com/apache/ignite-3/blob/main/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L428 >.
>> >> 4. Regarding security concerns, this report
>> >> < https://www.cvedetails.com/product/52274/Google-Guava.html?vendor_id=1224 >
>> >> shows no major vulnerability issues for the last three years.
>> >>
>> >> Taking these points into account, I propose to allow using Guava both in
>> >> production and test code and to add it as an explicit dependency.
>> >>
>> >> What do you think?
>> >>
>> >> --
>> >> With regards,
>> >> Aleksandr Polovtcev
>> >>
>> >
>> >
>> > --
>> >
>> > Best regards,
>> > Alexei Scherbakov
>>
>>
>--
>Best regards,
>Andrey V. Mashenkov 
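
The Maven mechanism linked as [1] in the message above, as an added example that is not part of the thread or of the Ignite 3 build: a pom.xml fragment (placed inside `<project>`) that excludes Calcite's transitive Guava, declares one pinned version, and fails the build if an artifact still resolves to two versions. The `${calcite.version}` and `${enforcer.version}` properties are placeholders assumed to be defined elsewhere.

```xml
<dependencyManagement>
  <dependencies>
    <!-- The one place where the Guava version is chosen. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <!-- 29.0-jre is the version the thread says Calcite depends on. -->
      <version>29.0-jre</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<dependencies>
  <dependency>
    <groupId>org.apache.calcite</groupId>
    <artifactId>calcite-core</artifactId>
    <version>${calcite.version}</version> <!-- placeholder property -->
    <exclusions>
      <!-- Drop the transitive copy so it cannot decide the version. -->
      <exclusion>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Declared explicitly; the version comes from dependencyManagement. -->
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
  </dependency>
</dependencies>
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>${enforcer.version}</version> <!-- placeholder property -->
      <executions>
        <execution>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <!-- Fail the build if one artifact resolves to two versions. -->
            <rules><dependencyConvergence/></rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

This settles the version only inside the project's own build; it does not answer the thread's questions about a user bringing another Guava version or about the open CVE.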
 
 
 
 

Re: Re[2]: Google Guava in Ignite 3

Posted by Andrey Mashenkov <an...@gmail.com>.
Zhenya,

Yes, this may help.
But what about compatibility and CVE?

On Thu, Aug 5, 2021 at 6:03 PM Zhenya Stanilovsky
<ar...@mail.ru.invalid> wrote:

>
>
> Andrey, it seems we can use [1]; it helps us with point 1 in your comment,
> doesn't it?
>
> [1]
> https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html



-- 
Best regards,
Andrey V. Mashenkov