GH-41100: [Python][Packaging] Update vcpkg to avoid compromised version of xz #41106
@github-actions crossbow submit -g wheel
Revision: 9226c87 Submitted crossbow builds: ursacomputing/crossbow @ actions-d9ae2f8864
@@ -92,13 +92,13 @@ DEVTOOLSET_VERSION= | |||
# Used through docker-compose.yml and serves as the default version for the | |||
# ci/scripts/install_vcpkg.sh script. Prefer to use short SHAs to keep the | |||
# docker tags more readable. | |||
VCPKG="a42af01b72c28a8e1d7b48107b33e4f286a55ef6" # 2023.11.20 Release | |||
VCPKG="a34c873a9717a888f58dc05268dea15592c2f0ff" # 2024.03.25 Release |
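Review bot: The new VCPKG pin moves to the 2024.03.25 release without recording which liblzma/xz version that tag's ports tree ships, which is the one property this PR's title says the bump is meant to control. Confirm the version under ports/liblzma at this commit before merging and state it next to the pin or in the PR description. Separately, the comment above the variable says to prefer short SHAs for readable docker tags, but both the old and new values are full 40-character SHAs; either shorten the value or update the comment so the two agree.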
We should not use this revision because it uses xz 5.6.0: https://github.com/microsoft/vcpkg/tree/2024.03.25/ports/liblzma
Thanks @kou, so this is the newest we can use until vcpkg creates a new tag:
https://github.com/microsoft/vcpkg/tree/2024.02.14/ports/liblzma
Yes. But it seems that we don't need this PR because https://github.com/tukaani-project/xz is enabled again.
Indeed: microsoft/vcpkg#37841 (comment). That should mean it should just work again (the vcpkg version we are currently using is an older one that has a non-affected version of liblzma).
I am closing this PR as unnecessary then. I'll try to update vcpkg once a new tag is created.
It's good to update the vcpkg tag from time to time, but that's not critical for the release I think (we updated it relatively recently).
Rationale for this change
New wheels are currently failing to build.
What changes are included in this PR?
Updating vcpkg
Are these changes tested?
Via archery
Are there any user-facing changes?
No