I agree with your idea. We can apply hadoop-thirdparty-1.2.0 in the 3.3.x
version after its release to mitigate security issues.

hadoop-thirdparty-1.2.0 will be used in hadoop-3.4.0. If
hadoop-thirdparty-1.2.0 is released, we will incorporate it into
hadoop-3.4.0-RC2.

Apache Hadoop Thirdparty 1.2.0 RC1 is now being prepared for voting, and I
look forward to your review and vote.

Best Regards,
Shilun Fan.

Original

From: "Steve Loughran" <ste...@cloudera.com.INVALID>
Date: 2024/2/5 22:28
To: "PJ Fanning" <fannin...@apache.org>
CC: "common-dev" <common-dev@hadoop.apache.org>
Subject: Re: [VOTE] Release Apache Hadoop Thirdparty 1.2.0 RC0

I'd like to get a 3.3.x out with the release too, so as to end the emails
we get to security@ listing everything someone's security scanner has found
and demanding a timeline for a fix. Actually I should get back to the last
such reporter and ask them to test the new RC and 3.4.x on the basis that
they will be expected to upgrade, and now is the chance to identify any
problems.

On Wed, 31 Jan 2024 at 20:13, PJ Fanning wrote:

> +1 (non-binding)
>
> * I validated the checksum and signature on the src tgz
> * LICENSE/NOTICE present
> * ASF headers
> * no unexpected binaries
> * can build using mvn
> * tested the thirdparty protobuf jar in hadoop main build
>
> Is the idea that there will be a Hadoop 3.4.0 RC2 that uses the thirdparty
> jars after they are released?
>
>
> On 2024/01/31 02:16:47 slfan1989 wrote:
> > Thank you for the review and vote! Looking forward to other folks
> > helping with voting and verification.
> >
> > Best Regards,
> > Shilun Fan.
> >
> > On Tue, Jan 30, 2024 at 6:20 PM Xiaoqiao He wrote:
> >
> > > Thanks Shilun for driving it and making it happen.
> > >
> > > +1(binding).
> > >
> > > [x] Checksums and PGP signatures are valid.
> > > [x] LICENSE files exist.
> > > [x] NOTICE is included.
> > > [x] Rat check is ok. `mvn clean apache-rat:check`
> > > [x] Built from source works well: `mvn clean install`
> > > [x] Built Hadoop trunk with updated thirdparty successfully (include
> > > update protobuf shaded path).
> > >
> > > BTW, hadoop-thirdparty-1.2.0 will be included in release-3.4.0, hope we
> > > could finish this vote before 2024/02/06(UTC) if there are no concerns.
> > > Thanks all.
> > >
> > > Best Regards,
> > > - He Xiaoqiao
> > >
> > >
> > >
> > > On Mon, Jan 29, 2024 at 10:42 PM slfan1989 wrote:
> > >
> > > > Hi folks,
> > > >
> > > > Xiaoqiao He and I have put together a release candidate (RC0) for
> > > > Hadoop Thirdparty 1.2.0.
> > > >
> > > > The RC is available at:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/hadoop/hadoop-thirdparty-1.2.0-RC0
> > > >
> > > > The RC tag is
> > > >
> > > > https://github.com/apache/hadoop-thirdparty/releases/tag/release-1.2.0-RC0
> > > >
> > > > The maven artifacts are staged at
> > > >
> > > > https://repository.apache.org/content/repositories/orgapachehadoop-1398
> > > >
> > > > Comparing to 1.1.1, there are three additional fixes:
> > > >
> > > > HADOOP-18197. Upgrade Protobuf-Java to 3.21.12
> > > > https://github.com/apache/hadoop-thirdparty/pull/26
> > > >
> > > > HADOOP-18921. Upgrade to avro 1.11.3
> > > > https://github.com/apache/hadoop-thirdparty/pull/24
> > > >
> > > > HADOOP-18843. Guava version 32.0.1 bump to fix CVE-2023-2976
> > > > https://github.com/apache/hadoop-thirdparty/pull/23
> > > >
> > > > You can find my public key at :
> > > > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS
> > > >
> > > > Best Regards,
> > > > Shilun Fan.
> > > >
> > >
> >
>
