Remove Phoenix5 connector #20739
This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua
Has the upstream project been informed about this mess? I don't think we should remove the connector? Anybody concerned about the binary files can just delete the plugin directory. But we should try to get this improved by the Phoenix project and maybe we can avoid using a shaded jar. Do we have any contacts to talk to?
@mosabua it was on the mailing list. The answer was that this won't be improved upon.
Jeez .. great. So is the project dead? Can we somehow remove a lot of that shaded stuff?
@mosabua major effort with a little benefit
Fair .. maybe we just let it linger for now
We could ask in the community about usage and willingness to help .. or replace it with a hbase connector instead of just removing it
Could we switch the connector to use https://phoenix.apache.org/server.html?
@electrum maybe yes but I have neither the knowledge nor the experience to do so
By looking at #21251, I suspect not many people are using the connector
My former experience is that no longer uses this connector in production, one of the major reasons is that phoenix services lack effective maintenance, but the test environment still has this connector. @willzgw
My 2 cents is that this connector has little benefit being maintained by Trino at this point. Any technology on its way out will always have some users somewhere and that shouldn't determine if Trino will spend the community's resources on maintaining Phoenix or HBase. That doesn't mean they cease to exist and anyone using this is screwed, it just means someone currently using it will take ownership of patches etc... We definitely should bring this up in the next contributor call, but with all the other valuable ways maintainers could be spending their time, I think it's kinder to everyone to know when to cut ties. It also hurts folks who are writing these PRs. They have some expectation and hope that they won't have to maintain this connector. If Trino isn't supporting this then it's a clear signal to the engineer and their company that to stay on Phoenix they must accept the burden to maintain it. Better we rip off the bandaid than to let the unhealthy relationship drag on. Sorry Phoenix, it's not you, it's your CVEs and lackluster maintenance. 👋
@mosabua can you send an invitation to the phoenix maintainers whether they would like to join our contributors call in 2 weeks?
Will do.
Posted on Phoenix channel in ASF Slack. If necessary I will post on their dev mailing list as well
@mosabua you know... places 😃
FYI, as the majority of the CVEs are coming from Hadoop, we have recently bumped the version to 3.2.4: apache/phoenix@e988b64. Moreover, Hadoop has released 3.4.0 recently, but it might require a bit more time before both HBase and Phoenix can use the upgraded version.
Here is a suggestion from Istvan Toth @stoty on ASF Slack: I would strongly suggest moving to the new phoenix-mapreduce-byo-hbase artifact introduced in 5.2.
@mosabua 5.2 is not yet released so there is nothing to update to. It's been 15 months since the last Phoenix release
The other option I think we might want to consider is keeping the plugin in the codebase and maintaining it going forward and updating as much as we can as well as removing any shaded dependencies that we can get rid of. And in addition .. no longer include the plugin in the default built tarball, rpm and docker container. We can update the docs to tell users to download the plugin from Maven Central separately and copy it into the plugins folder on their install or create a custom tarball/container/rpm with it. Not as user friendly but avoids the security hit for the majority of users while still providing a pathway for Phoenix users. Of course it would be really good if Phoenix could upgrade more and faster too.
I know.. supposedly coming soon though
@mosabua switching to some new library is work that needs to be done. I'm not sure how complex the switch will be and who can do this.
I think it would not work anyway since we don't have a Hadoop fork to drop into it.
FYI using the new Phoenix artifact does not require any code changes, it only requires changing the dependencies / JARs included. As for the schedule the 5.2.0 release process is already underway, and the next RC is expected next week.
@stoty any update about the release?
@kokosing I'd like to proceed with dropping Phoenix connector from Trino. We can move it to a separate repository
Shaded Phoenix 5.1.3 client brings over 60 Critical and High CVEs into the Trino codebase. 5.1.4-SNAPSHOT version doesn't bring any significant improvement to this situation.
The vote is open for the 5.2.0 release @kokosing.
@stoty is it GA release or RC?
It's the GA release vote for the hopefully final RC.
i.e. the current RC will be the GA release when the vote passes.
The vote should be completed in a day or two.
5.2.0 is released, I am performing a few additional completion steps but the artifacts are already released:
Shaded Phoenix 5.1.3 client brings over 75+ Critical and High CVEs into the Trino codebase (90% of the CVE count for the entire codebase consisting of 800+ dependencies).
Neither 5.1.4-SNAPSHOT nor 5.2.0-SNAPSHOT versions bring any significant improvement to this situation.
Description
Additional context and related issues
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text: