[23.11] mlflow: 2.7.0 -> 2.12.1

[veprbl]

Description of changes

Backport of #289834

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[LeSuisse]

The changes looks pretty big for 23.11, it might be preferable to backport the fix directly. mlflow/mlflow@432b8cc applies cleanly on top of the 2.7.0.

The commit message should start with python3Packages.mlflow to trigger OfBorg.

[veprbl]

@LeSuisse the list of different vulnerabilities is pretty long. If you can contribute a PR, that's always welcome.

[LeSuisse]

Yeah OK I did not see https://huntr.com/repos/mlflow/mlflow and they do not mention all the security issues in their release notes...

I might take a look to see if we can only backport the sec fixes but it will likely have to wait this week end.

If the bump to 2.10.2 is considered safe enough to be backported the PR should be rewritten to cherry-pack the patches from master, see https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#how-to-backport-pull-requests

[risicle]

Yeah I don't particularly like it, but there are an awful lot of security issues spread across several releases.

nixpkgs-review reveals no new failures, macos 12 x86_64 & nixos x86_64

[risicle]

I guess the other option is knownVulnerabilities, but offering a second version in parallel for those who would rather upgrade doesn't work quite so well in the python packageset.

[veprbl]

cc @mweinelt @benxiao @bcdarwin

[LeSuisse]

So I took a closer look but even identifying the related PR/commits is a PITA. Some valid reports are flagged as duplicate and link to other non public reports :/

At this point I do not think attempting to backports the fixes is a viable option.

[mweinelt]

We can always deal with regressions later.

[veprbl]

I don't think the python package update would bring breakage, but we could instead restrict update to only apply to mlflow-server.

[nbraud]

Updating the version in the stable release seems reasonable, given how much of a pain backporting is in this instance.
However, v2.11.2 and 2.11.3 fixed more path-traversal vulnerabilities, though I couldn't easily find whether they were present in 2.10.2

[nbraud]

Result of nixpkgs-review pr 289835 run on x86_64-linux 1

2 packages failed to build:

• tts
• tts.dist

62 packages built:

• dbx
• dbx.dist
• mlflow-server
• mlflow-server.dist
• openai-full
• openai-full.dist
• python310Packages.dalle-mini
• python310Packages.dalle-mini.dist
• python310Packages.fastai
• python310Packages.fastai.dist
• python310Packages.k-diffusion
• python310Packages.k-diffusion.dist
• python310Packages.mlflow
• python310Packages.mlflow.dist
• python310Packages.mmcv
• python310Packages.mmcv.dist
• python310Packages.mmengine
• python310Packages.mmengine.dist
• python310Packages.skrl
• python310Packages.skrl.dist
• python310Packages.spacy
• python310Packages.spacy-loggers
• python310Packages.spacy-loggers.dist
• python310Packages.spacy-lookups-data
• python310Packages.spacy-lookups-data.dist
• python310Packages.spacy-transformers
• python310Packages.spacy-transformers.dist
• python310Packages.spacy.dist
• python310Packages.textacy
• python310Packages.textacy.dist
• python310Packages.textnets
• python310Packages.textnets.dist
• python310Packages.wandb
• python310Packages.wandb.dist
• python311Packages.dalle-mini
• python311Packages.dalle-mini.dist
• python311Packages.fastai
• python311Packages.fastai.dist
• python311Packages.k-diffusion
• python311Packages.k-diffusion.dist
• python311Packages.mlflow
• python311Packages.mlflow.dist
• python311Packages.mmcv
• python311Packages.mmcv.dist
• python311Packages.mmengine
• python311Packages.mmengine.dist
• python311Packages.skrl
• python311Packages.skrl.dist
• python311Packages.spacy
• python311Packages.spacy-loggers
• python311Packages.spacy-loggers.dist
• python311Packages.spacy-lookups-data
• python311Packages.spacy-lookups-data.dist
• python311Packages.spacy-transformers
• python311Packages.spacy-transformers.dist
• python311Packages.spacy.dist
• python311Packages.textacy
• python311Packages.textacy.dist
• python311Packages.textnets
• python311Packages.textnets.dist
• python311Packages.wandb
• python311Packages.wandb.dist

[LeSuisse]

Cherry-picked patches to bump to 2.12.1. Too many security patches that are not always mentioned (and it seems the Huntr.com page that was the best places to identify most of them is not available anymore). 2.12.1 release notes mentions:

Security Patch: Addressed a critical Local File Read/Path Traversal vulnerability within the Model Registry, ensuring robust protection against unauthorized access and securing user data integrity.

