hadoop-mapreduce-dev mailing list archives

From Todd Lipcon <t...@cloudera.com>
Subject Opinions on MAPREDUCE-2980: Jetty "6.1.26.1" for 0.20-security
Date Fri, 30 Sep 2011 16:46:24 GMT

Quick summary of the issue: on many clusters running at scale, we've
seen the upgrade from Jetty 6.1.14 to 6.1.26 to cause a much higher
incidence of fetch failures and other related bugs. Unfortunately
downgrading back to 6.1.14 is unacceptable since it introduces
security holes. The Jetty folks don't have a particular timeline for
their next release, so I have prepared a patched Jetty with their
help. The source is available on my GitHub and there's a binary
artifact in Cloudera's Maven repository as well.

The question is whether the community thinks it would be a good idea
to depend on this "6.1.26.1" Jetty for 0.20-security until we have a
new upstream Jetty release that addresses the issue. We plan to ship
CDH with the fixed Jetty, and now have some customers moving this
version to production as well.

While I think it's unfortunate to have to ship a non-standard patch, I
think it's the best option as an interim solution to this critical MR
issue.

Please comment on MAPREDUCE-2980.

Thanks
-Todd
-- 
Todd Lipcon
Software Engineer, Cloudera
