Andrey, it seems we can use [1]. It helps us with point 1 in your comment, doesn't it?
 
[1] https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html
 
>-1
>It is sad to say -1, as Guava has very useful stuff and it looks easier to
>add it as a dependency rather than copy-paste code. My concerns are:
>1. The original Bytecode module depends on 26.0-jre.
>   Calcite depends on 29.0-jre.
>   We may use some other version.
>   A user might want to use one more version.
>   So, I'd disagree that legalizing Guava will help with maintainability anyhow.
>2. Guava supports JDK-8. Is it possible to handle different versions of
>   Guava in dependencies with JigSaw? What impact will potential future
>   CVEs (and the current one) have with JigSaw?
>3. Guava has an unresolved CVE [1]. They just marked a vulnerable method as
>   Deprecated and didn't actually fix it [2].
>
>[1] https://github.com/google/guava/issues/4011
>[2] https://github.com/google/guava/issues/4011
>
>On Thu, Aug 5, 2021 at 4:54 PM Konstantin Orlov < kor...@gridgain.com > wrote:
> 
>> +1, I considered it a necessary evil
>>
>> --
>> Regards,
>> Konstantin Orlov
>>
>>
>>
>> > On 5 Aug 2021, at 16:37, Alexei Scherbakov < alexey.scherbak...@gmail.com > wrote:
>> >
>> > +1
>> >
>> > Thu, 5 Aug 2021 at 16:12, Alexander Polovtcev < alexpolovt...@gmail.com >:
>> >
>> >> Hello, dear Igniters!
>> >>
>> >> I would like to discuss the possibility of using Guava
>> >> < https://github.com/google/guava > in Ignite 3. I know about the
>> >> restrictive policy of using it in Ignite 2, but I have the following reasons:
>> >>
>> >> 1. We are de-facto using it already as an implicit dependency, since the
>> >> Calcite module depends on it, and Calcite is going to stay for a while =)
>> >> 2. AFAIK, the "bytecode" module is copied into the codebase only to strip
>> >> Guava away from it. We can remove this module, which will improve the
>> >> maintainability of the project.
>> >> 3. We have some copy-paste of Guava code in the project. For example, see this
>> >> < https://github.com/apache/ignite-3/blob/main/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L136 >
>> >> and this
>> >> < https://github.com/apache/ignite-3/blob/main/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L428 >.
>> >> 4. Regarding security concerns, this report
>> >> < https://www.cvedetails.com/product/52274/Google-Guava.html?vendor_id=1224 >
>> >> shows no major vulnerability issues for the last three years.
>> >>
>> >> Taking these points into account, I propose to allow using Guava both in
>> >> production and test code and to add it as an explicit dependency.
>> >>
>> >> What do you think?
>> >>
>> >> --
>> >> With regards,
>> >> Aleksandr Polovtcev
>> >>
>> >
>> >
>> > --
>> >
>> > Best regards,
>> > Alexei Scherbakov
>>
>>
>--
>Best regards,
>Andrey V. Mashenkov 
 
 
 
 
