Posted to dev@phoenix.apache.org by Istvan Toth <st...@apache.org> on 2022/02/03 12:35:37 UTC

[DISCUSS] Releasing Phoenix-thirdparty 1.2 (or 2.0 ?)

Hi!

I think that it is time to update phoenix-thirdparty.
There are only two changes:

   - PHOENIX-6575 Replace patched commons-cli with original one when a
   release with CLI-254 is available

which replaces the current patched commons-cli with the official 1.5.0
release, which has the same fixes.
Unfortunately, the API that enables the fixes is a bit different, and
requires minor code changes in the downstream projects.
I'm not sure if we should bump the version to 2.0 because of that, or if
1.2.0 is enough.

The other change (not yet committed) is

   - PHOENIX-6641 Bump Guava to 31.0.1 in phoenix-thirdparty

The current Guava version has CVE-2020-8908. Now the vulnerability is not
really fixed in any later version; the problematic method is
just @deprecated.
Still, I guess it's better to keep up with the releases than to get stuck
on an old one, which is likely to cause problems later.

Uncharacteristically, this Guava update does not seem to break any of our
code.

As you can see, neither of the changes is critical, but I think both are
nice to have.

Please let me know your opinion, if you agree or if you disagree.
Please also review PHOENIX-6641, if you have the time.

regards
Istvan
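
Added example, not code from the Phoenix project or from this thread, illustrating the point above: CVE-2020-8908 is about com.google.common.io.Files.createTempDir(), which creates the directory with the JVM's default permissions (subject to the process umask, so typically world-readable on Unix-like systems). Guava 30.0 and later only mark the method @deprecated, so a Guava bump alone changes nothing; the fix is to stop calling it and use java.nio.file.Files.createTempDirectory, which creates the directory owner-only (0700 on POSIX file systems). The class name TempDirExample, the "phoenix-" prefix and the isOwnerOnly helper are assumptions for the illustration; the example assumes Guava on the classpath and a POSIX file system for the permission check.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

// Hypothetical class name; not part of Phoenix or phoenix-thirdparty.
public class TempDirExample {

    // Before: the call CVE-2020-8908 is about. Guava's createTempDir() does a plain
    // mkdir() under java.io.tmpdir, so the mode depends on the umask (usually 0755,
    // i.e. listable by every local user). Deprecated since Guava 30.0, still present
    // (and still insecure) in 31.0.1.
    @SuppressWarnings("deprecation")
    static File insecureTempDir() {
        return com.google.common.io.Files.createTempDir();
    }

    // After: java.nio.file.Files.createTempDirectory creates the directory with
    // owner-only permissions (rwx------) on POSIX file systems regardless of umask.
    // The "phoenix-" prefix is just an example value.
    static Path secureTempDir() throws IOException {
        return Files.createTempDirectory("phoenix-");
    }

    // Helper (assumption, not a library API): true if no GROUP_* or OTHERS_* bit is set.
    // Throws UnsupportedOperationException on non-POSIX file systems (e.g. Windows).
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File old = insecureTempDir();
        Path fresh = secureTempDir();
        try {
            // With a typical umask of 022 the first line prints false, the second true.
            System.out.println(old + " owner-only: " + isOwnerOnly(old.toPath()));
            System.out.println(fresh + " owner-only: " + isOwnerOnly(fresh));
        } finally {
            old.delete();
            Files.delete(fresh);
        }
    }
}
```

The practical consequence for a downstream project is that bumping phoenix-thirdparty's Guava only makes the compiler warn; any remaining createTempDir() call sites have to be migrated (or the deprecation warning turned into a build failure) before the CVE can be considered addressed.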

Re: [DISCUSS] Releasing Phoenix-thirdparty 1.2 (or 2.0 ?)

Posted by Ankit Singhal <an...@apache.org>.
+1 on bumping to 2.0, just to keep the version consistent in
case someone wants to use it as a drop-in jar.

PHOENIX-6641 also looks good to me; just gave +1.

Regards,
Ankit Singhal


On Thu, 3 Feb 2022 at 04:35, Istvan Toth <st...@apache.org> wrote:

> Hi!
>
> I think that it is time to update phoenix-thirdparty.
> There are only two changes:
>
>    - PHOENIX-6575 Replace patched commons-cli with original one when a
>    release with CLI-254 is available
>
> which replaces the current patched commons-cli with the official 1.5.0
> release, which has the same fixes.
> Unfortunately, the API that enables the fixes is a bit different, and
> requires minor code changes in the downstream projects.
> I'm not sure if we should bump the version to 2.0 because of that, or if
> 1.2.0 is enough.
>
> The other change (not yet committed) is
>
>    - PHOENIX-6641 Bump Guava to 31.0.1 in phoenix-thirdparty
>
> The current Guava version has CVE-2020-8908. Now the vulnerability is not
> really fixed in any later version; the problematic method is
> just @deprecated.
> Still, I guess it's better to keep up with the releases than to get stuck
> on an old one, which is likely to cause problems later.
>
> Uncharacteristically, this Guava update does not seem to break any of our
> code.
>
> As you can see, neither of the changes is critical, but I think both are
> nice to have.
>
> Please let me know your opinion, if you agree or if you disagree.
> Please also review PHOENIX-6641, if you have the time.
>
> regards
> Istvan
>