Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-alpha2
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: build
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Bump the version of third party dependency jaxb-api to 2.2.11.

      Description

      We're currently pulling in version 2.2.2 - I think we should upgrade to the latest 2.2.12.

      1. HADOOP-13659.001.patch
        0.4 kB
        Sean Mackrory
      2. HADOOP-13659.002.patch
        0.4 kB
        Sean Mackrory

          Activity

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 13m 49s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 9m 44s trunk passed
          +1 compile 0m 13s trunk passed
          +1 mvnsite 0m 13s trunk passed
          +1 mvneclipse 0m 10s trunk passed
          +1 javadoc 0m 10s trunk passed
          +1 mvninstall 0m 8s the patch passed
          +1 compile 0m 6s the patch passed
          +1 javac 0m 6s the patch passed
          +1 mvnsite 0m 9s the patch passed
          +1 mvneclipse 0m 9s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 2s The patch has no ill-formed XML file.
          +1 javadoc 0m 7s the patch passed
          +1 unit 0m 7s hadoop-project in the patch passed.
          +1 asflicense 0m 22s The patch does not generate ASF License warnings.
          26m 11s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13659
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12830410/HADOOP-13659.001.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
          uname Linux dcde49fe6881 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 8e06d86
          Default Java 1.8.0_101
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10601/testReport/
          modules C: hadoop-project U: hadoop-project
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10601/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          stevel@apache.org Steve Loughran added a comment -
          • Can you always link HADOOP-9991 to any POM dependency patches; gives us one place to look up the version history.
          • I presume this is for trunk; could you set the version/target fields, component=build.
          • What depends on jaxb; what is likely to break? In particular, will we have to update Jackson in sync?
          mackrorysd Sean Mackrory added a comment -

          YARN servers, and a lot of the Hadoop client artifacts depend on it.

          mackrorysd Sean Mackrory added a comment -

          This is primarily used in the YARN web UI - I've also done some manual testing of that to make sure nothing seems broken. Unit test runs continue to give virtually identical results to before this change (I say "virtually" because of transient failures I have both seen and not seen, both with and without this change - none of them appear related to this change anyway). So I'd like to move ahead with this update...

          jojochuang Wei-Chiu Chuang added a comment -

          So this one is interesting. The development website of jaxb-api states the latest version is 2.2.11, which was released on October 14, 2014. There's no mention of 2.2.12. But the Maven repository does have 2.1.12 and its release date is October 20, 2014.

          mackrorysd Sean Mackrory added a comment - - edited

          Is the website you're looking at this: https://jaxb.java.net/? This gets really confusing because they have pages with 2.2.11 in the URL (and the page doesn't exist if you replace it with 2.2.12), but the page content says 2.2.12: https://jaxb.java.net/2.2.11/docs/api/javax/xml/bind/JAXB.html.

          I think what's happened is jaxb-ri, the reference implementation, is on 2.2.11. jaxb-api is a distinct artifact and is on version 2.2.12. The mailing list archives show a 2.2.11 release of jaxb-ri happening (https://java.net/projects/jaxb/lists/commits/archive/2014-10/message/5), and then an update to jaxb-api 2.2.12 (https://java.net/projects/jaxb/lists/commits/archive/2014-10/message/12), and then I can't find a record of a release of jaxb-ri 2.2.12.

          So I think the correct version for us to target is 2.2.12, but I'm struggling to find any official-looking source of information about jaxb-api releases, so I could be wrong.

          jojochuang Wei-Chiu Chuang added a comment - - edited

          So... I checked out the code (fortunately they use git)
          and looking at pom.xml, the version history was like 2.1.11-SNAPSHOT --> 2.1.11 --> 2.1.12-SNAPSHOT --> 2.3.0-SNAPSHOT
          It seems the last release was 2.1.11, and then they planned to do 2.1.12 but then moved up to 2.3.0.

          Also the repo has branch jaxb-2_2_11-branch but no jaxb-2_2_12-branch

          EDIT: I was referring to jaxb-ri repo, so maybe it's not what you're looking for. Sorry for the confusion.

          mackrorysd Sean Mackrory added a comment -

          Pinging the mailing list to see if I can clear this up: https://java.net/projects/jaxb/lists/users/archive/2016-10/message/1. It is concerning how hard it is to find any information about jaxb-api itself outside of maven repositories and sites that index them...

          mackrorysd Sean Mackrory added a comment -

          For what it's worth while we wait for a response, upgrading to 2.2.11 is a perfectly acceptable outcome here to me. 2.2.2 is referenced by several CVEs. While I don't think any of them are critical (IIRC they're considered low risk, maybe medium at worst), it's a step in the right direction to upgrade, all other things being equal. 2.2.11 resolves all those issues too.

          jojochuang Wei-Chiu Chuang added a comment -

          I am all for 2.2.11 if you do not find an answer.

          mackrorysd Sean Mackrory added a comment -

          How about we do that then... I have not heard back from the mailing list, and the archives show it has been completely inactive most months in the last 2 years. A few questions, not a lot of answers. Attaching a patch to move to 2.2.11. It compiles, tests all run well, some manual testing of the UIs showed no problems.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 16s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 7m 10s trunk passed
          +1 compile 0m 9s trunk passed
          +1 mvnsite 0m 12s trunk passed
          +1 mvneclipse 0m 9s trunk passed
          +1 javadoc 0m 9s trunk passed
          +1 mvninstall 0m 7s the patch passed
          +1 compile 0m 6s the patch passed
          +1 javac 0m 6s the patch passed
          +1 mvnsite 0m 8s the patch passed
          +1 mvneclipse 0m 6s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 1s The patch has no ill-formed XML file.
          +1 javadoc 0m 6s the patch passed
          +1 unit 0m 6s hadoop-project in the patch passed.
          +1 asflicense 0m 16s The patch does not generate ASF License warnings.
          9m 34s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13659
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12835129/HADOOP-13659.002.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
          uname Linux 95570bc884ad 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / dbd2057
          Default Java 1.8.0_101
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10890/testReport/
          modules C: hadoop-project U: hadoop-project
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10890/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          jojochuang Wei-Chiu Chuang added a comment -

          +1. Will postpone the commit to let watchers comment on any concerns.

          jojochuang Wei-Chiu Chuang added a comment -

          Committed the patch 002 to trunk. Thanks to Sean Mackrory for the patch and Steve Loughran for the comment!

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10684 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10684/)
          HADOOP-13659. Upgrade jaxb-api version. Contributed by Sean Mackrory. (weichiu: rev 24a83febea4bef4d52f1ab952138d2fff0fa2445)

          • (edit) hadoop-project/pom.xml
          brahmareddy Brahma Reddy Battula added a comment -

          Updated the fix version.


            People

            • Assignee:
              mackrorysd Sean Mackrory
              Reporter:
              mackrorysd Sean Mackrory
            • Votes:
              0
              Watchers:
              6
