Look for other Maven artifacts that contain Guava classes, and list them in our metadata
Just as the current metadata can detect conflicts with google-collections, it could detect conflicts with those other artifacts.
For example, I keep forgetting that we ourselves released guava-base, etc. for exactly one release. And others have done this (e.g., diffplug), too.
guava-osgi is another one (stackoverflow)
hive-exec (at least in 2.3.0~2.3.7)
Oh, thanks, I should definitely have thought of guava-jdk5.
Which versions of hive-exec have this problem? I pulled hive-exec-0.9.0.jar, hive-exec-1.2.2-core.jar, hive-exec-2.3.9-core.jar, hive-exec-3.1.3-core.jar, hive-exec-4.0.0-beta-1.jar, and hive-exec-4.0.0-beta-1-fallbackauthorizer.jar, and only 4.0.0-beta-1.jar appeared to contain Guava classes, which thankfully were repackaged and thus not a problem (though I also see other com.google classes in that jar that have not been repackaged, all under com.google.protobuf or com.google.re2j).
Not that we can necessarily do much about hive-exec: Since it contains additional classes beyond just Guava's, we can't say to replace its contents with Guava. At most, we might be able to say to replace Guava's contents with it, and I'm not sure that's likely to be a net win :(
@cpovirk for instance, hive-exec-2.3.7.jar
$ wget https://repo1.maven.org/maven2/org/apache/hive/hive-exec/2.3.7/hive-exec-2.3.7.jar
$ jar -tf hive-exec-2.3.7.jar | grep 'com/google/common'
com/google/common/
com/google/common/annotations/
com/google/common/annotations/Beta.class
com/google/common/annotations/GwtCompatible.class
com/google/common/annotations/GwtIncompatible.class
com/google/common/annotations/VisibleForTesting.class
com/google/common/base/
com/google/common/base/Absent.class
com/google/common/base/AbstractIterator$1.class
com/google/common/base/AbstractIterator$State.class
...
Ah, thanks, I didn't pay close enough attention to that "core" suffix that I was looking at.
That's unfortunate. As noted in https://github.com/google/guava/issues/6666#issuecomment-1686451209, I'm not sure how much we can do when the jar contains more than just Guava (including, it appears, other libraries, like org.json). Maybe https://github.com/apache/hive/pull/4542 will be progress toward having a normal dependency on Guava instead of including it in their jar?
[edit: And it does appear that hive-exec is used as a "normal dependency," not just as some kind of standalone build tool or something.]
@cpovirk I don't want to extend the topic too much; I list hive-exec.jar here just because it contains Guava classes. Actually, upgrading Hive (even for a patched version) may have more risks and difficulties than upgrading Guava in Hadoop ecosystem projects. hive-exec-2.3.7.jar is actually a standalone jar, and hive-exec-2.3.7-core.jar is actually the original normal jar. Unfortunately, hive-exec-2.3.7.jar seems to be widely abused as a normal dependency.
@jensdietrich pointed me to https://github.com/github/advisory-database/pull/2444/files, which adds:
- de.mhus.ports:vaadin-shared-deps
- org.apache.servicemix.bundles:org.apache.servicemix.bundles.guava
- org.hudsonci.lib.guava:guava
- org.sonatype.sisu:sisu-guava
[edit: I was also just reminded of net.tribe7.seeds]
Oh, but I have to check how many of those use shading, rather than the original package names.
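The shading check raised in the thread can be automated along the lines of the `jar -tf | grep` listing above. The following is an added example, not code from the thread or from the Guava project: `classify_jar` and `make_jar` are hypothetical names, the sample jar contents are constructed, and matching on Guava's published subpackages is an assumed heuristic.

```python
import io
import re
import zipfile

# Guava's own subpackages under com.google.common; filtering on them keeps
# other libraries that share the prefix (e.g. com.google.common.truth) out.
_SUBPKGS = ("annotations|base|cache|collect|escape|eventbus|graph|hash|html|"
            "io|math|net|primitives|reflect|util/concurrent|xml")
_GUAVA_CLASS = re.compile(
    r"^(?:META-INF/versions/\d+/)?"          # multi-release jar copies
    r"(?P<prefix>(?:[^/]+/)*?)"              # relocation prefix, empty if unshaded
    r"com/google/common/(?:%s)/[^/]+\.class$" % _SUBPKGS)


def classify_jar(jar):
    """Return (verdict, unshaded_class_count, relocation_prefixes) for a jar."""
    unshaded, prefixes = 0, set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = _GUAVA_CLASS.match(name)
            if not m:
                continue
            if m.group("prefix"):
                # Relocated copy: cannot clash with the real Guava classes.
                prefixes.add(m.group("prefix").rstrip("/").replace("/", "."))
            else:
                # Original package name: a duplicate-class conflict candidate.
                unshaded += 1
    verdict = "unshaded" if unshaded else "relocated" if prefixes else "none"
    return verdict, unshaded, sorted(prefixes)


def make_jar(entries):
    """Build a constructed in-memory jar holding empty files at the given paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = {  # constructed listings, not real artifacts
        "fat.jar": ["com/google/common/base/Absent.class", "org/json/JSONObject.class"],
        "shaded.jar": ["example/shaded/com/google/common/collect/Lists.class"],
        "other.jar": ["com/google/common/truth/Truth.class", "com/google/protobuf/Message.class"],
    }
    for name, entries in samples.items():
        print(name, classify_jar(make_jar(entries)))
```

`classify_jar` also accepts a path to a jar on disk; only an "unshaded" verdict marks an artifact that would belong in the conflict metadata.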