So far no opinion for or against the guava upgrade. Would someone review my change if I create a PR for this?
Jeff, thank you for checking.

On Fri, Feb 28, 2020 at 12:21 PM Jeff Jirsa <jji...@gmail.com> wrote:
>
> This isn't an opinion for or against upgrading guava, just a note that the
> two classes mentioned in that vulnerability are not actually in the
> codebase:
>
> jjirsa:cassandra jjirsa$ git checkout cassandra-3.11
> Checking out files: 100% (3212/3212), done.)
> Switched to branch 'cassandra-3.11'
> Your branch is up to date with 'origin/cassandra-3.11'.
> jjirsa:cassandra jjirsa$ grep -r CompoundOrdering src/
> jjirsa:cassandra jjirsa$ grep -r AtomicDoubleArray src/
> jjirsa:cassandra jjirsa$
>
> On Fri, Feb 28, 2020 at 7:33 AM Tomo Suzuki <suzt...@google.com.invalid> wrote:
>
> > Hi Cassandra developers,
> >
> > Today I learned that Guava 18 has "severe" vulnerability [1,2]. As per
> > code freezing, Cassandra 3.11 still accepts security related PRs.
> > Will Cassandra team accept a pull request to upgrade Guava in 3.11
> > [3], if I create one?
> >
> > [1]: https://search.maven.org/artifact/com.google.guava/guava/18.0/bundle
> > [2]: https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
> > [3]: https://issues.apache.org/jira/browse/CASSANDRA-15453
> >
> > On Mon, Dec 16, 2019 at 12:45 PM Tomo Suzuki <suzt...@google.com> wrote:
> > >
> > > Russell,
> > >
> > > That's great to hear. Then I'll wait for Cassandra 4 release for now.
> > > In the meantime, I found an outdated dependency in Cassandra. Ticketed
> > > [1].
> > >
> > > [1]: CASSANDRA-15455 Upgrade com.carrotsearch:hppc dependency
> > >
> > > On Mon, Dec 16, 2019 at 12:08 AM Russell Spitzer
> > > <russell.spit...@gmail.com> wrote:
> > > >
> > > > The hadoop formats should be compatible with any Cassandra version
> > > > regardless of which Cassandra-all you include since they communicate with
> > > > the driver under the hood and not Cassandra internal libraries. This means
> > > > you should feel free to use Cassandra 4 in your integration without fear of
> > > > losing backwards compatibility. In fact it should be able to speak to
> > > > Cassandra 2.x as well.
> > > >
> > > > On Sun, Dec 15, 2019, 10:24 PM Tomo Suzuki <suzt...@google.com.invalid>
> > > > wrote:
> > > >
> > > > > Hi Russell,
> > > > >
> > > > > Yes, Apache Beam uses hadoop format for Cassandra IO [1]. That test
> > > > > (HadoopFormatIOCassandraTest) failed [2] when I tried to upgrade Guava
> > > > > version. Added this information to the ticket.
> > > > >
> > > > > [1]: https://beam.apache.org/documentation/io/built-in/hadoop/
> > > > > [2]: https://github.com/GoogleCloudPlatform/cloud-opensource-java/issues/1028#issuecomment-557680928
> > > > >
> > > > > On Sun, Dec 15, 2019 at 10:36 PM Russell Spitzer
> > > > > <russell.spit...@gmail.com> wrote:
> > > > > >
> > > > > > Why does the beam integration rely on Cassandra all, does it use the
> > > > > > hadoop formats?
> > > > > >
> > > > > > On Sun, Dec 15, 2019, 9:07 PM Tomo Suzuki <suzt...@google.com.invalid>
> > > > > > wrote:
> > > > > >
> > > > > > > Hi Cassandra developers,
> > > > > > >
> > > > > > > I want to backport the Guava version upgrade (CASSANDRA-15248) into
> > > > > > > 3.11 branch, so that cassandra-all:3.11.X works with higher version of
> > > > > > > Guava.
> > > > > > > I just created a ticket
> > > > > > > https://issues.apache.org/jira/browse/CASSANDRA-15453 explaining
> > > > > > > background.
> > > > > > >
> > > > > > > Before committing anything, I'd like to hear any opinion on the
> > > > > > > backporting. What do you think?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Tomo
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> > > > > > > For additional commands, e-mail: dev-h...@cassandra.apache.org
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Tomo
> > >
> > > --
> > > Regards,
> > > Tomo
> >
> > --
> > Regards,
> > Tomo

--
Regards,
Tomo