Posted to dev@hbase.apache.org by Andrew Purtell <ap...@apache.org> on 2019/08/07 17:46:19 UTC

HBASE-22728 consequences

HBASE-22728 addresses theoretical exposure to a Jackson CVE by us (via
hbase-rest) or to our downstream by removing Jackson artifacts from our
exported transitive dependencies, and by updating hbase-rest to use a safe
Jackson version. These changes are arguably not suitable for patch releases
because they can cause a transitive binary compatibility problem. For this
reason I would like us to consider immediate EOL of 1.3 and 1.4 with a
recommendation to upgrade to 1.5.0.

In order for that to happen, we need to commit HBASE-22728 to branch-1,
then release 1.5.0 from head of branch-1, which I will do. Assuming test
results are good I will propose a 1.5.0 release candidate in the next few
days.

Or would you find the HBASE-22728 change acceptable for a patch release?

There are other good reasons to move on from 1.3 and 1.4, foremost a nice
reduction in maintenance burden keeping up these old code lines.

Are there any objections or concerns to this plan?

-- 
Best regards,
Andrew

Words like orphans lost among the crosstalk, meaning torn from truth's
decrepit hands
   - A23, Crosstalk

Re: Considering immediate EOL of branch-1.3 and branch-1.4 (was: Re: HBASE-22728 consequences)

Posted by Sean Busbey <bu...@apache.org>.
I think getting a 1.5.0 out with the Jackson change release noted is the
way to go for fixing the CVE issue. I would also like to move the stable
pointer to that release.

It seems to me that community effort on contorting the 1.4 or 1.3 line to
keep having releases in the face of the Jackson CVE would be better spent
on eliminating barriers to upgrade from those versions to 1.5.0, but I
wouldn't necessarily vote against someone who wanted to show up and do that
work (unless the proposed solution was to just ignore the problem).

I think it's reasonable for us as a community to announce EOL for those
branches upon release of 1.5.0 if we don't already have someone speaking up
to maintain them. As with any EOL branch some set of contributors could
seek to revive if they have a compelling-to-them use.

On Wed, Aug 7, 2019, 14:16 Andrew Purtell <ap...@apache.org> wrote:

Re: Considering immediate EOL of branch-1.3 and branch-1.4 (was: Re: HBASE-22728 consequences)

Posted by Andrew Purtell <ap...@apache.org>.
The idea is to get a stable 1.5.0 out there and not necessarily release any
more 1.3 and 1.4, ideally, not - and explicitly not address the Jackson
issue in 1.3 and 1.4, unless like I asked you lot are ok with the patch as
proposed. The advice for concerned parties would be "upgrade to 1.5".

On Wed, Aug 7, 2019 at 12:11 PM Zach York <zy...@gmail.com> wrote:


-- 
Best regards,
Andrew

Words like orphans lost among the crosstalk, meaning torn from truth's
decrepit hands
   - A23, Crosstalk

Re: Considering immediate EOL of branch-1.3 and branch-1.4 (was: Re: HBASE-22728 consequences)

Posted by Zach York <zy...@gmail.com>.
I'm fine with eventually EOLing 1.3 and 1.4, but I don't think we can do it
until we know 1.5.0 is for sure coming out within a reasonable time and
will be stable (the current stable pointer is 1.4.10 so what would we move
that to?).

I'm always a fan of reducing maintenance burden, but let's hold off on
officially EOLing until we know users have something to move to.

On Wed, Aug 7, 2019 at 11:51 AM Andrew Purtell <ap...@apache.org> wrote:

Considering immediate EOL of branch-1.3 and branch-1.4 (was: Re: HBASE-22728 consequences)

Posted by Andrew Purtell <ap...@apache.org>.
Changing subject line for visibility.

On Wed, Aug 7, 2019 at 11:48 AM Stack <st...@duboce.net> wrote:


-- 
Best regards,
Andrew

Words like orphans lost among the crosstalk, meaning torn from truth's
decrepit hands
   - A23, Crosstalk

Re: HBASE-22728 consequences

Posted by Stack <st...@duboce.net>.
EOL'ing 1.3+1.4 sounds good to me.
S

On Wed, Aug 7, 2019 at 10:46 AM Andrew Purtell <ap...@apache.org> wrote: