-
Notifications
You must be signed in to change notification settings - Fork 47
Upgrade grpcio to 1.60.0 to fix CVE-2023-1428 #174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
BewareMyPower
merged 2 commits into
apache:main
from
BewareMyPower:bewaremypower/fix-cve
Dec 13, 2023
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use 1.53.0, the minimum viable version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, when upgrading a dependency, it's better to use the latest version at that moment if it does not break the compatibility. Though this repo does not check the compatibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the dependency requirement instead of the specific dependency version. It's not like the dependency version control like in maven pom. I think maybe a good practice is to upgrade the requirement to the minimum viable version. What do you think of this point?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's compatible to install, the version will be minimum required version. I tested it locally and verified 1.60.0 could be installed with other dependencies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a workflow to verify the installation in CI. It's not like Maven because sometimes the Python wheel uses the underlying C extension (like the Pulsar Python C++ client) and a specific version of dependency A might not be compatible with dependency B due to the symbols conflict or something else.
However, if all dependencies are compatible, using the latest version is good. Here we use
grpcio>=1.60.0means in future if another dependency breaks the compatibility withgrpc==1.60.0, there will be a chance to install a higher version ofgrpcio.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if users introduce another dependency compatible with grpcio 1.53.0 but not with 1.60? Maybe that dependency depends on a behavior supported in 1.53.0 but not 1.60.0? When installing the Python client, the pip will upgrade the existing grpcio to 1.60.0, which may conflict with other dependencies.
I didn't find any breaking changes from grpcio 1.53.0 to 1.60.0. So I'm OK with this PR. However, I would like to discuss the best practice for the dependency requirements.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another question: what if users introduced another dependency compatible with grpcio 1.60 but not with 1.53.0?
There is no best practice. But in general, a new release should be better than an older one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, you assume the existing
grpcioversion is in [1.53, 1.60). If thegrpcioversion is less than 1.53, there will be no difference.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That should be a common case. Support we use
grpcio>=1.53.0, then thatanother dependencyshould define the requirements withgrpcio>=1.60.0. The pip will upgrade the grpcio to 1.60, and everything should be fine.Why? I am assuming the grpcio version <1.60.
Suppose we have another dependency A that requires grpcio version in [1.40,1.55].
If the existing grpcio version < 1.53(Let's suppose it as 1.40) :
grpcio>=1.53.0, the pip will upgrade the grpcio to 1.53.0. All works fine.grpcio>=1.60.0, the pip will uggrade the grpcio to 1.60.0. The dependency A isn't compatible with this.