[ 
https://issues.apache.org/jira/browse/CASSANDRA-20994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vladimir Sitnikov updated CASSANDRA-20994:
------------------------------------------
    Description: 
Currently Cassandra uses only a few classes from commons-lang3, and it would 
probably be worth dropping the dependency for the following reasons:
1) Better security. {{commons-*}} follows the "all features in a single jar" 
pattern, so a CVE in one of the classes would impact Cassandra
2) Fewer bytes to ship with the binary distribution. {{commons-lang3}} is ~690K

I have raised a suggestion to make {{commons-lang3}} modular and extract 
modules like {{commons-stringutils}}, {{commons-arrayutils}}; however, the 
Commons team does not seem to like the idea.
Commons PMC members often suggest that users should clone the code or shade 
commons-lang, see 
https://lists.apache.org/thread/xzdhv57o9rnxtzn5fqbtkzj0hdkbm339

So I wonder what you think of dropping commons-lang3 and replacing it with 
core Java?

  was:
Currently Cassandra uses only a few classes from commons-lang3, and it would 
probably be worth dropping the dependency for the following reasons:
1) Better security. {{commons-*}} follows the "all features in a single jar" 
pattern, so a CVE in one of the classes would impact Cassandra
2) Fewer bytes to ship with the binary distribution. {{commons-lang3}} is ~650K

I have raised a suggestion to make {{commons-lang3}} modular and extract 
modules like {{commons-stringutils}}, {{commons-arrayutils}}; however, the 
Commons team does not seem to like the idea.
Commons PMC members often suggest that users should clone the code or shade 
commons-lang, see 
https://lists.apache.org/thread/xzdhv57o9rnxtzn5fqbtkzj0hdkbm339

So I wonder what you think of dropping commons-lang3 and replacing it with 
core Java?


> Drop commons-lang3 dependency
> -----------------------------
>
>                 Key: CASSANDRA-20994
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20994
>             Project: Apache Cassandra
>          Issue Type: Improvement
>            Reporter: Vladimir Sitnikov
>            Priority: Normal


