There was some discussion about backporting the OSS module to branch 2.x and, per 
Chris's suggestion, we should do it on the dev list.



-----Original Message-----
From: Chris Douglas [mailto:cdoug...@apache.org]
Sent: Thursday, November 16, 2017 1:20 AM
To: Zheng, Kai <kai.zh...@intel.com>
Cc: Junping Du <j...@hortonworks.com>; Konstantin Shvachko <shv.had...@gmail.com>; s...@apache.org; Jason Lowe <jl...@oath.com>; Steve Loughran <steve.lough...@gmail.com>; Jonathan Hung <jyhung2...@gmail.com>; Arun Suresh <asur...@apache.org>; Vinod Kumar Vavilapalli <vino...@apache.org>; secur...@hadoop.apache.org
Subject: Re: Potential security issue of XXE in Hadoop



We should move this part of the thread back to the dev list.



On Wed, Nov 15, 2017 at 2:33 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> We have some wish to backport Ali OSS support for some releases based on 
> 2.7/2.8/2.9. So per the discussion 2.9 should be fine; for 2.7 and 2.8, as we 
> haven't cut 2.7.5 and 2.8.3 yet, I'm hoping we could still be able to do 
> that. We Intel folks would like to take on some tasks like the testing and 
> verifying. The backport work is tracked in [1] and currently Steve has some 
> concerns for 2.7 and 2.8; we're working our best to solve the concerns, 
> basically we'd avoid any package change (like httpclient) and make the 
> changes self-contained just in the Hadoop oss connector module. The backport 
> patches will be available soon.



We did not allow a backport of ADLS to branch-2.7 when it was released in 
2.8.0. There were technical reasons (new dependencies could conflict with 
existing 2.7 client code, patch releases would release at a slower cadence, 
etc.) but popularity of an older release is not a sufficient reason to change 
our version policy on features. We tried to get away with that in 0.16 (and a 
few other times) and it's never gone well. Moreover, one should be able to use 
a jar compiled for 2.9 in a 2.7 cluster, so the value of releasing this module 
with 2.7.5 or 2.8.3 is questionable.



Did anyone raise the Aliyun OSS backport during the 2.9.0 release discussion? I 
don't recall seeing it in the wiki or in any thread on the topic, but I may 
well have missed it. Since the vote on RC3 closes on Friday and looks likely to 
pass, this is very late to propose a new feature. Please raise this on the 2.9 
release thread, so we can figure out how to handle it. Version numbers are 
cheap, but cutting 2.10 only to include this module will create an annoying 
maintenance burden for a low payoff. Correspondingly, a 2.9.1 release with 
"only a few" new features is a repeat of history we should avoid. -C



> @Konstantin, would you let me know when you'd cut the 2.7.5 release? Sounds 
> good to have the oss backport work? Note the module has been in trunk for 
> quite some time and the code has been production exercised. Is there 
> anything we could take and help with? Our pleasure to do. Thanks!
>
> @Junping, for 2.8.3, my similar ask and we would also help.
>
> [1] https://issues.apache.org/jira/browse/HADOOP-14964
>
> Regards,
> Kai
