Oh. Bad. Can we mark the Thrift dependency optional, mark the ANNOUNCEMENT with a big fat notice, and let users proceed at their own risk?
On Tue, Apr 13, 2021 at 2:05 PM Geoffrey Jacoby <gjac...@apache.org> wrote: > It appears that both thrift 0.12 (which HBase 1.6 uses) and Thrift 0.13 > (which HBase 1.7 is targeted for and that Reid is having trouble building > for JDK 7) have CVEs attached to them, which is why later branches are > using Thrift 0.14.1. > > (See CVE-2019-0205 [1] for Thrift 0.12, and CVE-2020-13949 [2] for both > Thrift 0.12 and 0.13) > > Given that we need to support JDK 7 due to HBase 1.x compatibility > guidelines, and the 0.14 version of Thrift doesn't support JDK 7 [3], do we > have a way forward? I hope so, but I'm not seeing one offhand. > > Geoffrey > > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205 > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949 > [3] https://github.com/apache/thrift/blob/v0.14.0/LANGUAGES.md > > On Tue, Apr 13, 2021 at 12:35 AM Reid Chan <reidchan0...@gmail.com> wrote: > > > Hi team and community: > > > > This is the error message when I tried to make a release 1.7.0: > > > > [INFO] Restricted to JDK 1.7 yet > > org.apache.thrift:libthrift:jar:0.13.0:compile contains > > org/apache/thrift/TNonblockingMultiFetchClient.class targeted to JDK 1.8 > > HBase has unsupported dependencies. > > HBase requires that all dependencies be compiled with version 1.7 or > > earlier > > of the JDK to properly build from source. You appear to be using a > newer > > dependency. You can use > > either "mvn -version" or "mvn enforcer:display-info" to verify what > > version is active. > > Non-release builds can temporarily build with a newer JDK version by > > setting the > > 'compileSource' property (eg. mvn -DcompileSource=1.8 clean package). > > Found Banned Dependency: org.apache.thrift:libthrift:jar:0.13.0 > > [ERROR] Failed to execute goal > > org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce > > (enforce-maven-version) on project hbase-thrift: Some Enforcer rules have > > failed. Look above for specific messages explaining why the rule failed. > -> > > [Help 1] > > [ERROR] > > [ERROR] To see the full stack trace of the errors, re-run Maven with the > -e > > switch. > > [ERROR] Re-run Maven using the -X switch to enable full debug logging. > > [ERROR] > > [ERROR] For more information about the errors and possible solutions, > > please read the following articles: > > [ERROR] [Help 1] > > http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException > > [ERROR] > > [ERROR] After correcting the problems, you can resume the build with the > > command > > [ERROR] mvn <args> -rf :hbase-thrift > > > > > > This happened at Thrift module, it seems that thrift-0.13.0 is targeted > to > > JDK 1.8, but I need to use JDK 7 to do the release. > > > > Thus I couldn't run the make_rc.sh successfully, any hints or experiences > > about how to resolve this? > > > > > > ------ > > Best Regards, > > R.C > > >