phoenix-dev mailing list archives

From Istvan Toth <st...@apache.org>
Subject [DISCUSS] Solving the Guava situation by creating phoenix-thirdparty
Date Wed, 15 Jul 2020 05:37:13 GMT
Hi!

I've just opened https://issues.apache.org/jira/browse/PHOENIX-6010 that
introduces a pre-shaded HBase-style phoenix-thirdparty repo with pre-shaded
Guava.

Please check it out, and share your thoughts on it!

Copying most of the ticket here, in the hope of getting more eyes on it:

We have long-standing and well-documented problems with Guava, just like
the rest of the Hadoop components.

Adopt the solution used by HBase:

   - create phoenix-thirdparty repo
   - create a pre-shaded phoenix-shaded-guava artifact in it
   - Use the pre-shaded Guava in every phoenix component

The advantages are well-known, but to name a few:

   - Phoenix will work with Hadoop 3.1.3+
   - One less CVE in our direct dependencies
   - No more conflict with our consumers' Guava versions


Notes:

   - I've chosen 29.0-android for the thirdparty Guava version, as we need
   Java 7 compatibility.
      - The alternative would be Guava 20 (the last non-android release
      that supports Java 7), which has CVEs.
   - Tephra doesn't use phoenix-thirdparty, instead it is shaded with Twill
   and Guava 13, as its Twill dependency doesn't work with recent Guavas.
      - The long-term solution would be removing the EOL twill dependency
      from it, and then converting to thirdparty, but that's quite a lot of
      work, and I wanted to have something that works now.
   - This is less of an issue for 4.x, where every component is on Guava
   13-ish, but I think once it's done, it'd be worth backporting this to 4.x as
   well, if only to make backporting easier.
   - If/when we agree on doing this, and have worked out the details, I'll
   add the sub-tasks for getting this in master:
      - create a new repo for phoenix-thirdparty and release it
      - update and release Tephra with the shaded artifact
      - update and release Omid with the thirdparty stuff
      - update the Omid and Tephra dependencies in Phoenix, and convert it
      to use thirdparty as well.

Please share your thoughts, opinion, and questions!
