hbase-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16260) Audit dependencies for Category-X
Date Tue, 26 Jul 2016 11:21:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15393646#comment-15393646

Sean Busbey commented on HBASE-16260:

I suggest we move forward with the revert, downgrade this issue from blocker, and free up

+1. We'll need to have a good release note that calls out we're vulnerable to whatever web
stuff was mitigated. Also please JIRA(s) for getting mitigations in place without blacklisted

I looked briefly at the rat module source code, it appears to be only designed to enforce
the presence of approved headers in distributed files. There's nothing I can find about checking
metadata on dependencies. Are we reduced to consuming the DEPENDENCIES report mentioned earlier?
Maybe Sean Busbey knows more voodoo than I...

The best I can think of is generating a dependency list of licenses via maven, preferably
in a way that leverages the supplemental info we already track for our generated LICENSE/NOTICE
files. I don't know if the DEPENDENCIES file does that, but it should be easy enough to check.
I can think of how we could make the velocity template that makes LICENSE/NOTICE fail if there
are only cat-x licenses, but I think we've seen how poor the error messaging out of that is.

> Audit dependencies for Category-X
> ---------------------------------
>                 Key: HBASE-16260
>                 URL: https://issues.apache.org/jira/browse/HBASE-16260
>             Project: HBase
>          Issue Type: Task
>          Components: community, dependencies
>    Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4, 1.1.5, 1.2.2
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Blocker
>             Fix For: 2.0.0, 1.1.6, 1.2.3
> Make sure we do not have category x dependencies.
> right now we at least have an LGPL for xom:xom (thanks to PHOENIX-3103 for the catch)

This message was sent by Atlassian JIRA
