Re: [VOTE] Release Apache Spark 2.0.0 (RC5)

2016-07-26 Thread Stephen Hellberg
Yeah, I thought the vote was closed... but I couldn't think of a better thread to remark upon! That's a useful comment on Derby's role - thanks. Certainly, we'd just attempted a build-and-test execution with revising the Derby level to the current 10.12.1.1, and hadn't observed any issues... a PR

Re: [VOTE] Release Apache Spark 2.0.0 (RC5)

2016-07-26 Thread Stephen Hellberg
-1 Sorry, I've just noted that the RC5 proposal includes shipping Derby @ 10.11.1.1 which is vulnerable to CVE-2015-1832. It would be ideal if we could instead ship 10.12.1.1 real soon.

Jetty 9.3 CVE to be avoided...

2016-07-01 Thread Stephen Hellberg
To anyone contemplating an upgrade of the Jetty component in use with Apache Spark, please be aware of CVE-2016-4800, and ensure that you are attempting to only integrate a version of the Jetty 9.3 stream that is *9.3.9* /or later/.

Re: cutting 1.6.2 rc and 2.0.0 rc this week?

2016-06-20 Thread Stephen Hellberg
Sean Owen wrote
> Clearly we need to keep the 1.x line going for a bit...

Is there any perspective on just how long 'a bit' might be? I'm not sure I've found any prior description in our community of a (long-term?) support commitment previously - are we talking months, or years?