hadoop-common-issues mailing list archives

From "Matt Foley (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13382) remove unneeded commons-httpclient dependencies from POM files in Hadoop and sub-projects
Date Mon, 08 Aug 2016 17:15:20 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13382?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Foley updated HADOOP-13382:
--------------------------------
    Description: 
In branch-2.8 and later, the patches for various child and related bugs listed in HADOOP-10105,
most recently including HADOOP-11613, HADOOP-12710, HADOOP-12711, HADOOP-12552, and HDFS-10623,
eliminate all use of "commons-httpclient" from Hadoop and its sub-projects (except for hadoop-tools/hadoop-openstack;
see HADOOP-11614).

However, after incorporating these patches, "commons-httpclient" is still listed as a dependency
in these POM files:
* hadoop-project/pom.xml
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/pom.xml

We wish to remove these, but since commons-httpclient is still used in many files in hadoop-tools/hadoop-openstack,
we'll need to _add_ the dependency to
* hadoop-tools/hadoop-openstack/pom.xml
(We'll add a note to HADOOP-11614 to undo this when commons-httpclient is removed from hadoop-openstack.)
In 2.8, this was mostly done by HADOOP-12552, but the version info formerly inherited from
hadoop-project/pom.xml also needs to be added, so that is in the branch-2.8 version of the
patch.

Other projects with undeclared transitive dependencies on commons-httpclient, previously provided
via hadoop-common or hadoop-client, may find this to be an incompatible change.  Of course
that also means such a project is exposed to the commons-httpclient CVE, and needs to be fixed
for that reason as well.


  was:
In branch-2.8 and later, the patches for various child and related bugs listed in HADOOP-10105,
most recently including HADOOP-11613, HADOOP-12710, HADOOP-12711, HADOOP-12552, and HDFS-10623,
eliminate all use of "commons-httpclient" from Hadoop and its sub-projects (except for hadoop-tools/hadoop-openstack;
see HADOOP-11614).

However, after incorporating these patches, "commons-httpclient" is still listed as a dependency
in these POM files:
* hadoop-project/pom.xml
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/pom.xml

We wish to remove these, but since commons-httpclient is still used in many files in hadoop-tools/hadoop-openstack,
we'll need to _add_ the dependency to
* hadoop-tools/hadoop-openstack/pom.xml
(We'll add a note to HADOOP-11614 to undo this when commons-httpclient is removed from hadoop-openstack.)
In 2.8, this was mostly done by HADOOP-12552, but the version info formerly inherited from
hadoop-project/pom.xml also needs to be added, so that is in the branch-2.8 version of the
patch.



> remove unneeded commons-httpclient dependencies from POM files in Hadoop and sub-projects
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13382
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13382
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 2.8.0
>            Reporter: Matt Foley
>            Assignee: Matt Foley
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-13382-branch-2.000.patch, HADOOP-13382-branch-2.8.000.patch, HADOOP-13382.000.patch
>
>
> In branch-2.8 and later, the patches for various child and related bugs listed in HADOOP-10105, most recently including HADOOP-11613, HADOOP-12710, HADOOP-12711, HADOOP-12552, and HDFS-10623, eliminate all use of "commons-httpclient" from Hadoop and its sub-projects (except for hadoop-tools/hadoop-openstack; see HADOOP-11614).
> However, after incorporating these patches, "commons-httpclient" is still listed as a dependency in these POM files:
> * hadoop-project/pom.xml
> * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/pom.xml
> We wish to remove these, but since commons-httpclient is still used in many files in hadoop-tools/hadoop-openstack, we'll need to _add_ the dependency to
> * hadoop-tools/hadoop-openstack/pom.xml
> (We'll add a note to HADOOP-11614 to undo this when commons-httpclient is removed from hadoop-openstack.)
> In 2.8, this was mostly done by HADOOP-12552, but the version info formerly inherited from hadoop-project/pom.xml also needs to be added, so that is in the branch-2.8 version of the patch.
> Other projects with undeclared transitive dependencies on commons-httpclient, previously provided via hadoop-common or hadoop-client, may find this to be an incompatible change. Of course that also means such a project is exposed to the commons-httpclient CVE, and needs to be fixed for that reason as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
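
Added example, not part of the original message or of the HADOOP-13382 patches: a check a downstream project could run for the case the description's last paragraph raises, where source code imports `org.apache.commons.httpclient` while the module's own POM never declares `commons-httpclient`. The function names and the two-module sample tree are constructed for illustration; the check assumes each module keeps its sources under `src/` beside its `pom.xml` and does not resolve dependencies inherited from a parent POM.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ARTIFACT = "commons-httpclient"
# Legacy HttpClient 3.x classes live under this package.
IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?org\.apache\.commons\.httpclient\b", re.M)

def declares_httpclient(pom: Path) -> bool:
    """True if the module's own <dependencies> lists commons-httpclient."""
    root = ET.parse(pom).getroot()
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    return any((d.findtext(f"{ns}artifactId") or "").strip() == ARTIFACT
               for d in root.findall(f"{ns}dependencies/{ns}dependency"))

def undeclared_users(repo: Path) -> dict:
    """Module path -> Java files importing httpclient without a direct declaration."""
    findings = {}
    for pom in sorted(repo.rglob("pom.xml")):
        src = pom.parent / "src"
        if not src.is_dir() or declares_httpclient(pom):
            continue
        hits = sorted(f.relative_to(repo).as_posix() for f in src.rglob("*.java")
                      if IMPORT_RE.search(f.read_text(errors="replace")))
        if hits:
            findings[pom.parent.relative_to(repo).as_posix()] = hits
    return findings

def build_sample(root: Path) -> None:
    """Constructed tree: 'declared' lists the dependency, 'leaky' relies on it transitively."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>'
           '<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId></dependency>'
           '</dependencies></project>')
    java = "package sample;\nimport org.apache.commons.httpclient.HttpClient;\nclass C {}\n"
    for name, g, a in [("declared", ARTIFACT, ARTIFACT),
                       ("leaky", "org.apache.hadoop", "hadoop-common")]:
        pkg = root / name / "src/main/java/sample"
        pkg.mkdir(parents=True)
        (root / name / "pom.xml").write_text(pom.format(g=g, a=a))
        (pkg / "C.java").write_text(java)

def demo() -> dict:
    """Run the check over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return undeclared_users(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

On a real Maven build, `mvn dependency:analyze` reports the same condition as used but undeclared dependencies, with parent-POM inheritance resolved.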

