Is it possible to patch the old thrift which supports JDK7?

Stack <[email protected]> wrote on Tue, Apr 20, 2021 at 2:28 AM:

> I'm w/ Peter -- release 1.7 w/ jdk7 & old thrift and then call it a day.
> Thanks,
> S
>
> On Mon, Apr 19, 2021 at 9:07 AM Reid Chan <[email protected]> wrote:
>
> > Bring this up again.
> >
> > There are two straightforward solutions: one is as Peter mentioned, the
> > other is released with JDK 8. I think the choice is about which weighs
> > more.
> > Better if we have a more tricky workaround.
> >
> > Not sure if it needs a [VOTE] thread or not, please let me know.
> >
> > ---
> > Best Regards,
> > R.C
> >
> > On Wed, Apr 14, 2021 at 8:06 PM Peter Somogyi <[email protected]> wrote:
> >
> > > I'm +1 on maintaining JDK7 compatibility and releasing 1.7.0 with the
> > > older Thrift version.
> > >
> > > Peter
> > >
> > > On Wed, Apr 14, 2021 at 5:01 AM Nick Dimiduk <[email protected]> wrote:
> > >
> > > > hbase-thrift is itself optional though. It’s “just” a gateway, not a
> > > > core service. Agree, where it’s used, it’s critical for those users.
> > > > But it’s not in the critical path for all users. Maybe it’s easier to
> > > > bend on this than the minimum JDK version? Just a thought...
> > > >
> > > > On Tue, Apr 13, 2021 at 18:27 张铎(Duo Zhang) <[email protected]> wrote:
> > > >
> > > > > The hbase-thrift module depends on thrift, it can not be optional...
> > > > >
> > > > > Nick Dimiduk <[email protected]> wrote on Wed, Apr 14, 2021 at 8:44 AM:
> > > > >
> > > > > > Oh. Bad.
> > > > > >
> > > > > > Can we mark the Thrift dependency optional, mark the ANNOUNCEMENT
> > > > > > with a big fat notice, and let users proceed at their own risk?
> > > > > >
> > > > > > On Tue, Apr 13, 2021 at 2:05 PM Geoffrey Jacoby <[email protected]> wrote:
> > > > > >
> > > > > > > It appears that both thrift 0.12 (which HBase 1.6 uses) and
> > > > > > > Thrift 0.13 (which HBase 1.7 is targeted for and that Reid is
> > > > > > > having trouble building for JDK 7) have CVEs attached to them,
> > > > > > > which is why later branches are using Thrift 0.14.1.
> > > > > > >
> > > > > > > (See CVE-2019-0205 [1] for Thrift 0.12, and CVE-2020-13949 [2]
> > > > > > > for both Thrift 0.12 and 0.13)
> > > > > > >
> > > > > > > Given that we need to support JDK 7 due to HBase 1.x
> > > > > > > compatibility guidelines, and the 0.14 version of Thrift doesn't
> > > > > > > support JDK 7 [3], do we have a way forward? I hope so, but I'm
> > > > > > > not seeing one offhand.
> > > > > > >
> > > > > > > Geoffrey
> > > > > > >
> > > > > > > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
> > > > > > > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949
> > > > > > > [3] https://github.com/apache/thrift/blob/v0.14.0/LANGUAGES.md
> > > > > > >
> > > > > > > On Tue, Apr 13, 2021 at 12:35 AM Reid Chan <[email protected]> wrote:
> > > > > > >
> > > > > > > > Hi team and community:
> > > > > > > >
> > > > > > > > This is the error message when I tried to make a release 1.7.0:
> > > > > > > >
> > > > > > > > [INFO] Restricted to JDK 1.7 yet org.apache.thrift:libthrift:jar:0.13.0:compile contains org/apache/thrift/TNonblockingMultiFetchClient.class targeted to JDK 1.8
> > > > > > > > HBase has unsupported dependencies.
> > > > > > > >   HBase requires that all dependencies be compiled with version 1.7 or earlier
> > > > > > > >   of the JDK to properly build from source. You appear to be using a newer
> > > > > > > >   dependency. You can use
> > > > > > > >   either "mvn -version" or "mvn enforcer:display-info" to verify what
> > > > > > > >   version is active.
> > > > > > > >   Non-release builds can temporarily build with a newer JDK version by
> > > > > > > >   setting the
> > > > > > > >   'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
> > > > > > > > Found Banned Dependency: org.apache.thrift:libthrift:jar:0.13.0
> > > > > > > > [ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce (enforce-maven-version) on project hbase-thrift: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
> > > > > > > > [ERROR]
> > > > > > > > [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> > > > > > > > [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> > > > > > > > [ERROR]
> > > > > > > > [ERROR] For more information about the errors and possible solutions, please read the following articles:
> > > > > > > > [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
> > > > > > > > [ERROR]
> > > > > > > > [ERROR] After correcting the problems, you can resume the build with the command
> > > > > > > > [ERROR]   mvn <args> -rf :hbase-thrift
> > > > > > > >
> > > > > > > > This happened at Thrift module, it seems that thrift-0.13.0 is
> > > > > > > > targeted to JDK 1.8, but I need to use JDK 7 to do the release.
> > > > > > > >
> > > > > > > > Thus I couldn't run the make_rc.sh successfully, any hints or
> > > > > > > > experiences about how to resolve this?
> > > > > > > >
> > > > > > > > ------
> > > > > > > > Best Regards,
> > > > > > > > R.C
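
The enforcer failure quoted in this thread comes down to one property of a dependency jar: the class-file version of each class it contains. The following is an added example, not part of the thread and not HBase or Maven Enforcer code; it reads that version from a jar so a candidate Thrift build can be checked against a JDK 7 baseline before a release attempt. The sample jar is constructed in memory (8-byte headers only), and the function names are hypothetical.

```python
import io
import struct
import zipfile

MAGIC = 0xCAFEBABE
JAVA7_MAJOR = 51  # class-file major version: 51 = Java 7, 52 = Java 8


def class_major_version(header):
    """Return the class-file major version, or None if the header is invalid."""
    if len(header) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    return major if magic == MAGIC else None


def classes_above(jar_bytes, max_major=JAVA7_MAJOR):
    """Map entry name -> major version for classes newer than max_major."""
    offenders = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if not name.endswith(".class"):
                continue
            # Multi-release variants are ignored by a Java 7 runtime
            if name.startswith("META-INF/versions/"):
                continue
            with jar.open(info) as fh:
                major = class_major_version(fh.read(8))
            # A .class entry without a valid header cannot be verified: flag it
            if major is None or major > max_major:
                offenders[name] = major
    return offenders


def build_sample_jar():
    """Constructed sample: header-only stand-ins, not loadable classes."""
    def fake(major):
        return struct.pack(">IHH", MAGIC, 0, major)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/thrift/TNonblockingMultiFetchClient.class", fake(52))
        jar.writestr("example/LegacyHelper.class", fake(51))  # hypothetical name
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, major in sorted(classes_above(build_sample_jar()).items()):
        print(f"{entry}: major {major} exceeds Java 7 ({JAVA7_MAJOR})")
```

To check a real artifact, pass the bytes of the jar file to `classes_above`; an empty result means every class in it targets Java 7 or earlier.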
