On Tue, Apr 8, 2014 at 2:00 AM, Ottenheimer, Davi
<davi.ottenhei...@emc.com> wrote:
>> From: Eli Collins [mailto:e...@cloudera.com]
>> Sent: Monday, April 07, 2014 11:54 AM
>>
>>
>> IMO we should not drop support for Java 6 in a minor update of a stable
>> release (v2).  I don't think the larger Hadoop user base would find it
>> acceptable that upgrading to a minor update caused their systems to stop
>> working because they didn't upgrade Java. There are people still getting
>> support for Java 6. ...
>>
>> Thanks,
>> Eli
>
> Hi Eli,
>
> Technically you are correct that those with extended support get critical security 
> fixes for 6 until the end of 2016. I am curious whether many of those are in 
> the Hadoop user base. Do you know? My guess is the vast majority are within 
> Oracle's official public end of life, which was over 12 months ago. Even 
> Premier support ended Dec 2013:
>
> http://www.oracle.com/technetwork/java/eol-135779.html
>
> The end of Java 6 support carries much risk. It has to be considered in terms 
> of serious security vulnerabilities such as CVE-2013-2465 with CVSS score 
> 10.0.
>
> http://www.cvedetails.com/cve/CVE-2013-2465/
>
> Since you mentioned "caused systems to stop" as an example of what would be a 
> concern to Hadoop users, please note the CVE-2013-2465 availability impact:
>
> "Complete (There is a total shutdown of the affected resource. The attacker 
> can render the resource completely unavailable.)"
>
> This vulnerability was patched in Java 6 Update 51, but post end of life. 
> Apple pushed out the update specifically because of this vulnerability 
> (http://support.apple.com/kb/HT5717) as did some other vendors privately, but 
> for the majority of people, using Java 6 means they have a ticking time bomb.
>
> Allowing it to stay should be considered in terms of accepting the whole risk 
> posture.
>

There are some who get extended support, but I suspect many just have
an if-it's-not-broke mentality when it comes to production deployments.
The current code supports both java6 and java7 and so allows these
people to remain compatible, while enabling others to upgrade to the
java7 runtime. This seems like the right compromise for a stable
release series. Again, it absolutely makes sense for trunk (i.e. v3) to
require Java 7 or greater.
