hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12579) Deprecate and remove WriteableRPCEngine
Date Thu, 14 Jan 2016 01:07:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097391#comment-15097391
] 

Kai Zheng commented on HADOOP-12579:
------------------------------------

bq. Sure. We should probably remove the PB wrappers in a follow-on change rather than dealing
with it here.
Thanks for the confirm. I'd like to sort my quick trying out and provide a patch for some
comments.

bq. there are many more times when it's simpler and less error-prone just to use the types
directly. The translation code is very verbose, which makes it inconvenient to add or change
anything, and has been a source of bugs in the past when someone forgets to manually copy
a field.
I agree. The manual copy particularly for complex and deep structures is error-prone with
no mechanisms like tests to guard. Would explore some bit in this direction, and probably
find a small place for the initial prototype to see the effect, considering the change and
impact is overall large.

> Deprecate and remove WriteableRPCEngine
> ---------------------------------------
>
>                 Key: HADOOP-12579
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12579
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Haohui Mai
>
> The {{WriteableRPCEninge}} depends on Java's serialization mechanisms for RPC requests.
Without proper checks, it has be shown that it can lead to security vulnerabilities such as
remote code execution (e.g., COLLECTIONS-580, HADOOP-12577).
> The current implementation has migrated from {{WriteableRPCEngine}} to {{ProtobufRPCEngine}}
now. This jira proposes to deprecate {{WriteableRPCEngine}} in branch-2 and to remove it in
trunk.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message