Look for other Maven artifacts that contain Guava classes, and list them in our metadata #6666
Just as the current metadata can detect conflicts with google-collections, it could detect conflicts with those other artifacts. For example, I keep forgetting that we ourselves released guava-base, etc. for exactly one release. And others have done this (example?), too. Here's a person who recently got bit by this.
Comments
guava-osgi is another one (stackoverflow)
hive-exec (at least in 2.3.0~2.3.7)
Oh, thanks, I should definitely have thought of guava-jdk5. Which versions of hive-exec have this problem? I pulled hive-exec-0.9.0.jar, hive-exec-1.2.2-core.jar, hive-exec-2.3.9-core.jar, hive-exec-3.1.3-core.jar, hive-exec-4.0.0-beta-1.jar, and hive-exec-4.0.0-beta-1-fallbackauthorizer.jar, and only 4.0.0-beta-1.jar appeared to contain Guava classes, which thankfully were repackaged and thus not a problem (though I also see other com.google classes in that jar that have not been repackaged, all under com.google.protobuf or com.google.re2j). Not that we can necessarily do much about hive-exec: Since it contains additional classes beyond just Guava's, we can't say to replace its contents with Guava. At most, we might be able to say to replace Guava's contents with it, and I'm not sure that's likely to be a net win :(
@cpovirk for instance, hive-exec-2.3.7.jar
Ah, thanks, I didn't pay close enough attention to that "core" suffix that I was looking at. That's unfortunate. As noted in #6666 (comment), I'm not sure how much we can do when the jar contains more than just Guava (including, it appears, other libraries, like org.json). Maybe apache/hive#4542 will be progress toward having a normal dependency on Guava instead of including it in their jar? [edit: And it does appear that hive-exec is used as a "normal dependency", not just as some kind of standalone build tool or something.]
@cpovirk I don't want to extend the topic too much, I list
@jensdietrich pointed me to https://github.com/github/advisory-database/pull/2444/files, which adds:
[edit: I was also just reminded of
Oh, but I have to check how many of those use shading, rather than the original package names.
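The check the thread performs by hand (pull a jar, look for Guava classes, and tell unshaded copies from repackaged ones) as a script; this is an added example, not code from the Guava project or this issue. The sample jar and the `org/example/shaded/` relocation prefix are constructed for the demonstration.

```python
"""Scan a jar for Guava classes and report whether they are shaded."""
import io
import zipfile
from typing import Dict, List

# Guava's real package prefix inside a jar (a jar is a zip file).
GUAVA_PKG = "com/google/common/"


def scan_jar_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return {"unshaded": [...], "shaded": [...]} class entries.

    "unshaded": entry starts with com/google/common/ exactly, so it
    collides with Guava proper on the classpath (the problem the issue
    wants the metadata to flag).
    "shaded": com/google/common/ appears deeper in the path, i.e. the
    classes were relocated and do not collide.
    """
    found: Dict[str, List[str]] = {"unshaded": [], "shaded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(GUAVA_PKG):
                found["unshaded"].append(name)
            elif GUAVA_PKG in name:
                found["shaded"].append(name)
    return found


def scan_jar(path: str) -> Dict[str, List[str]]:
    """Same check on a jar on disk, e.g. one pulled from Maven Central."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def make_sample_jar() -> bytes:
    """Constructed sample jar (not a real artifact): one unshaded Guava
    class, one relocated copy under a hypothetical prefix, one other."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/google/common/base/Preconditions.class", b"")
        jar.writestr("org/example/shaded/com/google/common/base/Preconditions.class", b"")
        jar.writestr("org/example/Main.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or []:
        r = scan_jar(p)
        print(p, "unshaded:", len(r["unshaded"]), "shaded:", len(r["shaded"]))
```

Run it as `python scan.py hive-exec-2.3.7.jar` to get the count of unshaded versus relocated Guava classes for a downloaded artifact.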