pig-dev mailing list archives

From "Nandor Kollar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PIG-5302) Remove HttpClient dependency
Date Mon, 13 Nov 2017 11:23:00 GMT

    [ https://issues.apache.org/jira/browse/PIG-5302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249414#comment-16249414 ]

Nandor Kollar commented on PIG-5302:
------------------------------------

Thanks [~rohini], yes, you're right, it is not a good idea to depend on transitive dependencies.
I missed the fact that commons-lang3 is in a different package, so moving to it requires
changes in the Java files too. Should we have a separate Jira for that? Since it doesn't have
CVEs, I'm not sure it's worth the effort, despite being old. Attached PIG-5302_4.patch, which
doesn't remove the commons-lang dependency, but uses 2.6 instead of 2.4.

> Remove HttpClient dependency
> ----------------------------
>
>                 Key: PIG-5302
>                 URL: https://issues.apache.org/jira/browse/PIG-5302
>             Project: Pig
>          Issue Type: Bug
>            Reporter: Nandor Kollar
>            Assignee: Nandor Kollar
>         Attachments: PIG-5302_1.patch, PIG-5302_2.patch, PIG-5302_3.patch, PIG-5302_4.patch, ivy-report.css, org.apache.pig-pig-compile.html
>
>
> Pig depends on Apache Commons HttpClient 3.1, which is an old version with security problems
([CVE-2015-5262|https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2015-5262]).
> Also, Pig depends on Apache HttpComponents (it also needs an update to a newer version for
a similar reason), which is the successor of HttpClient, thus we should remove the HttpClient
dependency and update HttpComponents to 4.4+.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
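The two points raised in the thread, that a dependency used by the code must be declared directly in ivy.xml rather than picked up transitively, and that commons-lang3 and HttpComponents live in different Java packages than the libraries they replace, are both mechanical enough to check with a script. The following is an added example, not code from Pig or from the patch under discussion: it scans Java sources for imports of the legacy packages (org.apache.commons.lang and org.apache.commons.httpclient) and reports which files would need editing, and it compares the artifacts the code actually imports against the <dependency> elements declared in an Ivy file. The sample Java files and the sample ivy.xml are constructed for the example; the package-to-artifact table uses the real Maven coordinates of the four libraries, but treating everything under org.apache.http as httpclient is an approximation (httpcore classes live there too).

```python
"""Check a Java tree and its ivy.xml for the migrations discussed in PIG-5302.

Added example, not Pig's own code. Flags imports of Commons HttpClient 3.x and
commons-lang 2.x, and reports artifacts the code uses without a direct Ivy
declaration (i.e. the build is relying on a transitive dependency).
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Package prefix -> (org, name) of the artifact that provides it. The coordinates
# are the real Maven/Ivy ones; mapping all of org.apache.http to httpclient is an
# approximation, since httpcore classes also live under that prefix.
PACKAGE_TO_ARTIFACT: Dict[str, Tuple[str, str]] = {
    "org.apache.commons.lang.": ("commons-lang", "commons-lang"),
    "org.apache.commons.lang3.": ("org.apache.commons", "commons-lang3"),
    "org.apache.commons.httpclient.": ("commons-httpclient", "commons-httpclient"),
    "org.apache.http.": ("org.apache.httpcomponents", "httpclient"),
}

# Legacy package prefix -> successor prefix. lang -> lang3 is mostly a rename;
# HttpClient 3 -> HttpComponents 4 is an API rewrite, so only the import is flagged.
LEGACY: Dict[str, str] = {
    "org.apache.commons.lang.": "org.apache.commons.lang3.",
    "org.apache.commons.httpclient.": "org.apache.http.",
}

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+(?:\.\*)?)\s*;", re.M)


def java_imports(source: str) -> List[str]:
    """All import targets of one Java compilation unit, in source order."""
    return [m.group(1) for m in IMPORT_RE.finditer(source)]


def find_legacy_imports(source: str) -> List[Tuple[str, str]]:
    """(old_import, successor_prefix) for every import of a legacy package."""
    hits = []
    for name in java_imports(source):
        for old, new in LEGACY.items():
            if name.startswith(old):
                hits.append((name, new))
    return hits


def declared_deps(ivy_xml: str) -> Dict[Tuple[str, str], str]:
    """(org, name) -> rev for each <dependency> declared directly in ivy.xml."""
    root = ET.fromstring(ivy_xml)
    return {(d.get("org"), d.get("name")): d.get("rev") for d in root.iter("dependency")}


def audit(files: Dict[str, str], ivy_xml: str) -> dict:
    """files: path -> Java source. Returns the files that import legacy packages
    and the set of artifacts the code uses without a direct Ivy declaration."""
    legacy: Dict[str, List[Tuple[str, str]]] = {}
    used: Set[Tuple[str, str]] = set()
    for path, source in files.items():
        hits = find_legacy_imports(source)
        if hits:
            legacy[path] = hits
        for name in java_imports(source):
            for prefix, artifact in PACKAGE_TO_ARTIFACT.items():
                if name.startswith(prefix):
                    used.add(artifact)
    undeclared = used - set(declared_deps(ivy_xml))
    return {"legacy": legacy, "undeclared": undeclared}


# Constructed sample input: three hypothetical Pig source files and an ivy.xml
# that declares commons-lang 2.6 (as PIG-5302_4.patch does) and HttpClient 3.1,
# but not HttpComponents, which Bar.java nevertheless imports.
SAMPLE_SOURCES = {
    "src/org/apache/pig/Foo.java": (
        "package org.apache.pig;\n"
        "import org.apache.commons.lang.StringUtils;\n"
        "import org.apache.commons.httpclient.HttpClient;\n"
        "public class Foo {}\n"),
    "src/org/apache/pig/Bar.java": (
        "package org.apache.pig;\n"
        "import org.apache.commons.lang3.StringUtils;\n"
        "import org.apache.http.client.HttpClient;\n"
        "public class Bar {}\n"),
    "src/org/apache/pig/Baz.java": (
        "package org.apache.pig;\nimport java.util.List;\npublic class Baz {}\n"),
}
SAMPLE_IVY_XML = """<ivy-module version="2.0">
  <dependencies>
    <dependency org="commons-lang" name="commons-lang" rev="2.6" conf="compile->master"/>
    <dependency org="org.apache.commons" name="commons-lang3" rev="3.4" conf="compile->master"/>
    <dependency org="commons-httpclient" name="commons-httpclient" rev="3.1" conf="compile->master"/>
  </dependencies>
</ivy-module>"""

if __name__ == "__main__":
    report = audit(SAMPLE_SOURCES, SAMPLE_IVY_XML)
    for path, hits in report["legacy"].items():
        for old, new in hits:
            print(f"{path}: {old} -> rewrite against {new}")
    for org, name in sorted(report["undeclared"]):
        print(f"ivy.xml: {org}#{name} is used by the code but not declared directly")
```

On the sample input the script reports Foo.java for both legacy imports and flags org.apache.httpcomponents#httpclient as used-but-undeclared; that is exactly the transitive-dependency situation the comment above warns against, and the fix is to add the <dependency> line rather than to rely on whichever other artifact happens to pull it in.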
