FWIW, I only removed the Dataset Sink. The morphline Solr Sink also has a dependency on Kite but I didn’t encounter any problems with it. Yet.
Also, it seems a lot of Flume depends on Netty 4 (io.netty) but there is still some things that use Netty 3 (org.jboss.netty). For one, flume-sdk requires Netty 3. Netty 3 is EOL - https://netty.io/news/2016/06/29/3-10-6-Final.html. It appears that Netty 3 has at least https://nvd.nist.gov/vuln/detail/CVE-2021-43797 outstanding against it. Addressing that will require modifying a fair amount of code, which I hadn’t really planned to do for this release. Ralph > On Jan 12, 2022, at 2:48 PM, Bessenyei Balázs Donát <bes...@apache.org> wrote: > > +1 on removing Kite if that's needed to create a new release. I was > wondering if we can get confirmation on Kite being abandoned, but > https://github.com/kite-sdk/kite/issues/507 seems like a good enough > justification. > > > Donat > > On Wed, Jan 12, 2022 at 6:22 PM Ralph Goers <ralph.go...@dslextreme.com> > wrote: >> >> Given that the Kite Dataset Sink is documented as being experimental and >> since Kite appears to have been abandoned I am making the decisions to >> remove the Kite Dataset Sink from Flume. >> >> Ralph >> >>> On Jan 12, 2022, at 9:14 AM, Ralph Goers <ralph.go...@dslextreme.com> wrote: >>> >>> I am working on exactly that. But there are quite a few dependencies that >>> need to be updated besides Log4j. That update was pretty easy. >>> >>> I am currently trying to update the Avro dependency as it also has security >>> issues. Unfortunately, Avro’s upgrade is not completely binary compatible, >>> which is causing an error in the kite-sdk, which appears to be an another >>> Cloudera abandoned project. >>> >>> In short, Apache Flume really needs more people to become active in the >>> project. >>> >>> Ralph >>> >>>> On Jan 12, 2022, at 6:30 AM, Justin Holmes <jus...@nascency.co.uk> wrote: >>>> >>>> Can we have a release that includes the fixed log4j vulnerabilities soon? >>>> >>>> -- >>>> Justin Holmes >>> >>