[ https://issues.apache.org/jira/browse/PHOENIX-6010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17157886#comment-17157886 ]

Istvan Toth edited comment on PHOENIX-6010 at 7/15/20, 5:18 AM:
----------------------------------------------------------------

Notes:
 * I've chosen 29.0-android for the thirdparty Guava version, as we need Java 7 
compatibility.
 ** The alternative would be Guava 20 (the last non-android release that 
supports Java 7), which has CVEs.
 * Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill and 
Guava 13, as its Twill dependency doesn't work with recent Guavas.
 ** The long-term solution would be removing the EOL twill dependency from it, 
and then converting to thirdparty, but that's quite a lot of work, and I wanted 
to have something that works now.
 * This is less of an issue for 4.x, where every component is on Guava 13 - 
ish, but I think once it's done, it'd be worth backporting this to 4.x as well, 
if only to make backporting easier.
 * If/when we agree on doing this, and have worked out the details, I'll add 
the sub-tasks for getting this in master:
 ** create a new repo for phoenix-thirdparty and release it
 ** update and release Tephra with the shaded artifact
 ** update and release Omid with the thirdparty stuff
 ** update the Omid and Tephra dependencies in Phoenix, and convert it to use 
thirdparty as well.

Please share your thoughts, opinion, and questions!


was (Author: stoty):
Notes:
 * I've chosen 29.0-android for the thirdparty Guava version, as we need Java 7 
compatibility.
 ** The alternative would be Guava 20 (the last non-android release that 
supports Java 7), which has CVEs.
 * Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill and 
Guava 13, as its Twill dependency doesn't work with recent Guavas.
 ** The long-term solution would be removing the EOL twill dependency from it, 
and then converting to thirdparty, but that's quite a lot of work, and I wanted 
to have something that works now.
 * This is less of an issue for 4.x, where every component is on Guava 13 - 
ish, but I think once it's done, it'd be worth backporting this to 4.x as well, 
if only to make backporting easier.
 * If/when we agree on doing this, and have worked out the details, I'll add 
the sub-tasks for getting this in master:
 ** create a new repo for phoenix-thirdparty
 ** release phoenix-thirdparty
 ** update and release Tephra with the shaded artifact
 ** update and release Omid with the thirdparty stuff
 ** update the Omid and Tephra dependencies in Phoenix, and convert it to use 
thirdparty as well.

Please share your thoughts, opinion, and questions!

> Create phoenix-thirdparty, and consume guava through it
> -------------------------------------------------------
>
>                 Key: PHOENIX-6010
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6010
>             Project: Phoenix
>          Issue Type: Improvement
>          Components: core, omid, tephra
>    Affects Versions: 5.1.0, 4.16.0
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> We have long-standing and well-documented problems with Guava, just like the 
> rest of the Hadoop components.
> Adopt the solution used by HBase:
>  * create phoenix-thirdparty repo
>  * create a pre-shaded phoenix-shaded-guava artifact in it
>  * Use the pre-shaded Guava in every phoenix component
> The advantages are well-known, but to name a few:
>  * Phoenix will work with Hadoop 3.1.3+
>  * One less CVE in our direct dependencies
>  * No more conflict with our consumer's Guava versions



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
