
Set grpcio minimum version to 1.59.3 so that Alpine py3-grpcio can be used #211

Merged: 1 commit, May 7, 2024

Conversation

@lhotari (Member) commented Apr 30, 2024

Motivation

When using the Alpine base image in Pulsar, grpcio has to be compiled from source when version 1.60.0 is required. It's better to allow grpcio version 1.59.3 so that Alpine's py3-grpcio can be used to fulfill the requirement.
Please see apache/pulsar#22613 for more context.

Modifications

  • downgrade grpcio dependency to 1.59.3

Additional context

  • there's no specific minimum version constraint originating from pulsar-client-python
  • the grpcio minimum version was set to 1.60.0 in this commit: 162afd5. The referenced CVE requires 1.53.0, so there doesn't seem to be any reason why we couldn't downgrade to 1.59.3.

… can be used

- there's no specific minimum version constraint originating from pulsar-client-python
  - grpcio is required by apache-bookkeeper-client. the dependencies are defined in
    https://github.com/apache/bookkeeper/blob/master/stream/clients/python/setup.py
    the version in this file is >= 1.8.2
@nodece (Member) commented Apr 30, 2024

I suggest using 1.53.0 as the minimum version, just to consider multiple OSes.

@lhotari (Member, Author) commented Apr 30, 2024

> I suggest using 1.53.0 as the minimum version, just to consider multiple OSes.

There might be other CVEs. Which OS do you have in mind?

@nodece (Member) commented Apr 30, 2024

> There might be other CVEs.

Good catch, see GHSA-p25m-jpj4-qcrr

Must be equal to or greater than 1.55.3.

> Which OS do you have in mind?

Now it seems that it's only alpine-3.18.

For other OSes, users can use pip to install grpcio.
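The check the thread is doing by hand (does a proposed `grpcio>=` floor clear the patched versions named for the two advisories, and can the distro package still satisfy it), as an added example that is not part of the PR or of pulsar-client-python. The advisory label for the CVE referenced in commit 162afd5 is a placeholder, since the thread does not name it, and the Alpine py3-grpcio version 1.59.3 is assumed from the PR title.

```python
import re

# Constructed from the thread: patched version per advisory. The first key is a
# placeholder label because the PR does not name the CVE from commit 162afd5.
ADVISORY_FLOORS = {
    "CVE-referenced-in-162afd5 (placeholder label)": "1.53.0",
    "GHSA-p25m-jpj4-qcrr": "1.55.3",
}

_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*>=\s*([0-9.]+)\s*$")


def parse_version(v: str) -> tuple:
    """Parse a dotted release version such as '1.59.3' into a comparable tuple.
    Pre-release or local suffixes are rejected rather than silently misordered."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def parse_floor(requirement: str) -> tuple:
    """Return (package name, floor tuple) for a single 'name>=version' clause."""
    m = _REQ.match(requirement)
    if not m:
        raise ValueError(f"unsupported requirement (only 'name>=x.y.z'): {requirement!r}")
    return m.group(1).lower(), parse_version(m.group(2))


def unmet_advisories(requirement: str, floors=ADVISORY_FLOORS) -> list:
    """Advisories whose patched version the requirement does not guarantee."""
    _, floor = parse_floor(requirement)
    return [adv for adv, patched in floors.items() if floor < parse_version(patched)]


def distro_satisfies(requirement: str, distro_version: str) -> bool:
    """True if the distro-packaged version meets the requirement's floor."""
    _, floor = parse_floor(requirement)
    return parse_version(distro_version) >= floor


if __name__ == "__main__":
    alpine_py3_grpcio = "1.59.3"  # assumed packaged version
    for req in ("grpcio>=1.53.0", "grpcio>=1.59.3", "grpcio>=1.60.0"):
        print(req, "unmet:", unmet_advisories(req),
              "alpine ok:", distro_satisfies(req, alpine_py3_grpcio))
```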

@nodece (Member) commented May 7, 2024

Any updates?

@nodece nodece requested review from RobertIndie and shibd May 7, 2024 02:40
@merlimat merlimat merged commit c3c12c4 into apache:main May 7, 2024
11 checks passed
@nodece (Member) commented May 8, 2024

Do you have a release plan? If not, the pulsar 3.3.0 arm image will take about 2 hours to build the grpcio wheel; please see https://github.com/nodece/pulsar-python-deps-build/actions/runs/8891459473/job/24418839959#step:6:315 for details.
