accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ctubbsii <...@git.apache.org>
Subject [GitHub] accumulo pull request #131: ACCUMULO-4356 Remove bundled jars from -bin.tar....
Date Fri, 22 Jul 2016 16:01:46 GMT
Github user ctubbsii commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/131#discussion_r71902889
  
    --- Diff: assemble/src/main/scripts/generate-download-script.sh ---
    @@ -0,0 +1,56 @@
    +#! /usr/bin/env bash
    +
    +# Licensed to the Apache Software Foundation (ASF) under one or more
    +# contributor license agreements.  See the NOTICE file distributed with
    +# this work for additional information regarding copyright ownership.
    +# The ASF licenses this file to You under the Apache License, Version 2.0
    +# (the "License"); you may not use this file except in compliance with
    +# the License.  You may obtain a copy of the License at
    +#
    +#     http://www.apache.org/licenses/LICENSE-2.0
    +#
    +# Unless required by applicable law or agreed to in writing, software
    +# distributed under the License is distributed on an "AS IS" BASIS,
    +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +# See the License for the specific language governing permissions and
    +# limitations under the License.
    +
    +# This script will generate a DEPENDENCIES listing of packaged dependencies
    +
    +in=target/dependencies.raw.txt
    +out=target/download-dependencies
    +
    +cat >"$out" <<'EOF'
    +#! /usr/bin/env bash
    +# This script downloads the following jars, identified by their maven
    +# coordinates, using the maven-dependency-plugin.
    +#
    +# DISCLAIMER: This is only one possible way to download a set of dependencies
    --- End diff --
    
    Guava is an interesting example, because we actually don't require a specific version,
other than "not ancient". Pretty much anything after version 11 will work for our needs. Any
restriction imposed on using newer versions, as far as I'm aware, is inherited from Hadoop.
Guava is actually pretty stable... unless you use their explicitly annotated beta methods...
which Hadoop does (at least, pre-2.6 Hadoop). This inheritance of Hadoop's restrictions is
precisely the reason why dependency convergence is so important for a user to resolve downstream....
we just can't know what version of Hadoop they are going to use, and what dependency restrictions
are going to be inherited.
    
    We can, as you've stated, document what versions we've built with and we're pretty sure
will work, if the user sticks to all those same versions. Of course, I wouldn't recommend
users actually stick to just those versions... otherwise, they'll probably be left vulnerable
to various bugs and security problems which have been fixed in newer versions of those dependencies.
But we can at least document it as a baseline for what versions worked, at the time of release.
    
    There's not an easy answer to the question about how a user can know if a newer version
of a dependency will work. If they have a requirement for Guava 18... they may just have to
try it and report back to the upstream community (us) to let us know if it didn't work. That
seems like business as usual, and the way I'd expect things to work in a healthy open source
community.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message