
Set grpcio minimum version to 1.59.3 so that Alpine py3-grpcio can be used #211

Merged
merged 1 commit into from
May 7, 2024

Conversation

lhotari
Member

@lhotari lhotari commented Apr 30, 2024

Motivation

When using the Alpine base image in Pulsar, there's a need to compile grpcio from source when 1.60.0 version is required. It's better to allow grpcio version 1.59.3 so that Alpine's py3-grpcio can be used to fulfill the requirement.
Please see apache/pulsar#22613 for more context.

Modifications

  • downgrade grpcio dependency to 1.59.3

Additional context

  • there's no specific minimum version constraint originating from pulsar-client-python
  • the grpcio minimum version was set to 1.60.0 in this commit: 162afd5. The referenced CVE requires 1.53.0, so there doesn't seem to be any reason why we couldn't downgrade to 1.59.3.

… can be used

- there's no specific minimum version constraint originating from pulsar-client-python
  - grpcio is required by apache-bookkeeper-client. The dependencies are defined in
    https://github.com/apache/bookkeeper/blob/master/stream/clients/python/setup.py
    The version in this file is >= 1.8.2
@nodece
Member

nodece commented Apr 30, 2024

I suggest using 1.53.0 as the minimum version, just to consider multiple OSes.

@lhotari
Member Author

lhotari commented Apr 30, 2024

> I suggest using 1.53.0 as the minimum version, just to consider multiple OSes.

There might be other CVEs. Which OS do you have in mind?

@nodece
Member

nodece commented Apr 30, 2024

> There might be other CVEs.

Good catch, see GHSA-p25m-jpj4-qcrr

Must be equal to or greater than 1.55.3.

> Which OS do you have in mind?

Now it seems that only alpine-3.18.

For other OS, the users can use the pip to install the grpcio.
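The thread above is weighing three things against each other: the fixed versions named by the grpcio advisories (1.53.0 for the CVE cited in the PR description, 1.55.3 for GHSA-p25m-jpj4-qcrr), the version a distro actually packages (Alpine's py3-grpcio at 1.59.3), and the floor the project declares. The script below is an added example, not code from pulsar-client-python or the thread, that encodes that decision: it takes a proposed floor, reports which advisories the floor fails to cover, and reports which of a constructed set of package sources can satisfy it. The advisory table and the "available" table are constructed sample data using the version numbers the thread quotes; the labels and the source names are illustrative assumptions. The version parser deliberately handles only plain `X.Y[.Z]` releases plus `a`/`b`/`rc` pre-release tags so the example stays stdlib-only; for a real project use `packaging.version` / `packaging.specifiers`, which implement all of PEP 440.

```python
import re

# Constructed table of advisory-driven lower bounds. The version numbers are
# the ones quoted in the PR thread; the first label is an assumption (the PR
# only says "the referenced CVE" in commit 162afd5).
ADVISORY_FLOORS = {
    "CVE referenced by commit 162afd5": "1.53.0",
    "GHSA-p25m-jpj4-qcrr": "1.55.3",
}

# Constructed table of what a package source ships. 1.59.3 is the Alpine 3.18
# py3-grpcio version discussed in the thread; the PyPI entry is an assumption.
AVAILABLE = {
    "alpine-3.18 py3-grpcio": "1.59.3",
    "pypi wheel": "1.62.1",
}

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Parse 'X.Y[.Z][{a|b|rc}N]' into a tuple that compares numerically.

    Comparing the raw strings would be wrong: '1.8.2' > '1.53.0' lexically,
    and '1.60.0rc1' > '1.60.0'. Tuples of ints fix both.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def unmet_advisories(floor, advisories=ADVISORY_FLOORS):
    """Advisories whose fixed version is higher than the proposed floor.

    A non-empty result means the floor would still admit a vulnerable release.
    """
    f = parse_version(floor)
    return [name for name, fixed in advisories.items() if parse_version(fixed) > f]


def installable_sources(floor, available=AVAILABLE):
    """Package sources whose shipped version satisfies '>= floor'."""
    f = parse_version(floor)
    return [src for src, ver in available.items() if parse_version(ver) >= f]


def evaluate_floor(floor):
    """Summarise a candidate minimum version: is it safe, and who can ship it?"""
    return {
        "floor": floor,
        "unmet_advisories": unmet_advisories(floor),
        "installable_from": installable_sources(floor),
    }


if __name__ == "__main__":
    # The three floors the thread discusses: the old one, the proposed one,
    # and the one suggested as a multi-OS compromise.
    for candidate in ("1.60.0", "1.59.3", "1.53.0"):
        print(evaluate_floor(candidate))
```

Run as a script it prints one summary per candidate floor. 1.60.0 is covered by both advisories but only the PyPI wheel satisfies it, which is the source-build problem the PR is about; 1.59.3 is still above both advisory fixes and the distro package can satisfy it; 1.53.0 would admit releases below the GHSA-p25m-jpj4-qcrr fix, which is the objection raised in the thread. The parser's tuple ordering is the part worth keeping in mind when writing such checks by hand: lexical string comparison silently gets both multi-digit components and pre-release tags wrong.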

@nodece
Member

nodece commented May 7, 2024

Any updates?

@nodece nodece requested review from RobertIndie and shibd May 7, 2024 02:40
@merlimat merlimat merged commit c3c12c4 into apache:main May 7, 2024
11 checks passed
@nodece
Member

nodece commented May 8, 2024

Do you have a release plan? If not, the pulsar 3.3.0 arm image will take about 2 hours to build the grpcio wheel, please see https://github.com/nodece/pulsar-python-deps-build/actions/runs/8891459473/job/24418839959#step:6:315 for details.
