[SPARK-43489][BUILD] Remove protobuf 2.5.0 #41153
Conversation
pan3793
changed the title
| <useSubDirectoryPerType>true</useSubDirectoryPerType> | ||
| <includeArtifactIds> | ||
| guava,jetty-io,jetty-servlet,jetty-servlets,jetty-continuation,jetty-http,jetty-plus,jetty-util,jetty-server,jetty-security,jetty-proxy,jetty-client | ||
| guava,protobuf-java,jetty-io,jetty-servlet,jetty-servlets,jetty-continuation,jetty-http,jetty-plus,jetty-util,jetty-server,jetty-security,jetty-proxy,jetty-client |
There was a problem hiding this comment.
protobuf is in the same position w/ guava and jetty: spark uses it internally, shades and relocates it into spark-core.jar instead of including it into binary tgz directly, to avoid leaking downstream
There was a problem hiding this comment.
Seems reasonable if it works. The less we expose protobuf the better
dongjoon-hyun
left a comment
dongjoon-hyun
left a comment
There was a problem hiding this comment.
Thank you for doing this with nice analysis. Ya, definitely, this was the goal. BTW, could you send an email to dev@spark because this is an important removal of dependency, @pan3793 ?
dongjoon-hyun
left a comment
dongjoon-hyun
left a comment
There was a problem hiding this comment.
+1, LGTM from my side.
cc @mridulm , too
|
spark/connector/kafka-0-10-assembly/pom.xml Lines 62 to 66 in 46332d9 This one should be |
+1, Agree |
|
@dongjoon-hyun @LuciferYang FYI, I have sent a mail to the mailing list |
@LuciferYang The version here does not matter. What's matter is the |
LuciferYang
left a comment
LuciferYang
left a comment
There was a problem hiding this comment.
+1, LGTM from my side.
|
Merged to master |
…rom `kinesis-asl-assembly` ### What changes were proposed in this pull request? This PR aims to remove the shaded `protobuf-java` 2.6.1 dependency from `kinesis-asl-assembly`. ### Why are the changes needed? Technically, this is a revert of SPARK-14421. - At that time, Apache Spark 2.0.0 distribution contains `protobuf-java-2.5.0.jar`. - #13054 - SPARK-43489 removed `protobuf-java-2.5.0.jar` from Apache Spark 3.5+ distribution. - #41153 ### Does this PR introduce _any_ user-facing change? No, but the user can inject the required protobuf-jar from application layers. ### How was this patch tested? Pass the CIs and manual review. **BEFORE** ``` $ build/mvn dependency:tree -pl connector/kinesis-asl-assembly -Pkinesis-asl | grep protobuf-java ... [INFO] +- com.google.protobuf:protobuf-java:jar:2.6.1:provided ``` **AFTER** ``` $ build/mvn dependency:tree -pl connector/kinesis-asl-assembly -Pkinesis-asl | grep protobuf-java ... [INFO] | | +- com.google.protobuf:protobuf-java:jar:3.25.1:provided ``` ### Was this patch authored or co-authored using generative AI tooling? No. Closes #45096 from dongjoon-hyun/SPARK-47038. Authored-by: Dongjoon Hyun <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>
5 participants
What changes were proposed in this pull request?
Spark does not use protobuf 2.5.0 directly, instead, it comes from other dependencies, with the following changes, now, Spark does not require protobuf 2.5.0 (please let me know if I miss something),
Why are the changes needed?
Remove the obsolete dependency, which is EOL long ago, and has CVEs CVE-2022-3510 CVE-2022-3509 CVE-2022-3171 CVE-2021-22569
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Pass GA.