accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <ctubb...@apache.org>
Subject Re: [DISCUSS] Minimum JDK in 1.6.1
Date Fri, 20 Jun 2014 21:39:10 GMT
More data points to consider:

mortbay Jetty has known security vulnerabilities (albeit relatively low
ones)
http://www.cvedetails.com/vulnerability-list/vendor_id-9694/product_id-17330/Mortbay-Jetty.html

Jetty 6 was announced as deprecated in January 2012 (for some performance
and security issues)
http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00026.html

Another option is to bump down to Jetty 8 for 1.6.x, which might be a
smaller change that would keep us on JRE 6, and still satisfy ACCUMULO-2786.


--
Christopher L Tubbs II
http://gravatar.com/ctubbsii


On Fri, Jun 20, 2014 at 5:27 PM, Sean Busbey <busbey@cloudera.com> wrote:

> strong -1 on option 1; 1.6.0 went out with Java 6 as a minimum and we
> should not change that in the major release.
>
> +1 on option 2.
>
>
> On Fri, Jun 20, 2014 at 5:22 PM, Mike Drob <madrob@cloudera.com> wrote:
>
> > +1 for option 2.
> >
> > We promised users that they can use Java 6 for 1.6.0 and it would be very
> > jarring to suddenly require 1.7.0.
> >
> > April 2015 is a long time away, and I'm not sure that the world will
> > migrate quickly, given how long it took for Java 7 adoption.
> >
> >
> > On Fri, Jun 20, 2014 at 4:19 PM, Christopher <ctubbsii@apache.org>
> wrote:
> >
> > > As pointed out by Dave on ACCUMULO-2808, it looks like ACCUMULO-2808 /
> > > ACCUMULO-2786 causes the monitor to require Java 7.
> > >
> > > Personally, I'm okay with this, but obviously this was not expected or
> > > intended.
> > >
> > > Since we're still targeting Java 6 in our Accumulo build, the other
> > > Accumulo services will still run in JRE6, and our code is still JRE6
> > > compatible (even if we build with JDK7). If building with JDK7 fixed
> the
> > > issue and produced a monitor service that ran fine in JRE6, I'd say no
> > > problem: we build with JDK7, while targeting JRE6. However, I don't
> think
> > > that will work. I think the monitor will just fail at runtime rather
> than
> > > compile time (if somebody has time to check, I'd appreciate
> > confirmation).
> > >
> > > So, our choices seem to be:
> > >
> > > 1. Make note of this requirement in the release notes for 1.6.1 and
> > target
> > > JRE7 in future 1.6 builds, or
> > > 2. Back out the changes for ACCUMULO-2808 from 1.6.1, and redo
> > > ACCUMULO-2786 with some other implementation.
> > >
> > > (It should be noted that Java 7 is expected to be EOL in April 2015;
> the
> > > announcement was already made, so people should be migrating to 8
> > already,
> > > if possible)
> > >
> > > --
> > > Christopher L Tubbs II
> > > http://gravatar.com/ctubbsii
> > >
> >
>
>
>
> --
> Sean
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message