[ https://issues.apache.org/jira/browse/PHOENIX-6010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17157886#comment-17157886 ]
Istvan Toth edited comment on PHOENIX-6010 at 7/15/20, 5:18 AM: ---------------------------------------------------------------- Notes: * I've chosen 29.0-android for the thirdparty Guava version, as we need Java 7 compatibility. ** The alternative would be Guava 20 (the last non-android release that supoorts Java 7), which has CVEs. * Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill and Guava 13, as its Twill dependency doesn't work with recent Guavas. ** The long-term solution would be removing the EOL twill dependency from it, and then converting to thirdparty, but that's quite a lot of work, and I wanted to have something that works now. * This is less of an issue for 4.x, where every component is on Guava 13 - ish, but I think once it's done, it'd be worth backporting this to 4.x as well, if only to make backporting easier. * If/when we agree on doing this, and have worked out the details, I'll add the sub-tasks for getting this in master: ** create a new repo for phoenix-thirdparty and release it ** update and release Tephra with the shaded artifact ** update and release Omid with the the thirdparty stuff ** update the Omid and Tephra dependencies in Phoenix, and convert it to use thirdparty as well. Please share your thoughts, opinion, and questions! was (Author: stoty): Notes: * I've chosen 29.0-android for the thirdparty Guava version, as we need Java 7 compatibility. ** The alternative would be Guava 20 (the last non-android release that supoorts Java 7), which has CVEs. * Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill and Guava 13, as its Twill dependency doesn't work with recent Guavas. ** The long-term solution would be removing the EOL twill dependency from it, and then converting to thirdparty, but that's quite a lot of work, and I wanted to have something that works now. * This is less of an issue for 4.x, where every component is on Guava 13 - ish, but I think once it's done, it'd be worth backporting this to 4.x as well, if only to make backporting easier. * If/when we agree on doing this, and have worked out the details, I'll add the sub-tasks for getting this in master: ** create a new repo for phoenix-thirdparty ** release phoenix-thirdparty ** update and release Tephra with the shaded artifact ** update and release Omid with the the thirdparty stuff ** update the Omid and Tephra dependencies in Phoenix, and convert it to use thirdparty as well. Please share your thoughts, opinion, and questions! > Create phoenix-thirdparty, and consume guava through it > ------------------------------------------------------- > > Key: PHOENIX-6010 > URL: https://issues.apache.org/jira/browse/PHOENIX-6010 > Project: Phoenix > Issue Type: Improvement > Components: core, omid, tephra > Affects Versions: 5.1.0, 4.16.0 > Reporter: Istvan Toth > Assignee: Istvan Toth > Priority: Major > > We have long-standing and well-documented problems with Guava, just like the > rest of the Hadoop components. > Adopt the solution used by HBase: > * create phoenix-thirdparty repo > * create a pre-shaded phoenix-shaded-guava artifact in it > * Use the pre-shaded Guava in every phoenix component > The advantages are well-known, but to name a few: > * Phoenix will work with Hadoop 3.1.3+ > * One less CVE in our direct dependencies > * No more conflict with our consumer's Guava versions -- This message was sent by Atlassian Jira (v8.3.4#803005)