Vladimir Sitnikov created COMPRESS-710:
------------------------------------------
Summary: Modularize Commons Compress into per-format artifacts to
reduce attack surface
Key: COMPRESS-710
URL: https://issues.apache.org/jira/browse/COMPRESS-710
Project: Commons Compress
Issue Type: Improvement
Components: Archivers, Compressors
Reporter: Vladimir Sitnikov
Split org.apache.commons:commons-compress into a small core plus pluggable
per-format modules (e.g., commons-compress-tar, commons-compress-zip,
commons-compress-7z, …). Keep the current monolithic jar as a meta-artifact
that depends on the modules for full backward compatibility. Goal: let
consumers include only the formats they actually use, minimizing attack
surface, transitive dependencies, and CVE blast radius.
Motivation
* Real-world users often need just TAR/TGZ (or just ZIP), yet must ship the
entire codebase for all formats.
* Recent vulnerabilities in parsers for formats many users don’t touch still
require org-wide rollouts because everything ships together.
* Security guidance increasingly favors least privilege / minimal dependency
footprint.
* Some codecs (xz, zstd, brotli) already rely on optional deps; modularization
would make such choices explicit and auditable.
Goals
* Make it possible to depend on only the needed formats (e.g., only tar).
* Preserve source and binary compatibility for common APIs where feasible.
* Keep usage simple (no complex service bootstrapping for most users).
Non-Goals (initial phase)
* Rewriting format implementations.
* Changing public APIs unless strictly necessary.
* Introducing breaking changes for end-users who continue using the monolithic
artifact.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
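Added example, not part of this issue or of Commons Compress itself: until per-format artifacts exist, the closest a consumer can get to "only the formats I actually use" is to stop letting the input choose the parser. The one-argument ArchiveStreamFactory.createArchiveInputStream(InputStream) autodetects the format and dispatches to whichever parser matches, so an attacker supplying the file picks which parser runs. The hypothetical FormatAllowList helper below sniffs the header with the real ArchiveStreamFactory.detect(InputStream), refuses any name outside an explicit allow-list, and only then constructs a parser. The sample tar is constructed in memory so the demo runs offline. It assumes a recent release (1.24 or later, for the generic ArchiveInputStream type and ArchiveStreamFactory.DEFAULT).

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;

/**
 * Hypothetical helper (not part of Commons Compress): opens archives only for
 * an explicit allow-list of format names, never via blind autodetection.
 */
public final class FormatAllowList {
    private final Set<String> allowed;

    public FormatAllowList(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
    }

    /**
     * Sniffs the header (signature check only, no entry parsing), rejects
     * anything outside the allow-list, and only then builds the parser.
     */
    public ArchiveInputStream<? extends ArchiveEntry> open(InputStream raw)
            throws IOException, ArchiveException {
        // detect() needs mark/reset so it can rewind after reading the signature.
        InputStream in = raw.markSupported() ? raw : new BufferedInputStream(raw);
        String detected = ArchiveStreamFactory.detect(in);
        if (!allowed.contains(detected)) {
            throw new ArchiveException("archive format not permitted here: " + detected);
        }
        // Explicit name: no second round of detection, no other parser reachable.
        return ArchiveStreamFactory.DEFAULT.createArchiveInputStream(detected, in);
    }

    /** Constructed sample input: a one-entry tar built in memory. */
    static byte[] sampleTar() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (TarArchiveOutputStream tar = new TarArchiveOutputStream(bos)) {
            byte[] body = "hello\n".getBytes(StandardCharsets.UTF_8);
            TarArchiveEntry entry = new TarArchiveEntry("hello.txt");
            entry.setSize(body.length);
            tar.putArchiveEntry(entry);
            tar.write(body);
            tar.closeArchiveEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        FormatAllowList tarOnly = new FormatAllowList(Set.of(ArchiveStreamFactory.TAR));

        // Allow-listed format: the tar parser is constructed and entries are readable.
        try (ArchiveInputStream<? extends ArchiveEntry> ais =
                     tarOnly.open(new ByteArrayInputStream(sampleTar()))) {
            ArchiveEntry first = ais.getNextEntry();
            System.out.println("accepted tar, first entry: " + first.getName());
        }

        // Constructed input starting with the ZIP local-header signature "PK\3\4":
        // detect() names it "zip", and it is refused before any ZipArchiveInputStream exists.
        byte[] zipLike = new byte[32];
        zipLike[0] = 'P';
        zipLike[1] = 'K';
        zipLike[2] = 3;
        zipLike[3] = 4;
        try {
            tarOnly.open(new ByteArrayInputStream(zipLike));
            System.out.println("unexpected: zip was accepted");
        } catch (ArchiveException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats keep this a stopgap rather than a substitute for the proposal. First, detect() still runs every format's signature matcher over the first bytes of the input, so that small amount of per-format code is exercised even for refused inputs. Second, every parser class remains on the classpath and stays reachable through any other code path (including third-party libraries that call the autodetecting overload), which is exactly the residual surface that shipping only commons-compress-tar would remove. CompressorStreamFactory offers the same detect(InputStream) and createCompressorInputStream(String, InputStream) pair, so the identical allow-list pattern applies on the compressor side (gzip, bzip2, xz, ...).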