Hi Dongjoon,

I think that priority should be given to the user and dev Apache Spark communities and the decision made based on what mostly benefits both communities. That said, I am OK with all 3 possible scenarios and will go with the community decision and Spark policies.

This is the list in the order of my preference (based on my thoughts on how the community will benefit).

1. Upgrade Spark dependency on 3.5 branch on Apache Parquet to 1.15.2 and handle the parquet dependency as any other dependency with a CVE that EOLs the minor version used by Spark. I assume (based on the existing PR) that such an upgrade is safe to complete and there are no known blocking issues (like conflicting dependencies, incompatible Java version, deadlock, functional regression, etc.). Please correct me if I'm wrong.

2. Keep it as is. There may be confusion on whether CVE-2025-46762 and CVE-2025-30065 affect Spark or not. So, it may be good to document that they do not (see https://github.com/apache/parquet-java/pull/3196#issuecomment-2823186647).

3. Upgrade Spark dependency on 3.5 branch on Apache Parquet to 1.13.2. It depends on the availability of 1.13.2, and it looks like Apache Parquet maintains only a single minor release version, with 1.13.x and 1.14.x being EOL. (I put this option as the last one with the assumption that CVE-2025-46762 and CVE-2025-30065 do not impact Spark. If they do, it would be my second choice.)

Thank you,
Vlad

On May 28, 2025, at 5:00 PM, Dongjoon Hyun <dongj...@apache.org> wrote:

From Vlad's claims, the following guess is incorrect because the link is an upgrade from Apache ORC 1.9.5 to 1.9.6, which is a maintenance version upgrade.

> I guess that the similar argument applies to ORC upgrade (https://github.com/apache/spark/pull/50813).

[SPARK-52025][BUILD][3.5] Upgrade ORC to 1.9.6

FYI, the Apache ORC community maintains all release branches for 3 years under the Semantic Versioning policy. Since 3 years is longer than Apache Spark's support period, we can say that Apache ORC branch-1.9 has been maintained for Apache Spark branch-3.5. If there is a user request, the Apache ORC community provides the maintenance release during that period.

To Vlad, this is not a single ASF project issue. I believe the best scenario for all ASF projects is that the Apache Parquet community releases 1.13.2 to provide the CVE and bug fixes properly and safely. Then, Apache Spark 3.5.x can upgrade to Apache Parquet 1.13.2 from 1.13.1.

WDYT, Vlad?

Dongjoon.

On 2025/05/28 04:09:39 Hyukjin Kwon wrote:

It's written in https://spark.apache.org/versioning-policy.html. Spark follows semver. Improvements go to the feature version. Bug fixes or critical stuff go to the maintenance version.

On Wed, 28 May 2025 at 12:38, Jungtaek Lim <kabhwan.opensou...@gmail.com> wrote:

+1 (non-binding) pending the discussion on CVEs (not the performance improvement) in the current version of Apache Parquet.

On Tue, May 27, 2025 at 11:19 AM L. C. Hsieh <vii...@gmail.com> wrote:

+1

On Mon, May 26, 2025 at 6:51 PM Wenchen Fan <cloud0...@gmail.com> wrote:

+1. When this release is out, let's also update the release process document to introduce the new way of making releases with GitHub Action jobs.

On Tue, May 27, 2025 at 6:22 AM Dongjoon Hyun <dongj...@apache.org> wrote:

+1 from my side. Thank you, Hyukjin.

Dongjoon

On 2025/05/26 22:19:22 Hyukjin Kwon wrote:

Thanks guys. BTW, for clarification, this is the preparation for more frequent releases so we don't have to wait so long for each release. Let's prepare this first, and roll it faster.

On Tue, 27 May 2025 at 01:52, Yang Jie <yangji...@apache.org> wrote:

+1

On 2025/05/26 01:10:23 Hyukjin Kwon wrote:

The key issue was fixed.

On Mon, 26 May 2025 at 10:05, Hyukjin Kwon <gurwls...@apache.org> wrote:

Probably should avoid backporting it for improvements, but if there is a CVE that directly affects Spark, let's upgrade.

On Mon, 26 May 2025 at 00:27, Rozov, Vlad <vro...@amazon.com.invalid> wrote:

Should the parquet version be upgraded to 1.15.1 or 1.15.2? There are 10 CVEs in the current 1.13.1, and even though they may not impact Spark, there are other improvements (better performance) that will benefit Spark users.

Thank you,
Vlad

On May 24, 2025, at 8:02 PM, Hyukjin Kwon <gurwls...@apache.org> wrote:

Oh, let me check. Thanks for letting me know.

On Sun, May 25, 2025 at 12:00 PM Dongjoon Hyun <dongj...@apache.org> wrote:

I saw 38 commits to make this work. Thank you for driving this, Hyukjin.

BTW, your key seems to be new and is not in https://dist.apache.org/repos/dist/dev/spark/KEYS yet. Could you double-check?

$ curl -LO https://dist.apache.org/repos/dist/dev/spark/KEYS
$ gpg --import KEYS
$ gpg --verify spark-3.5.6-bin-hadoop3.tgz.asc
gpg: assuming signed data in 'spark-3.5.6-bin-hadoop3.tgz'
gpg: Signature made Thu May 22 23:49:54 2025 PDT
gpg: using RSA key 0FE4571297AB84440673665669600C8338F65970
gpg: issuer "gurwls...@apache.org"
gpg: Can't check signature: No public key

Dongjoon.

On 2025/05/23 17:56:25 Allison Wang wrote:

+1

On Fri, May 23, 2025 at 10:15 AM Hyukjin Kwon <gurwls...@apache.org> wrote:

Oh, it's actually a test and also to release. Let me know if you have any concern!

On Fri, May 23, 2025 at 11:25 PM Mridul Muralidharan <mri...@gmail.com> wrote:

Hi Hyukjin,

This thread is to test the automated release, right? Not to actually release it?

Regards,
Mridul

On Fri, May 23, 2025 at 8:26 AM Ruifeng Zheng <ruife...@apache.org> wrote:

+1

On Fri, May 23, 2025 at 5:27 PM Hyukjin Kwon <gurwls...@apache.org> wrote:

Please vote on releasing the following candidate as Apache Spark version 3.5.6.

The vote is open until May 27 (PST) and passes if a majority +1 PMC votes are cast, with a minimum of 3 +1 votes.

[ ] +1 Release this package as Apache Spark 3.5.6
[ ] -1 Do not release this package because ...

To learn more about Apache Spark, please see https://spark.apache.org/

The tag to be voted on is v3.5.6-rc5 (commit 303c18c74664f161b9b969ac343784c088b47593):
https://github.com/apache/spark/tree/303c18c74664f161b9b969ac343784c088b47593

The release files, including signatures, digests, etc. can be found at:
https://dist.apache.org/repos/dist/dev/spark/v3.5.6-rc1-bin/

Signatures used for Spark RCs can be found in this file:
https://dist.apache.org/repos/dist/dev/spark/KEYS

The staging repository for this release can be found at:
https://repository.apache.org/content/repositories/orgapachespark-1495/

The documentation corresponding to this release can be found at:
https://dist.apache.org/repos/dist/dev/spark/v3.5.6-rc1-docs/

The list of bug fixes going into 3.5.6 can be found at the following URL:
https://issues.apache.org/jira/projects/SPARK/versions/12355703

FAQ

=========================
How can I help test this release?
=========================

If you are a Spark user, you can help us test this release by taking an existing Spark workload and running on this release candidate, then reporting any regressions.

If you're working in PySpark you can set up a virtual env and install the current RC via "pip install https://dist.apache.org/repos/dist/dev/spark/v3.5.6-rc1-bin/pyspark-3.5.6.tar.gz" and see if anything important breaks.

In Java/Scala, you can add the staging repository to your project's resolvers and test with the RC (make sure to clean up the artifact cache before/after so you don't end up building with an out-of-date RC going forward).

---------------------------------------------------------------------
To unsubscribe e-mail: dev-unsubscr...@spark.apache.org
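Dongjoon's check above (import KEYS, then `gpg --verify`) is the step every release voter should reproduce, and the "No public key" result is exactly what a signature from a key that is not yet in KEYS looks like. The script below is an added example, not part of this thread or of the Spark release tooling: it performs the same check in a throwaway keyring so that only keys from the KEYS file can satisfy the verification (a key that happens to sit in your personal keyring does not count), and it prints the signing fingerprint so it can be compared with the KEYS entry. The artifact, the "release manager" key and the file names (`spark-X.Y.Z-bin.tgz`, `rm@example.invalid`) are constructed for the demo; it assumes GnuPG 2.1 or later is installed and does not touch the network or your own `~/.gnupg`.

```shell
#!/usr/bin/env bash
# Added example: verify a release artifact against a KEYS file in an isolated
# keyring, the way a Spark RC vote asks you to (curl KEYS; gpg --import; gpg --verify).
set -eu

# verify_release ARTIFACT SIGNATURE KEYS_FILE
# Prints "GOOD <fingerprint>" and returns 0 when the detached signature is valid
# AND the signing key was imported from KEYS_FILE; prints "BAD" and returns 1
# otherwise (including the "No public key" case from the thread).
verify_release() {
  artifact="$1"; sig="$2"; keys="$3"
  home=$(mktemp -d)                      # throwaway GNUPGHOME: only KEYS counts
  gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1 || true
  # --status-fd gives machine-readable lines; VALIDSIG carries the full fingerprint.
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null || true)
  gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$home"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
  if [ -n "$fpr" ]; then
    printf 'GOOD %s\n' "$fpr"
    return 0
  fi
  printf 'BAD\n'
  return 1
}

# demo_verify builds a constructed artifact and a constructed release-manager key,
# signs the artifact, exports the key as a KEYS file, and runs verify_release twice:
# once with a KEYS file that contains the key (expect GOOD) and once with a stale,
# empty KEYS file that does not yet list it (expect BAD, mirroring the thread).
# Prints "<good_rc> <stale_rc>", i.e. "0 1" when both behave as expected.
demo_verify() {
  work=$(mktemp -d); rmhome=$(mktemp -d)
  art="$work/spark-X.Y.Z-bin.tgz"        # hypothetical name, constructed payload
  printf 'constructed release payload, not a real Spark tarball\n' > "$art"

  # Constructed, unprotected signing key standing in for the release manager's key.
  gpg --homedir "$rmhome" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'RM Example <rm@example.invalid>' default default >/dev/null 2>&1
  gpg --homedir "$rmhome" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$art.asc" "$art" 2>/dev/null
  gpg --homedir "$rmhome" --batch --armor --export > "$work/KEYS" 2>/dev/null
  : > "$work/KEYS.stale"                 # KEYS as it was before the new key was added

  if verify_release "$art" "$art.asc" "$work/KEYS" >/dev/null; then good=0; else good=1; fi
  if verify_release "$art" "$art.asc" "$work/KEYS.stale" >/dev/null; then stale=0; else stale=1; fi

  gpgconf --homedir "$rmhome" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work" "$rmhome"
  printf '%s %s\n' "$good" "$stale"
}

# For a real RC: download KEYS, the artifact and its .asc, then
#   verify_release spark-3.5.6-bin-hadoop3.tgz spark-3.5.6-bin-hadoop3.tgz.asc KEYS
# and compare the printed fingerprint with the entry in KEYS.
```

Running `demo_verify` should print `0 1`: the signature verifies once the KEYS file carries the key, and fails against the stale KEYS file with the same "No public key" outcome Dongjoon hit. Using a fresh `--homedir` per verification is the point of the example: it makes the check answer "is this signed by a key the project publishes?" rather than "is this signed by any key I have ever imported?".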