
[Branch-4.16] Downgrade grpc and protobuf to avoid introducing breaking change #4001

Merged: 2 commits, Jun 26, 2023

Conversation

zymap
Member

@zymap zymap commented Jun 25, 2023


Motivation

We upgraded grpc and protobuf to address CVE-2023-32732, but that requires protobuf 3.22+. Protobuf 3.22.0 introduces a breaking change: it requires every sub-project that depends on BookKeeper to upgrade to protobuf 3.22.0+. That should not be acceptable in a minor release.

So we use lower versions of grpc and protobuf to address the CVE.

See more context: #3997

@zymap zymap requested review from hangc0276 and eolivelli June 25, 2023 08:33
@zymap zymap self-assigned this Jun 25, 2023
@zymap
Member Author

zymap commented Jun 25, 2023

@lhotari PTAL, thanks

@zymap zymap changed the title Downgrade gprc to 1.54.1 Downgrade grpc and protobuf to avoid introducing breaking change Jun 25, 2023
Contributor

@hangc0276 hangc0276 left a comment


Good job!

@zymap
Member Author

zymap commented Jun 25, 2023

protocolbuffers/protobuf#11393: another compatibility issue with JDK 8. I need to downgrade protobuf to 3.21.9.
They have fixed it but not released it yet: protocolbuffers/protobuf#12036
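The two constraints discussed in the PR description and in the comment above (grpc at a version that still addresses CVE-2023-32732, protobuf below 3.22.0 to avoid the breaking change, and 3.21.9 for JDK 8) are easy to violate again the next time a transitive dependency bumps protobuf. The following is an added example, not code from this PR or from the BookKeeper build: a small Python check that parses `mvn dependency:list` style output and asserts that every resolved artifact in a constrained group sits inside an allowed version window. The sample dependency listings are constructed, and the window bounds (grpc >= 1.54.1, 3.21.9 <= protobuf < 3.22.0) are assumptions taken from this thread, not from the project's build files.

```python
"""
Gate a Maven build on resolved dependency versions: new enough to carry a
security fix, old enough to avoid a known breaking change.

Added example for this PR discussion; the version windows below are
assumptions taken from the thread, not the project's own constraints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of `mvn dependency:list` output
# (group:artifact:type[:classifier]:version:scope, one per line).
SAMPLE_DEPENDENCY_LIST = """\
The following files have been resolved:
   io.grpc:grpc-core:jar:1.54.1:compile
   io.grpc:grpc-netty:jar:1.54.1:compile
   com.google.protobuf:protobuf-java:jar:3.21.9:compile
   com.google.protobuf:protobuf-java-util:jar:3.21.9:compile
   io.netty:netty-handler:jar:4.1.89.Final:compile
"""

# Constructed sample of a tree where a transitive bump pulled protobuf
# past the breaking 3.22.0 line and grpc sits below the fix version.
BROKEN_DEPENDENCY_LIST = """\
The following files have been resolved:
   io.grpc:grpc-core:jar:1.53.0:compile
   io.grpc:grpc-stub:jar:1.53.0:compile
   com.google.protobuf:protobuf-java:jar:3.22.0:compile
   io.netty:netty-handler:jar:4.1.89.Final:compile
"""


@dataclass(frozen=True)
class VersionWindow:
    group: str
    min_inclusive: str            # lowest version that carries the fix
    max_exclusive: Optional[str]  # first version with the breaking change; None = no cap
    reason: str


# Assumed windows, read off this PR thread (not the BookKeeper pom):
#  - grpc 1.54.1 is the version the PR settles on as still addressing CVE-2023-32732
#  - protobuf 3.22.0 introduces the breaking change; 3.21.9 is what the PR pins for JDK 8
WINDOWS = [
    VersionWindow("io.grpc", "1.54.1", None, "CVE-2023-32732 fix"),
    VersionWindow("com.google.protobuf", "3.21.9", "3.22.0",
                  "breaking change in 3.22.0; PR pins 3.21.9 for JDK 8"),
]

DEP_LINE = re.compile(
    r"^\s*(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[^:]+):(?P<scope>\w+)\s*$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.21.9' into (3, 21, 9) for tuple comparison.

    Numeric components are read until the first non-numeric qualifier
    ('4.1.89.Final' -> (4, 1, 89)); qualifiers such as rc1 are not ordered
    here, which is an assumption acceptable for release-only dependency trees.
    """
    key = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            key.append(int(part))
        else:
            break
    return tuple(key)


def parse_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, version) for each resolved artifact line."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"]))
    return deps


def check_windows(deps, windows=WINDOWS) -> List[str]:
    """Return one violation string per artifact outside its window; [] means clean."""
    violations = []
    for group, artifact, version in deps:
        for w in windows:
            if group != w.group:
                continue
            v = version_key(version)
            coord = f"{group}:{artifact}:{version}"
            if v < version_key(w.min_inclusive):
                violations.append(f"{coord} is below {w.min_inclusive} ({w.reason})")
            elif w.max_exclusive and v >= version_key(w.max_exclusive):
                violations.append(f"{coord} is at or above {w.max_exclusive} ({w.reason})")
    return violations


if __name__ == "__main__":
    for name, listing in (("good", SAMPLE_DEPENDENCY_LIST), ("broken", BROKEN_DEPENDENCY_LIST)):
        problems = check_windows(parse_dependency_list(listing))
        print(f"{name}: {'OK' if not problems else chr(10).join(problems)}")
```

Running it against the output of `mvn dependency:list -DoutputFile=deps.txt` (or piping `mvn dependency:list` through the parser) in CI makes the resolved versions, not the declared ones, the thing that is checked, which is what catches a transitive pull of protobuf 3.22.x by a newer grpc.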

@hangc0276
Contributor

LGTM

@hangc0276 hangc0276 changed the title Downgrade grpc and protobuf to avoid introducing breaking change [Branch-4.16] Downgrade grpc and protobuf to avoid introducing breaking change Jun 25, 2023
@zymap zymap merged commit 9f63cf7 into apache:branch-4.16 Jun 26, 2023
zymap added a commit that referenced this pull request Dec 7, 2023
…ng change (#4001)

* Downgrade grpc to 1.54.1
(cherry picked from commit 9f63cf7)
3 participants