hadoop-mapreduce-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wei-Chiu Chuang <weic...@apache.org>
Subject How should we do about dependency update?
Date Mon, 21 Oct 2019 17:33:05 GMT
Hi Hadoop developers,

I've always had this question and I don't know the answer.

For the last few months I finally spent time to deal with the vulnerability
reports from our internal dependency check tools.

Say in HADOOP-16152 <https://issues.apache.org/jira/browse/HADOOP-16152>
we update Jetty from 9.3.27 to 9.4.20 because of CVE-2019-16869, should I
cherrypick the fix into all lower releases?
This is not a trivial change, and it breaks downstreams like Tez. On the
other hand, it doesn't seem reasonable if I put this fix only in trunk, and
left older releases vulnerable. What's the expectation of downstream
applications w.r.t breaking compatibility vs fixing security issues?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message