From: "Nandor Kollar (JIRA)"
To: pig-dev@hadoop.apache.org
Date: Thu, 26 Oct 2017 14:07:00 +0000 (UTC)
Subject: [jira] [Commented] (PIG-5302) Remove HttpClient dependency

    [ https://issues.apache.org/jira/browse/PIG-5302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220472#comment-16220472 ]

Nandor Kollar commented on PIG-5302:
------------------------------------

[~rohini] it looks like commons-lang is pulled as a transitive dependency by avro-mapred. Looks like Commons HttpClient 3.1 is not even used as a transitive dependency (see attached Ivy report before applying my patch and removing these deps). What do you think, are these dependencies safe to remove?

> Remove HttpClient dependency
> ----------------------------
>
>                 Key: PIG-5302
>                 URL: https://issues.apache.org/jira/browse/PIG-5302
>             Project: Pig
>          Issue Type: Bug
>            Reporter: Nandor Kollar
>            Assignee: Nandor Kollar
>         Attachments: PIG-5302_1.patch, PIG-5302_2.patch, ivy-report.css, org.apache.pig-pig-compile.html
>
>
> Pig depends on Apache Commons HttpClient 3.1, which is an old version with security problems ([CVE-2015-5262|https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2015-5262])
> Also, Pig depends on Apache HttpComponents (it also needs an update to a newer version due to a similar reason), which is the successor of HttpClient, thus we should remove the HttpClient dependency and update HttpComponents to 4.4+