[GitHub] [flink] rmetzger commented on pull request #14749: [FLINK-21123][fs] Bump beanutils to 1.9.4
rmetzger commented on pull request #14749:
URL: https://github.com/apache/flink/pull/14749#issuecomment-766794435

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [flink] rmetzger commented on pull request #14749: [FLINK-21123][fs] Bump beanutils to 1.9.4
rmetzger commented on pull request #14749:
URL: https://github.com/apache/flink/pull/14749#issuecomment-766887772

> The test failure is unlikely to be related (I can't see how that could affect things); I'll re-run the e2e tests to be sure.

But the same failure occurred in your personal CI as well: https://dev.azure.com/chesnay/flink/_build/results?buildId=685=results

Dropping it: I haven't any significant user@ thread asking something about the File system. It was contributed in 2018, and a quick "git blame" on the module doesn't reveal any more changes to it = no new contributions. Are you, or shall I start a discussion for dropping it?
[GitHub] [flink] rmetzger commented on pull request #14749: [FLINK-21123][fs] Bump beanutils to 1.9.4
rmetzger commented on pull request #14749:
URL: https://github.com/apache/flink/pull/14749#issuecomment-766794435

Thanks for opening this PR. It seems that the K8s e2e is not passing anymore due to this change.

Also, I'm not sure what's more valuable: shipping a "vulnerability free" but maybe broken flink-fs-swift-hadoop implementation vs a vulnerable but maybe broken flink-fs-swift-hadoop impl. From a project perspective, we are having more trouble releasing a fat jar containing a vulnerable dependency than a potentially broken one. If this dependency bump would break the connector, we would at least learn that there's a user (and affected users could still use the 1.12 release of the connector impl while we fix it).