[nbraud]

Result of nixpkgs-review pr 289835 run on x86_64-linux 1

64 packages built:

• dbx
• dbx.dist
• mlflow-server
• mlflow-server.dist
• openai-full
• openai-full.dist
• python310Packages.dalle-mini
• python310Packages.dalle-mini.dist
• python310Packages.fastai
• python310Packages.fastai.dist
• python310Packages.k-diffusion
• python310Packages.k-diffusion.dist
• python310Packages.mlflow
• python310Packages.mlflow.dist
• python310Packages.mmcv
• python310Packages.mmcv.dist
• python310Packages.mmengine
• python310Packages.mmengine.dist
• python310Packages.skrl
• python310Packages.skrl.dist
• python310Packages.spacy
• python310Packages.spacy-loggers
• python310Packages.spacy-loggers.dist
• python310Packages.spacy-lookups-data
• python310Packages.spacy-lookups-data.dist
• python310Packages.spacy-transformers
• python310Packages.spacy-transformers.dist
• python310Packages.spacy.dist
• python310Packages.textacy
• python310Packages.textacy.dist
• python310Packages.textnets
• python310Packages.textnets.dist
• python310Packages.wandb
• python310Packages.wandb.dist
• python311Packages.dalle-mini
• python311Packages.dalle-mini.dist
• python311Packages.fastai
• python311Packages.fastai.dist
• python311Packages.k-diffusion
• python311Packages.k-diffusion.dist
• python311Packages.mlflow
• python311Packages.mlflow.dist
• python311Packages.mmcv
• python311Packages.mmcv.dist
• python311Packages.mmengine
• python311Packages.mmengine.dist
• python311Packages.skrl
• python311Packages.skrl.dist
• python311Packages.spacy
• python311Packages.spacy-loggers
• python311Packages.spacy-loggers.dist
• python311Packages.spacy-lookups-data
• python311Packages.spacy-lookups-data.dist
• python311Packages.spacy-transformers
• python311Packages.spacy-transformers.dist
• python311Packages.spacy.dist
• python311Packages.textacy
• python311Packages.textacy.dist
• python311Packages.textnets
• python311Packages.textnets.dist
• python311Packages.wandb
• python311Packages.wandb.dist
• tts
• tts.dist

[LeSuisse]

Thanks for the merge, please ping me if a regression is spotted and will see what we can do. Clearly it is not an easy package to maintain.

[LeSuisse]

A bit late but nixpkgs-review is happy on Linux x86_64

Result of nixpkgs-review pr 289835 run on x86_64-linux 1

64 packages built:

• dbx
• dbx.dist
• mlflow-server
• mlflow-server.dist
• openai-full
• openai-full.dist
• python310Packages.dalle-mini
• python310Packages.dalle-mini.dist
• python310Packages.fastai
• python310Packages.fastai.dist
• python310Packages.k-diffusion
• python310Packages.k-diffusion.dist
• python310Packages.mlflow
• python310Packages.mlflow.dist
• python310Packages.mmcv
• python310Packages.mmcv.dist
• python310Packages.mmengine
• python310Packages.mmengine.dist
• python310Packages.skrl
• python310Packages.skrl.dist
• python310Packages.spacy
• python310Packages.spacy-loggers
• python310Packages.spacy-loggers.dist
• python310Packages.spacy-lookups-data
• python310Packages.spacy-lookups-data.dist
• python310Packages.spacy-transformers
• python310Packages.spacy-transformers.dist
• python310Packages.spacy.dist
• python310Packages.textacy
• python310Packages.textacy.dist
• python310Packages.textnets
• python310Packages.textnets.dist
• python310Packages.wandb
• python310Packages.wandb.dist
• python311Packages.dalle-mini
• python311Packages.dalle-mini.dist
• python311Packages.fastai
• python311Packages.fastai.dist
• python311Packages.k-diffusion
• python311Packages.k-diffusion.dist
• python311Packages.mlflow
• python311Packages.mlflow.dist
• python311Packages.mmcv
• python311Packages.mmcv.dist
• python311Packages.mmengine
• python311Packages.mmengine.dist
• python311Packages.skrl
• python311Packages.skrl.dist
• python311Packages.spacy
• python311Packages.spacy-loggers
• python311Packages.spacy-loggers.dist
• python311Packages.spacy-lookups-data
• python311Packages.spacy-lookups-data.dist
• python311Packages.spacy-transformers
• python311Packages.spacy-transformers.dist
• python311Packages.spacy.dist
• python311Packages.textacy
• python311Packages.textacy.dist
• python311Packages.textnets
• python311Packages.textnets.dist
• python311Packages.wandb
• python311Packages.wandb.dist
• tts
• tts.dist