[
https://issues.apache.org/jira/browse/HBASE-16260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15393646#comment-15393646
]
Sean Busbey commented on HBASE-16260:
-------------------------------------
{quote}
I suggest we move forward with the revert, downgrade this issue from blocker,
and free up RMs.
{quote}
+1. We'll need to have a good release note that calls out we're vulnerable to
whatever web stuff was mitigated. Also, please file JIRA(s) for getting mitigations
in place without blacklisted dependencies.
{quote}
I looked briefly at the rat module source code, it appears to be only designed
to enforce the presence of approved headers in distributed files. There's
nothing I can find about checking metadata on dependencies. Are we reduced to
consuming the DEPENDENCIES report mentioned earlier? Maybe Sean Busbey knows
more voodoo than I...
{quote}
The best I can think of is generating a dependency list of licenses via maven,
preferably in a way that leverages the supplemental info we already track for
our generated LICENSE/NOTICE files. I don't know if the DEPENDENCIES file does
that, but it should be easy enough to check. I can think of how we could make
the velocity template that makes LICENSE/NOTICE fail if there are only cat-x
licenses, but I think we've seen how poor the error messaging out of that is.
> Audit dependencies for Category-X
> ---------------------------------
>
> Key: HBASE-16260
> URL: https://issues.apache.org/jira/browse/HBASE-16260
> Project: HBase
> Issue Type: Task
> Components: community, dependencies
> Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4, 1.1.5, 1.2.2
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Blocker
> Fix For: 2.0.0, 1.1.6, 1.2.3
>
>
> Make sure we do not have category x dependencies.
> Right now we at least have an LGPL for xom:xom (thanks to PHOENIX-3103 for the
> catch)
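One way to turn the "fail the build if a dependency is only available under a Category X license" idea from the comment above into a concrete check, as an added example (not HBase project code): it parses a per-line dependency/license listing and reports artifacts whose declared licenses are all Category X, so a dual-licensed artifact with one acceptable license passes. The line format is assumed to resemble the license-maven-plugin THIRD-PARTY.txt listing, the Category X pattern list is an illustrative subset, and the sample input (including versions) is constructed.

```python
import re

# Illustrative subset of licenses the ASF classes as "Category X" (not allowed
# in ASF releases); an assumption for this example, extend from the official list.
CATEGORY_X = [re.compile(p, re.IGNORECASE) for p in (
    r"\b(?:A|L)?GPL\b",                     # GPL / LGPL / AGPL abbreviations
    r"\bGNU\b.*\bGeneral Public\b",         # spelled-out GNU (Lesser/Affero) GPL
    r"BSD[- ]4[- ]Clause|4[- ]clause BSD",  # BSD with the advertising clause
    r"\bJSON License\b",
    r"Creative Commons.*Non-?Commercial",
)]

# One dependency per line: license name(s) in parentheses, artifact name, then
# (groupId:artifactId:version - url). Assumed format modelled on THIRD-PARTY.txt.
_LINE = re.compile(
    r"^\s*((?:\([^)]*\)\s*)+)(.+?)\s*\(([^\s)]+:[^\s)]+:[^\s)]+)\s*-\s*[^)]*\)\s*$")


def is_category_x(license_name: str) -> bool:
    return any(p.search(license_name) for p in CATEGORY_X)


def parse_third_party(text: str) -> dict[str, list[str]]:
    """Map groupId:artifactId:version -> list of declared license names."""
    deps: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:  # header lines and blanks carry no dependency and are skipped
            deps[m.group(3)] = [n.strip() for n in re.findall(r"\(([^)]*)\)", m.group(1))]
    return deps


def blocked_dependencies(text: str) -> list[str]:
    """Coordinates whose declared licenses are ALL Category X. A dual-licensed
    artifact may be used under its acceptable license, so it is not blocked."""
    return sorted(coords for coords, licenses in parse_third_party(text).items()
                  if licenses and all(is_category_x(n) for n in licenses))


# Constructed sample listing (names, versions and URLs made up for the example);
# xom:xom is the LGPL dependency that HBASE-16260 is about.
SAMPLE = """\
Lists of 4 third-party dependencies.
     (The Apache Software License, Version 2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.4 - http://commons.apache.org/)
     (GNU Lesser General Public License, Version 2.1) XOM (xom:xom:1.2.5 - http://xom.nu)
     (Eclipse Public License 1.0) (GNU General Public License, version 2) Dual Licensed (org.example:dual:1.0 - http://example.invalid)
     (GNU General Public License, version 3) GPL Only (org.example:gpl-only:2.0 - http://example.invalid)
"""

if __name__ == "__main__":
    bad = blocked_dependencies(SAMPLE)
    if bad:
        raise SystemExit("Category X dependencies found: " + ", ".join(bad))
    print("no Category X dependencies found")
```

Run against a real listing, a non-zero exit from the SystemExit is what makes a release build fail instead of relying on the velocity template's error output.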