# general

Zsolt Takacs

02/10/2022, 2:40 PM
Is there a reason why the docker image uses an uberjar? Most SCA tools can't work with them, and replacing a dependency jar with a patched one is much more tedious (i.e. rolling out log4j2 updates quickly).

Mayank

02/10/2022, 2:47 PM
@User

Xiang Fu

02/10/2022, 6:40 PM
It’s the same jar we use from the pinot release process, the single one built from pinot-distribution; the major issue here is the library shading issue. Actually pinot-tools has all the dependency jars in the libs directory.
@User do you see any issue with tweaking the release process a bit for this?

Seunghyun

02/10/2022, 8:41 PM
I think that we originally used separate lib jars + shaded jars, but we moved to the uber jar from a certain point.
I think that it’s fine to fall back to the previous approach as long as our release can execute our code correctly.
Another quicker way is to upgrade Pinot with the docker image with the log4j2 fix.

Mayank

02/10/2022, 9:52 PM
I think @User already did the upgrade with all the fixes, iirc.

Zsolt Takacs

02/10/2022, 9:53 PM
The log4j2 issue was just an example; if someone had a tight deadline for upgrades, waiting for the official image was too slow.

Xiang Fu

02/10/2022, 9:53 PM
The log4j fix is already there; this is more like a general setup problem.

Zsolt Takacs

02/10/2022, 10:22 PM
The bigger issue is that most SCA tools can't scan uberjars, which can be a compliance problem.