Ahmed, I see you filed HADOOP-17083 <https://issues.apache.org/jira/browse/HADOOP-17083> for the same discussion.
I started a thread a while ago in the Hadoop dev mailing list to share my experience adopting guava27. Simply porting HADOOP-15960 <https://issues.apache.org/jira/browse/HADOOP-15960> to branch-2 will break miserably because all downstream applications will not compile/run. It took us half a year to get it harmonized across Cloudera's stack and I don't want to see you spending time on that.

I feel the better approach is HADOOP-16924 <https://issues.apache.org/jira/browse/HADOOP-16924> where we shade and then update guava. There is more work inside Hadoop to change references to the shaded guava classpath, but it'll save you more time later.

On Tue, Jun 23, 2020 at 9:09 AM Ahmed Hussein <a...@ahussein.me> wrote:

> Hi folks,
>
> I was looking into upgrading guava to 27.0-jre on branch-2.10 in order to
> address the vulnerabilities reported as CVE-2018-10237
> <https://nvd.nist.gov/vuln/detail/CVE-2018-10237>.
> Since there are concerns using Java8, the plan is to stick to JDK7.
>
> Obviously, it is expected that the upgrade will break downstream projects.
>
> I opened this for discussion to get feedback and make sure that we have
> common ground to address the security of vulnerabilities.
>
> Let me know WDYT.
>
> --
> Best Regards,
>
> *Ahmed Hussein, PhD*