[ https://issues.apache.org/jira/browse/HBASE-16260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15393646#comment-15393646 ]

Sean Busbey commented on HBASE-16260:
-------------------------------------

{quote}
I suggest we move forward with the revert, downgrade this issue from blocker, and free up RMs.
{quote}

+1. we'll need to have a good release note that calls out we're vulnerable to whatever web stuff was mitigated. also please file JIRA(s) for getting mitigations in place without blacklisted dependencies.

{quote}
I looked briefly at the rat module source code, it appears to be only designed to enforce the presence of approved headers in distributed files. There's nothing I can find about checking metadata on dependencies. Are we reduced to consuming the DEPENDENCIES report mentioned earlier? Maybe Sean Busbey knows more voodoo than I...
{quote}

The best I can think of is generating a dependency list of licenses via maven, preferably in a way that leverages the supplemental info we already track for our generated LICENSE/NOTICE files. I don't know if the DEPENDENCIES file does that, but it should be easy enough to check.

I can think of how we could make the velocity template that makes LICENSE/NOTICE fail if there are only cat-x licenses, but I think we've seen how poor the error messaging out of that is.

> Audit dependencies for Category-X
> ---------------------------------
>
>                 Key: HBASE-16260
>                 URL: https://issues.apache.org/jira/browse/HBASE-16260
>             Project: HBase
>          Issue Type: Task
>          Components: community, dependencies
>    Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4, 1.1.5, 1.2.2
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>             Fix For: 2.0.0, 1.1.6, 1.2.3
>
>
> Make sure we do not have category x dependencies.
> right now we at least have an LGPL for xom:xom (thanks to PHOENIX-3103 for the
> catch)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
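The comment above sketches the check a release manager actually wants: generate a per-dependency license listing with Maven, then fail the build when some artifact is offered under nothing but Category X licenses (a dual-licensed artifact with one acceptable license passes). The script below is an added example, not HBase project code and not the velocity template discussed in the thread. It assumes the listing uses the THIRD-PARTY.txt layout written by the license-maven-plugin (`(License A) (License B) Name (groupId:artifactId:version - url)`), its default output path under `target/generated-sources/license/`, and an illustrative, deliberately incomplete subset of Category X license names; the sample report embedded in it is constructed (only the xom:xom LGPL entry comes from the issue), and the authoritative list to check against is https://www.apache.org/legal/resolved.html.

```python
"""Audit a generated third-party license listing for ASF Category X licenses.

Added example, not HBase project code. Assumes the input uses the
THIRD-PARTY.txt layout written by the license-maven-plugin
(org.codehaus.mojo:license-maven-plugin):

    (License A) (License B) Artifact Name (groupId:artifactId:version - url)
"""
import re
import sys

# Illustrative subset of Category X licenses. Assumption: this list is NOT
# exhaustive; the authoritative list is https://www.apache.org/legal/resolved.html
CATEGORY_X_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bGNU\b.*\bGeneral Public License\b",         # GPL / LGPL / AGPL spelled out
        r"\b[AL]?GPL(?:v?\d+(?:\.\d+)?)?\b",            # GPL, LGPL, AGPL, GPLv3, LGPL2.1
        r"\bBSD[- ]4[- ]Clause\b",                      # original BSD with advertising clause
        r"\bJSON License\b",
        r"\bCreative Commons\b.*\b(?:Non-?Commercial|No-?Derivatives)\b",
        r"\bCC[- ]BY[- ]N[CD]\b",
    )
]
# Names the plugin emits when it could not resolve a license from the POM.
UNKNOWN_LICENSES = {"unknown license", "unknown"}

# Constructed sample in the THIRD-PARTY.txt layout. xom:xom is the LGPL
# dependency the issue mentions; the other entries are made up for the demo.
SAMPLE_REPORT = """\
Lists of 4 third-party dependencies.
     (The Apache Software License, Version 2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.4 - http://commons.apache.org/proper/commons-lang/)
     (GNU Lesser General Public License, Version 2.1) XOM (xom:xom:1.2.5 - http://xom.nu)
     (Apache License 2.0) (LGPL 3.0) Dual Licensed Lib (example.dual:dual-lib:1.0 - http://example.invalid/dual)
     (Unknown license) Mystery Jar (example.unknown:mystery:0.1 - http://example.invalid/mystery)
"""

# Tail of an entry after the parenthesized license list: "Name (gav - url)"
_TAIL_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<gav>[^\s()]+)\s*-\s*(?P<url>[^)]*)\)$")


def parse_third_party_line(line):
    """Return (licenses, name, gav, url) for a dependency entry, else None.

    Each license is its own leading parenthesized group, so a dual-licensed
    artifact yields two or more entries in `licenses`.
    """
    rest = line.strip()
    licenses = []
    while rest.startswith("("):
        end = rest.find(")")
        if end < 0:
            return None
        licenses.append(rest[1:end].strip())
        rest = rest[end + 1:].lstrip()
    if not licenses:
        return None  # header line such as "Lists of N third-party dependencies."
    match = _TAIL_RE.match(rest)
    if match is None:
        return None
    return licenses, match.group("name"), match.group("gav"), match.group("url")


def is_category_x(license_name):
    """True if the license name matches one of the Category X patterns."""
    return any(p.search(license_name) for p in CATEGORY_X_PATTERNS)


def audit(report_text):
    """Return {"category_x": [(gav, licenses)], "unknown": [gav]}.

    An artifact offered under several licenses is only flagged when every
    known license is Category X, since the consumer may pick the acceptable
    one (this is what lets a CDDL/GPLv2+CE dual license through). Artifacts
    whose licenses are all unresolved are reported separately for review.
    """
    result = {"category_x": [], "unknown": []}
    for line in report_text.splitlines():
        parsed = parse_third_party_line(line)
        if parsed is None:
            continue
        licenses, _name, gav, _url = parsed
        known = [lic for lic in licenses if lic.lower() not in UNKNOWN_LICENSES]
        if not known:
            result["unknown"].append(gav)
        elif all(is_category_x(lic) for lic in known):
            result["category_x"].append((gav, known))
    return result


def main(argv):
    # Assumption: default THIRD-PARTY.txt location written by the plugin.
    path = argv[1] if len(argv) > 1 else "target/generated-sources/license/THIRD-PARTY.txt"
    with open(path, encoding="utf-8") as fh:
        result = audit(fh.read())
    for gav, licenses in result["category_x"]:
        print(f"CATEGORY X: {gav} -> {'; '.join(licenses)}")
    for gav in result["unknown"]:
        print(f"UNKNOWN LICENSE (needs review): {gav}")
    # Non-zero exit fails the build step that invoked the script.
    return 1 if result["category_x"] or result["unknown"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the plugin output after `mvn license:add-third-party` (path as the first argument); on the embedded sample it reports xom:xom as Category X and the unknown-license jar as needing review, while the dual-licensed artifact passes. The pattern list is the weak point of any such check: a license renamed or misspelled in a POM slips through, so pair this with the human review of the generated LICENSE/NOTICE that the thread already relies on.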