+1 to NOT breaking compatibility in branch-2.

I think it is reasonable to require JDK7 for trunk, if we limit use of
JDK7-only API to security fixes etc. If we make other optimizations (like
IO), it would be a pain to backport things to branch-2. I guess this all
depends on when we see ourselves shipping Hadoop-3. Any ideas on that?


On Tue, Apr 8, 2014 at 9:19 AM, Eli Collins <e...@cloudera.com> wrote:

> On Tue, Apr 8, 2014 at 2:00 AM, Ottenheimer, Davi
> <davi.ottenhei...@emc.com> wrote:
> >> From: Eli Collins [mailto:e...@cloudera.com]
> >> Sent: Monday, April 07, 2014 11:54 AM
> >>
> >>
> >> IMO we should not drop support for Java 6 in a minor update of a stable
> >> release (v2).  I don't think the larger Hadoop user base would find it
> >> acceptable that upgrading to a minor update caused their systems to stop
> >> working because they didn't upgrade Java. There are people still getting
> >> support for Java 6. ...
> >>
> >> Thanks,
> >> Eli
> >
> > Hi Eli,
> >
> > Technically you are correct those with extended support get critical
> > security fixes for 6 until the end of 2016. I am curious whether many of
> > those are in the Hadoop user base. Do you know? My guess is the vast
> > majority are within Oracle's official public end of life, which was over 12
> > months ago. Even Premier support ended Dec 2013:
> >
> > http://www.oracle.com/technetwork/java/eol-135779.html
> >
> > The end of Java 6 support carries much risk. It has to be considered in
> > terms of serious security vulnerabilities such as CVE-2013-2465 with CVSS
> > score 10.0.
> >
> > http://www.cvedetails.com/cve/CVE-2013-2465/
> >
> > Since you mentioned "caused systems to stop" as an example of what would
> > be a concern to Hadoop users, please note the CVE-2013-2465 availability
> > impact:
> >
> > "Complete (There is a total shutdown of the affected resource. The
> > attacker can render the resource completely unavailable.)"
> >
> > This vulnerability was patched in Java 6 Update 51, but post end of
> > life. Apple pushed out the update specifically because of this
> > vulnerability (http://support.apple.com/kb/HT5717) as did some other
> > vendors privately, but for the majority of people using Java 6 means they
> > have a ticking time bomb.
> >
> > Allowing it to stay should be considered in terms of accepting the whole
> > risk posture.
> >
>
> There are some who get extended support, but I suspect many just have
> an if-it's-not-broke mentality when it comes to production deployments.
> The current code supports both java6 and java7 and so allows these
> people to remain compatible, while enabling others to upgrade to the
> java7 runtime. This seems like the right compromise for a stable
> release series. Again, absolutely makes sense for trunk (ie v3) to
> require java7 or greater.
>
