hbase-thrift is itself optional though. It’s “just” a gateway, not a core service. Agree, where it’s used, it’s critical for those users. But it’s not in the critical path for all users. Maybe it’s easier to bend on this than the minimum JDK version? Just a thought...
On Tue, Apr 13, 2021 at 18:27 张铎(Duo Zhang) <[email protected]> wrote: > The hbase-thrift module depends on thrift, it can not be optional... > > Nick Dimiduk <[email protected]> 于2021年4月14日周三 上午8:44写道: > > > Oh. Bad. > > > > Can we mark the Thrift dependency optional, mark the ANNOUNCEMENT with a > > big fat notice, and let users proceed at their own risk? > > > > On Tue, Apr 13, 2021 at 2:05 PM Geoffrey Jacoby <[email protected]> > > wrote: > > > > > It appears that both thrift 0.12 (which HBase 1.6 uses) and Thrift 0.13 > > > (which HBase 1.7 is targeted for and that Reid is having trouble > building > > > for JDK 7) have CVEs attached to them, which is why later branches are > > > using Thrift 0.14.1. > > > > > > (See CVE-2019-0205 [1] for Thrift 0.12, and CVE-2020-13949 [2] for both > > > Thrift 0.12 and 0.13) > > > > > > Given that we need to support JDK 7 due to HBase 1.x compatibility > > > guidelines, and the 0.14 version of Thrift doesn't support JDK 7 [3], > do > > we > > > have a way forward? I hope so, but I'm not seeing one offhand. > > > > > > Geoffrey > > > > > > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205 > > > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949 > > > [3] https://github.com/apache/thrift/blob/v0.14.0/LANGUAGES.md > > > > > > On Tue, Apr 13, 2021 at 12:35 AM Reid Chan <[email protected]> > > wrote: > > > > > > > Hi team and community: > > > > > > > > This is the error message when I tried to make a release 1.7.0: > > > > > > > > [INFO] Restricted to JDK 1.7 yet > > > > org.apache.thrift:libthrift:jar:0.13.0:compile contains > > > > org/apache/thrift/TNonblockingMultiFetchClient.class targeted to JDK > > 1.8 > > > > HBase has unsupported dependencies. > > > > HBase requires that all dependencies be compiled with version 1.7 > or > > > > earlier > > > > of the JDK to properly build from source. You appear to be using a > > > newer > > > > dependency. You can use > > > > either "mvn -version" or "mvn enforcer:display-info" to verify what > > > > version is active. > > > > Non-release builds can temporarily build with a newer JDK version > by > > > > setting the > > > > 'compileSource' property (eg. mvn -DcompileSource=1.8 clean > package). > > > > Found Banned Dependency: org.apache.thrift:libthrift:jar:0.13.0 > > > > [ERROR] Failed to execute goal > > > > org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce > > > > (enforce-maven-version) on project hbase-thrift: Some Enforcer rules > > have > > > > failed. Look above for specific messages explaining why the rule > > failed. > > > -> > > > > [Help 1] > > > > [ERROR] > > > > [ERROR] To see the full stack trace of the errors, re-run Maven with > > the > > > -e > > > > switch. > > > > [ERROR] Re-run Maven using the -X switch to enable full debug > logging. > > > > [ERROR] > > > > [ERROR] For more information about the errors and possible solutions, > > > > please read the following articles: > > > > [ERROR] [Help 1] > > > > > > http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException > > > > [ERROR] > > > > [ERROR] After correcting the problems, you can resume the build with > > the > > > > command > > > > [ERROR] mvn <args> -rf :hbase-thrift > > > > > > > > > > > > This happened at Thrift module, it seems that thrift-0.13.0 is > targeted > > > to > > > > JDK 1.8, but I need to use JDK 7 to do the release. > > > > > > > > Thus I couldn't run the make_rc.sh successfully, any hints or > > experiences > > > > about how to resolve this? > > > > > > > > > > > > ------ > > > > Best Regards, > > > > R.C > > > > > > > > > >
