https://issues.apache.org/jira/browse/HADOOP-13794: JSON.org<http://JSON.org> license is now forbidden by the ASF From distribution.
Which means we can't make any Hadoop releases with the AWS SDK JARs < =1.11.0 in them, meaning https://issues.apache.org/jira/browse/HADOOP-13050 has moved up from a minor issue to a blocker, and are going to have to worry about the older branches. 1. The latest amazon-AWS SDKs absolutely do not work with shipping jackson version: it even references artifacts that don't appear until Jackson 2.3.3; and needs to on a later version than that to actually work. 2. AWS SDK updates have generally needed code changes (example: HADOOP-12269) For 2.8.x we can increment the AWS SDK, and take this as a time to increment jackson, which an XEE vulnerability was hinting at anwyay ( https://issues.apache.org/jira/browse/HADOOP-12705) . I know this has a risk of problems, but Sean Mackrory has done the due diliegence to show that Jackson 2.7.8 doesn't break existing API use in Hadoop; after that jackson goes incompatible (again). For Branch 2.6.x we may just want to take the easy way out, and not bundle the (very dated) AWS JAR; just strip it out of the final set of artifacts to include in the project dist, and tell people that if they want to use s3a in 2.6.x (which I think people should really avoid, given it to too 2.7.1 to stabilize), then they need to manually install it. Which leaves Hadoop 2.7.x, doesn't it? What to do? People are using s3a, it's working well, and putting the AWS JARs are going to cause problems. But pushing up a Jackson update in a 2.7.x update is going to be traumatic. -Steve
