hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11656) Classpath isolation for downstream clients
Date Tue, 18 Apr 2017 18:49:43 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15973268#comment-15973268

Christopher Tubbs commented on HADOOP-11656:

As the current maintainer of Hadoop in the Fedora Linux distribution, I'm a bit concerned
that the goal here is basically to statically compile everything from the dependencies (bugs,
security issues, and all) into the Hadoop distribution jars. This would make downstream packaging
in Fedora (and other distros which rely on packagers to do dependency convergence) much more
difficult, as static compilation / bundling is essentially disallowed (some exceptions), because
packages don't benefit from system updates of their dependencies, creating security risks
and bad user experiences.

Am I misunderstanding what is being pursued here? Or is this basically bundling?

If this is bundling, I may be able to work around it by patching out the bundled deps for
Fedora builds, but this is somewhat inconvenient, and I'd rather upstream Hadoop do things
that make it easier on downstream community and vendor packaging. If I'm understanding the
situation correctly, perhaps there's a better way to resolve dependency convergence issues?
I've found that often, just following semantic versioning, and keeping dependencies reasonably
up-to-date resolves most issues. (For example, one of the biggest issues I've had depending
on Hadoop is its dependency on the old mortbay jetty, which is so full of security issues
and so out of date, I'm surprised it's not a constant source of CVEs for Hadoop itself.)

Has the upstream Hadoop community considered other possible options, such as better semantic
versioning, modularity, updated dependencies, marking dependencies "optional", relying on
user-defined classpath at runtime, etc., as an alternative to shading/bundling? What is the
basis for selecting shading as the solution instead of some of these other options?

Perhaps I'm completely misunderstanding the situation. If so, please explain where I've misunderstood.


> Classpath isolation for downstream clients
> ------------------------------------------
>                 Key: HADOOP-11656
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11656
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>              Labels: classloading, classpath, dependencies, scripts, shell
>         Attachments: HADOOP-11656_proposal.md
> Currently, Hadoop exposes downstream clients to a variety of third party libraries. As
our code base grows and matures we increase the set of libraries we rely on. At the same time,
as our user base grows we increase the likelihood that some downstream project will run into
a conflict while attempting to use a different version of some library we depend on. This
has already happened with i.e. Guava several times for HBase, Accumulo, and Spark (and I'm
sure others).
> While YARN-286 and MAPREDUCE-1700 provided an initial effort, they default to off and
they don't do anything to help dependency conflicts on the driver side or for folks talking
to HDFS directly. This should serve as an umbrella for changes needed to do things thoroughly
on the next major version.
> We should ensure that downstream clients
> 1) can depend on a client artifact for each of HDFS, YARN, and MapReduce that doesn't
pull in any third party dependencies
> 2) only see our public API classes (or as close to this as feasible) when executing user
provided code, whether client side in a launcher/driver or on the cluster in a container or
within MR.
> This provides us with a double benefit: users get less grief when they want to run substantially
ahead or behind the versions we need and the project is freer to change our own dependency
versions because they'll no longer be in our compatibility promises.
> Project specific task jiras to follow after I get some justifying use cases written in
the comments.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message