Re: icu4j / i18n-util upgrade

2022-10-20 Thread Istvan Toth
Thanks Andrew, I accepted the OWASP report at face value.

The sad reality today is that it is easier to do a needless version bump
than to get users to understand and accept that a static code analysis tool
gives false positives.

Anyway, keeping dependencies up-to-date even without CVEs is generally a
good thing.

Opened https://issues.apache.org/jira/browse/PHOENIX-6818 to track this.

Istvan

On Thu, Oct 20, 2022 at 5:42 PM Andrew Purtell wrote:

> The CVE is for the c++ icu library not icu4j but ?
>
> We did A where I work and it did what you’d expect and shut up the vuln
> scanner.
>
> +1 for B. The code is compatibly licensed and not that much. Other options
> carry functionality loss risks or dev work. Dropping it in place is low
> risk and low effort. Longer term you may decide to go in a different
> direction, which is fine, it would be in tree and modifiable.
>
> > On Oct 20, 2022, at 1:05 AM, Istvan Toth  wrote:
> >
> > Hi!
> >
> > Our icu4j version has CVEs.
> > It is pulled in via com.salesforce.i18n:i18n-util
> >
> >
> >
> >
> >
> > [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> > [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> > [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> > [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> > [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
> >
> >
> > https://github.com/salesforce/i18n-util is marked as archived, and the
> > committer names are not familiar to me.
> >
> > Do you think that it is possible to have a new release with a recent icu4j
> > version ?
> >
> > If not, should we
> >
> > A.) Dependencymanage icu4j (haven't tested if it works yet)
> > B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
> > drop the dependency (it's small)
> > ?
> >
> > regards
> > Istvan
>


-- 
*István Tóth* | Sr. Staff Software Engineer
*Email*: st...@cloudera.com


[jira] [Created] (PHOENIX-6818) Remove dependency on the i18n-util library

2022-10-20 Thread Istvan Toth (Jira)
Istvan Toth created PHOENIX-6818:


 Summary: Remove dependency on the i18n-util library
 Key: PHOENIX-6818
 URL: https://issues.apache.org/jira/browse/PHOENIX-6818
 Project: Phoenix
  Issue Type: Improvement
  Components: core
Reporter: Istvan Toth


i18n-util development seems to have stopped.

We should copy the few relevant classes that we use from it, and maintain them 
in Phoenix.
This also means that we need to depend explicitly on the icu4j library that 
i18n-util depends on.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: icu4j / i18n-util upgrade

2022-10-20 Thread Andrew Purtell
The CVE is for the c++ icu library not icu4j but ?

We did A where I work and it did what you’d expect and shut up the vuln 
scanner. 

+1 for B. The code is compatibly licensed and not that much. Other options 
carry functionality loss risks or dev work. Dropping it in place is low risk 
and low effort. Longer term you may decide to go in a different direction, 
which is fine, it would be in tree and modifiable.

> On Oct 20, 2022, at 1:05 AM, Istvan Toth  wrote:
> 
> Hi!
> 
> Our icu4j version has CVEs.
> It is pulled in via com.salesforce.i18n:i18n-util
> 
> 
> 
> 
> 
> [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
> 
> 
> https://github.com/salesforce/i18n-util is marked as archived, and the
> committer names are not familiar to me.
> 
> Do you think that it is possible to have a new release with a recent icu4j
> version ?
> 
> If not, should we
> 
> A.) Dependencymanage icu4j (haven't tested if it works yet)
> B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
> drop the dependency (it's small)
> ?
> 
> regards
> Istvan


PhoenixDB PyPI project permissions

2022-10-20 Thread Istvan Toth
Hi!

I have added Richard as an *Owner* to the *phoenixdb* project on PyPI.

The current Owners are Josh, Lukas Lalinsky (the original author), Richard
and me.

If anyone else has or creates a PyPI account, please contact one of the
owners to add you.

regards
Istvan


[jira] [Updated] (PHOENIX-6817) Switch to guava -JRE variant

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/PHOENIX-6817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated PHOENIX-6817:
-
Description: 
We chose to include the -android variant of Guava, to ensure compatibility with
Java 7, which was required by the 4.x branch.

Now that the 4.x branch is EOL, we can switch to the more standard -jre version.

  was:
We chose to include the -android variant of Guava, to ensure compatibility with
Java 7, which was required by the 4.x branch.

Now that the 4.x branch is EOL, we can switch to the more standarrd -jre 
version.


> Switch to guava -JRE variant
> 
>
> Key: PHOENIX-6817
> URL: https://issues.apache.org/jira/browse/PHOENIX-6817
> Project: Phoenix
>  Issue Type: Improvement
>  Components: thirdparty
>Affects Versions: thirdparty-2.0.0
>Reporter: Istvan Toth
>Priority: Major
>
> We chose to include the -android variant of Guava, to ensure compatibility
> with Java 7, which was required by the 4.x branch.
> Now that the 4.x branch is EOL, we can switch to the more standard -jre 
> version.





[jira] [Updated] (PHOENIX-6816) Update Jetty to 9.4.49.v20220914

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/PHOENIX-6816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated PHOENIX-6816:
-
Affects Version/s: 5.2.0
   5.1.3

> Update Jetty to 9.4.49.v20220914
> 
>
> Key: PHOENIX-6816
> URL: https://issues.apache.org/jira/browse/PHOENIX-6816
> Project: Phoenix
>  Issue Type: Task
>Affects Versions: 5.2.0, 5.1.3
>Reporter: Istvan Toth
>Assignee: Istvan Toth
>Priority: Major
>
> Update the Jetty in tracing-webapp to the latest release.





[jira] [Updated] (PHOENIX-6815) Update Gson version to 2.9.1

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/PHOENIX-6815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated PHOENIX-6815:
-
Affects Version/s: 5.2.0
   5.1.3

> Update Gson version to 2.9.1
> 
>
> Key: PHOENIX-6815
> URL: https://issues.apache.org/jira/browse/PHOENIX-6815
> Project: Phoenix
>  Issue Type: Task
>Affects Versions: 5.2.0, 5.1.3
>Reporter: Istvan Toth
>Assignee: Istvan Toth
>Priority: Major
>






[jira] [Updated] (OMID-190) Update website for 1.0.2

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/OMID-190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated OMID-190:
-
Fix Version/s: 1.1.1
   (was: 1.1.0)

> Update website for 1.0.2
> 
>
> Key: OMID-190
> URL: https://issues.apache.org/jira/browse/OMID-190
> Project: Phoenix Omid
>  Issue Type: Improvement
>Affects Versions: 1.0.2
>Reporter: Istvan Toth
>Priority: Major
> Fix For: 1.1.1
>
>
> The site repo URL has changed, and the download links point to the old repo 
> and release dirs.
>  





[jira] [Updated] (OMID-195) Add security system tests

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/OMID-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated OMID-195:
-
Fix Version/s: 1.1.1
   (was: 1.1.0)

> Add security system tests
> -
>
> Key: OMID-195
> URL: https://issues.apache.org/jira/browse/OMID-195
> Project: Phoenix Omid
>  Issue Type: Bug
>Reporter: Rajeshbabu Chintaguntla
>Assignee: Rajeshbabu Chintaguntla
>Priority: Major
> Fix For: 1.1.1
>
>
> Currently there are not many system tests covering functionality when security
> is enabled. This is the JIRA to add the tests with security enabled.





[jira] [Updated] (OMID-206) Half of the regions of commit table not getting used

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/OMID-206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated OMID-206:
-
Fix Version/s: 1.1.1
   (was: 1.1.0)

> Half of the regions of commit table not getting used
> 
>
> Key: OMID-206
> URL: https://issues.apache.org/jira/browse/OMID-206
> Project: Phoenix Omid
>  Issue Type: Bug
>Reporter: Rajeshbabu Chintaguntla
>Assignee: Rajeshbabu Chintaguntla
>Priority: Major
> Fix For: 1.1.1
>
> Attachments: Screen Shot 2021-03-30 at 11.32.54 PM.png
>
>
> PFA image,
> only half of the regions are getting load; the remaining half are not getting
> even a single request.





[jira] [Updated] (PHOENIX-6815) Update Gson version to 2.9.1

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/PHOENIX-6815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth updated PHOENIX-6815:
-
Summary: Update Gson version to 2.9.1  (was: Bump gson version to 2.9.1)

> Update Gson version to 2.9.1
> 
>
> Key: PHOENIX-6815
> URL: https://issues.apache.org/jira/browse/PHOENIX-6815
> Project: Phoenix
>  Issue Type: Task
>Reporter: Istvan Toth
>Assignee: Istvan Toth
>Priority: Major
>






[jira] [Created] (OMID-234) Bump SnakeYaml version to 1.33

2022-10-20 Thread Istvan Toth (Jira)
Istvan Toth created OMID-234:


 Summary: Bump SnakeYaml version to 1.33
 Key: OMID-234
 URL: https://issues.apache.org/jira/browse/OMID-234
 Project: Phoenix Omid
  Issue Type: Task
Affects Versions: 1.1.0
Reporter: Istvan Toth








[jira] [Created] (PHOENIX-6817) Switch to guava -JRE variant

2022-10-20 Thread Istvan Toth (Jira)
Istvan Toth created PHOENIX-6817:


 Summary: Switch to guava -JRE variant
 Key: PHOENIX-6817
 URL: https://issues.apache.org/jira/browse/PHOENIX-6817
 Project: Phoenix
  Issue Type: Improvement
  Components: thirdparty
Affects Versions: thirdparty-2.0.0
Reporter: Istvan Toth


We chose to include the -android variant of Guava, to ensure compatibility with
Java 7, which was required by the 4.x branch.

Now that the 4.x branch is EOL, we can switch to the more standarrd -jre 
version.





[jira] [Created] (PHOENIX-6816) Update Jetty to 9.4.49.v20220914

2022-10-20 Thread Istvan Toth (Jira)
Istvan Toth created PHOENIX-6816:


 Summary: Update Jetty to 9.4.49.v20220914
 Key: PHOENIX-6816
 URL: https://issues.apache.org/jira/browse/PHOENIX-6816
 Project: Phoenix
  Issue Type: Task
Reporter: Istvan Toth


Update the Jetty in tracing-webapp to the latest release.





[jira] [Assigned] (PHOENIX-6816) Update Jetty to 9.4.49.v20220914

2022-10-20 Thread Istvan Toth (Jira)


 [ 
https://issues.apache.org/jira/browse/PHOENIX-6816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Istvan Toth reassigned PHOENIX-6816:


Assignee: Istvan Toth

> Update Jetty to 9.4.49.v20220914
> 
>
> Key: PHOENIX-6816
> URL: https://issues.apache.org/jira/browse/PHOENIX-6816
> Project: Phoenix
>  Issue Type: Task
>Reporter: Istvan Toth
>Assignee: Istvan Toth
>Priority: Major
>
> Update the Jetty in tracing-webapp to the latest release.





icu4j / i18n-util upgrade

2022-10-20 Thread Istvan Toth
Hi!

Our icu4j version has CVEs.
It is pulled in via com.salesforce.i18n:i18n-util





[INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
[INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
[INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile


https://github.com/salesforce/i18n-util is marked as archived, and the
committer names are not familiar to me.

Do you think that it is possible to have a new release with a recent icu4j
version ?

If not, should we

A.) Dependencymanage icu4j (haven't tested if it works yet)
B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
drop the dependency (it's small)
?

regards
Istvan
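
Whichever of A or B is chosen, the first step is knowing exactly which icu artifacts arrive through i18n-util. The following is an added example, not part of the original message and not Phoenix code: a small parser for `mvn dependency:tree` output, run over the tree fragment quoted above. The root coordinate `example:app` is a constructed placeholder, since the thread does not show the root module.

```python
import re

# Constructed input: the tree fragment quoted in the message, one node per line.
# The root coordinate is a placeholder; the real module is not shown in the thread.
SAMPLE_TREE = r"""
[INFO] example:app:jar:0.0.0
[INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
[INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
[INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
"""

# "[INFO] ", then one 3-char indent unit per ancestor level, then an optional
# "+- " or "\- " branch marker, then colon-separated Maven coordinates.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?([\w.\-]+(?::[\w.\-]+){3,5})$")


def parse_tree(text):
    """Yield (depth, groupId, artifactId, version) for each tree node."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # skip banners, blank lines and other Maven log output
        indent, marker, coords = m.groups()
        parts = coords.split(":")
        # Root: g:a:type:version. Dependencies end in :version:scope.
        version = parts[-2] if marker else parts[-1]
        depth = len(indent) // 3 + 1 if marker else 0
        yield depth, parts[0], parts[1], version


def introduced_by(text, group_id):
    """Map each artifact of group_id to the dependency chain that pulls it in.

    An empty chain means the artifact is declared directly by the project.
    """
    stack, found = [], {}
    for depth, g, a, v in parse_tree(text):
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(f"{g}:{a}:{v}")
        if depth > 0 and g == group_id:
            found[stack[-1]] = stack[1:-1]  # exclude root and the node itself
    return found


if __name__ == "__main__":
    for artifact, chain in introduced_by(SAMPLE_TREE, "com.ibm.icu").items():
        print(artifact, "<-", " <- ".join(reversed(chain)) or "(direct)")
```

All three `com.ibm.icu` artifacts resolve to the same parent, so a version override or an in-tree copy has to account for `icu4j-localespi` and `icu4j-charset` as well as `icu4j` itself.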


Re: [VOTE] Release of phoenixdb 1.2.1 RC1

2022-10-20 Thread rajeshb...@apache.org
+1

- Signature: ok
- Checksum: ok
- Build: ok

On Tue, Oct 18, 2022 at 5:59 AM Viraj Jasani  wrote:

> +1
>
> * Signature: ok
> * Checksum: ok
> * Build: ok
> * Tests using docker setup: ok
>
>
>
> On Thu, Oct 13, 2022 at 5:31 AM Richárd Antal wrote:
>
> > Hello Everyone,
> >
> > This is a call for a vote on PhoenixDB 1.2.1 RC1.
> >
> > PhoenixDB is a native Python driver for accessing Phoenix via Phoenix Query
> > Server.
> >
> > This version contains the following improvements compared to the previous
> > 1.2.0 release
> >
> > - Defined authentication mechanism for SPNEGO explicitly (PHOENIX-6781)
> > - Fixed failing docker build because of missing files (PHOENIX-6801)
> > - Fixed make_rc.sh script on mac (PHOENIX-6803)
> > - Re-added phoenixdb requirements (PHOENIX-6811)
> > - Fixed flaky tests
> >
> > The source release consists of the contents of the python-phoenixdb
> > directory of the phoenix-queryserver repository.
> >
> > The source tarball, including signatures, digests, etc can be found at:
> >
> >
> >
> > https://dist.apache.org/repos/dist/dev/phoenix/python-phoenixdb-1.2.1.rc1/src/
> >
> > Artifacts are signed with my (Richard Antal) "CODE SIGNING KEY":
> > 7813862A85AFBBB4FE71CC95E7B87AA3FFA8EDAD
> >
> > KEYS file available here:
> > https://dist.apache.org/repos/dist/release/phoenix/KEYS
> >
> > The hash and tag to be voted upon:
> >
> >
> >
> > https://github.com/apache/phoenix-queryserver/tree/1c6842a78b9b65be72d02780ac2c8221178a5713
> >
> >
> >
> > https://github.com/apache/phoenix-queryserver/tree/python-phoenixdb-1.2.1.rc1
> >
> > The vote will be open for at least 72 hours. Please vote:
> >
> > [ ] +1 approve
> > [ ] +0 no opinion
> > [ ] -1 disapprove (and reason why)
> >
> > Thanks,
> > Richard
> >
>


[jira] [Created] (PHOENIX-6815) Bump gson version to 2.9.1

2022-10-20 Thread Istvan Toth (Jira)
Istvan Toth created PHOENIX-6815:


 Summary: Bump gson version to 2.9.1
 Key: PHOENIX-6815
 URL: https://issues.apache.org/jira/browse/PHOENIX-6815
 Project: Phoenix
  Issue Type: Task
Reporter: Istvan Toth
Assignee: Istvan Toth





