> From: Eli Collins [mailto:e...@cloudera.com]
> Sent: Monday, April 07, 2014 11:54 AM
> 
> 
> IMO we should not drop support for Java 6 in a minor update of a stable
> release (v2).  I don't think the larger Hadoop user base would find it
> acceptable that upgrading to a minor update caused their systems to stop
> working because they didn't upgrade Java. There are people still getting
> support for Java 6. ...
> 
> Thanks,
> Eli

Hi Eli, 

Technically you are correct: those with extended support get critical security 
fixes for 6 until the end of 2016. I am curious whether many of those are in 
the Hadoop user base. Do you know? My guess is the vast majority are within 
Oracle's official public end of life, which was over 12 months ago. Even 
Premier support ended Dec 2013:

http://www.oracle.com/technetwork/java/eol-135779.html

The end of Java 6 support carries much risk. It has to be considered in terms 
of serious security vulnerabilities such as CVE-2013-2465, with a CVSS score of 10.0. 

http://www.cvedetails.com/cve/CVE-2013-2465/

Since you mentioned "caused systems to stop" as an example of what would be a 
concern to Hadoop users, please note the CVE-2013-2465 availability impact:

"Complete (There is a total shutdown of the affected resource. The attacker can 
render the resource completely unavailable.)"

This vulnerability was patched in Java 6 Update 51, but post end-of-life. Apple 
pushed out the update specifically because of this vulnerability 
(http://support.apple.com/kb/HT5717), as did some other vendors privately, but 
for the majority of people, using Java 6 means they have a ticking time bomb. 

Allowing it to stay should be considered in terms of accepting the whole risk 
posture.

Davi
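
As an added illustration, not part of this thread or of Hadoop's own code: a 
startup gate that refuses to run on a Java 6 build older than 6u51, the update 
the message above names as carrying the CVE-2013-2465 fix. The function names, 
the refusal policy and the sample `java -version` banners are all constructed 
for this example; the only page-derived fact is the 6u51 threshold.

```python
"""Added example: gate a process on the Java runtime it was started with.

Policy (constructed for illustration): refuse anything older than Java 6,
refuse Java 6 builds before Update 51 (the build the thread above names as
fixing CVE-2013-2465), accept everything else. Helper names are hypothetical.
"""
import re

# 6u51 is the threshold the message above gives for the CVE-2013-2465 fix.
JAVA6_PATCHED_UPDATE = 51

# Pre-Java-9 scheme: 1.<major>.<minor>[_<update>][-<suffix>], e.g. 1.6.0_45
_OLD_SCHEME = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?')
# Java 9+ scheme: <major>[.<minor>[.<patch>]], e.g. 11.0.2
_NEW_SCHEME = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(s):
    """Return (major, minor, update_or_patch) for a Java version string,
    or None if the string is not in either known scheme."""
    s = s.strip().strip('"')
    m = _OLD_SCHEME.match(s)
    if m:
        major, minor, update = m.groups()
        return int(major), int(minor), int(update or 0)
    m = _NEW_SCHEME.match(s)
    if m and int(m.group(1)) >= 9:
        major, minor, patch = m.groups()
        return int(major), int(minor or 0), int(patch or 0)
    return None


def version_from_banner(banner):
    """Pull the quoted version out of `java -version` output, e.g.
    'java version "1.6.0_45"' -> '1.6.0_45'. Returns None if absent."""
    m = re.search(r'version "([^"]+)"', banner)
    return m.group(1) if m else None


def check_runtime(banner):
    """Apply the policy to one `java -version` banner; return (ok, reason).
    Unparseable input is refused rather than waved through."""
    raw = version_from_banner(banner)
    parsed = parse_java_version(raw) if raw else None
    if parsed is None:
        return False, "could not determine Java version from: %r" % banner
    major, _minor, update = parsed
    if major < 6:
        return False, "Java %d is unsupported" % major
    if major == 6 and update < JAVA6_PATCHED_UPDATE:
        return False, ("Java 6 update %d predates 6u%d, which fixed CVE-2013-2465"
                       % (update, JAVA6_PATCHED_UPDATE))
    return True, "Java %s accepted" % raw


# Constructed banners in the shape `java -version` prints; not captured hosts.
SAMPLE_BANNERS = [
    'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    'java version "1.6.0_51"\nJava(TM) SE Runtime Environment (build 1.6.0_51-b11)',
    'java version "1.7.0_51"\nJava(TM) SE Runtime Environment (build 1.7.0_51-b13)',
    'openjdk version "11.0.2" 2019-01-15',
    'java version "1.5.0_22"',
    'gibberish',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        ok, why = check_runtime(b)
        print("ALLOW " if ok else "REFUSE", "-", why)
```

In a real deployment the banner would come from running the configured `java` 
binary with `-version` (which prints to stderr), or from reading the 
`java.version` system property inside the JVM; the gate above only decides 
what to do with that string, and treats anything it cannot parse as a refusal 
so that an odd vendor banner does not silently pass.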
