hbase-dev mailing list archives

From Andrew Purtell <andrew.purt...@gmail.com>
Subject Re: [DISCUSS] Changing hadoop check versions in our hbase-personality?
Date Tue, 23 Oct 2018 01:59:19 GMT
We should react to all CVEs if we’re going to. Fine to start now. 

> On Oct 22, 2018, at 6:50 PM, Sean Busbey <busbey@apache.org> wrote:
> 
> Has the Hadoop PMC put out a public notice on the impact of that CVE yet?
> Specifically have they stated what versions are vulnerable? Are we flagging
> all versions impacted by it as "HBase says keep away"?
> 
> Is there some reason this particular CVE especially impacts users of HBase?
> I presume not since we're talking about this on dev@ and in JIRA instead of
> on private@.
> 
> Why are we reacting to this CVE when we don't seem to react to any other
> Hadoop CVEs? Or is this the start of a change wrt that?
> 
> What about other dependencies with open CVEs?
> 
>> On Mon, Oct 22, 2018, 20:33 张铎(Duo Zhang) <palomino219@gmail.com> wrote:
>> 
>> See here:
>> 
>> https://access.redhat.com/security/cve/cve-2018-8009
>> 
>> All 2.7.x releases before 2.7.7 have the problem. And for 2.6.x, the Hadoop
>> team seems to have dropped support, as there has been no release for about
>> two years, so either we keep the original supported versions, or we just drop
>> support for the 2.6.x release line.
>> 
>> Zach York <zyork.contribution@gmail.com> wrote on Tue, Oct 23, 2018 at 8:51 AM:
>> 
>>> What is the main reason for the change? Build time speedup?
>>> 
>>> Any reason for testing all of the 2.6.x line, but not the 2.7.x line? We
>>> don't check at all for 2.8.x?
>>> 
>>> Can we be more consistent with how we test compatibility? (Do we only care
>>> about the latest patch release in a line?)
>>> 
>>> Sorry if I'm missing some of the reasoning, but at a surface level it seems
>>> fairly arbitrary which releases we are cutting.
>>> 
>>>> On Mon, Oct 22, 2018 at 5:44 PM Sean Busbey <busbey@apache.org> wrote:
>>>> 
>>>> Please leave me time to review before it is committed.
>>>> 
>>>>> On Mon, Oct 22, 2018, 13:58 Stack <stack@duboce.net> wrote:
>>>>> 
>>>>> Duo has a patch up on HBASE-20970 that changes the Hadoop versions we check
>>>>> at build time. Any objections to committing to branch-2.1+?
>>>>> 
>>>>> It makes the following changes:
>>>>> 
>>>>> 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.1 2.7.2 2.7.3 2.7.4
>>>>> 
>>>>> becomes
>>>>> 
>>>>> 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.7
>>>>> 
>>>>> And...
>>>>> 
>>>>> 3.0.0
>>>>> 
>>>>> goes to
>>>>> 
>>>>> 3.0.3
>>>>> 
>>>>> Shout if you are against the change else will commit tomorrow.
>>>>> 
>>>>> Thanks,
>>>>> S
>>>>> 
>>>> 
>>> 
>> 
