docs: Drop sphinxcontrib-openapi fork, switch back to upstream #23118
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
qmonnet
added
release-note/misc
qmonnet
added
the
area/documentation
|
Netlify preview breaks on the change :/. |
qmonnet
force-pushed
the
pr/openapi-upstream
branch
from
152aaea
to
c44a461
Compare
This comment was marked as outdated.
This comment was marked as outdated.
maintainer-s-little-helper
bot
added
the
dont-merge/needs-sign-off
This comment was marked as outdated.
This comment was marked as outdated.
qmonnet
force-pushed
the
pr/openapi-upstream
branch
from
c3d1b41
to
d0e8fe4
Compare
This comment was marked as outdated.
This comment was marked as outdated.
qmonnet
force-pushed
the
pr/openapi-upstream
branch
from
d0e8fe4
to
9bd398d
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
|
Struggling to find the latest Netlify preview (I can't log in), but I think the latest build is here, working fine. |
|
Do we need a fresh version of the docs-builder image with this? I see that Travis is failing to build docs due to a dependency conflict. |
Once upon a time, Cilium docs used the openapi Sphinx add-on to generate its API reference based on the code. And things were good. One day, Dependabot raised a security alert, stating that Mistune v2.0.2 was vulnerable to catastrophic backtracking [0] - this is a regex parsing thing. Mistune was a dependency to m2r, an add-on to parse Markdown in Sphinx, which in turn was a dependency to openapi. The easy path would have been to update m2r to use the latest, fixed Mistune version; but m2r was incompatible with Mistune >= 2.0.0, and also it was no longer in development. There was a fork, m2r2, which had little activity, and would avoid the security issue by very simply pinning the Mistune version to 0.8.4 (which would either fail to build Cilium's reference correctly, or bring some incompatibilities with other dependencies, at this point the narrator does not remember for sure). There was a fork of the fork, sphinx-mdinclude. We could use that project to update openapi, except that it was not compatible with recent versions of docutils, and that this would cause openapi's test suite to fail to pass. ... So we ended up forking the openapi repository to update the dependency to sphinx-mdinclude locally, and this is what we've been using since last summer. And things were good again. But things are even better when they go upstream [citation needed]. We also filed the issue for docutils compatibility in sphinx-mdinclude [1]. It was fixed (thanks!). We submitted a PR to have openapi switch to sphinx-mdinclude [2]. It was adjusted (thanks!), merged, and a new tag was created. Now at last, we can switch back to the upstream version of openapi! [And the build system lived happily ever after.] [0]: GHSA-fw3v-x4f2-v673 [1]: omnilib/sphinx-mdinclude#8 [2]: sphinx-contrib/openapi#127 I did _not_ run `make -C Documentation update-requirements`, because the resulting changes seemed to break the Netlify preview [3]. I stuck to openapi and bumped sphinx-mdinclude to >= 0.5.2, as required by openapi. [3] https://app.netlify.com/sites/docs-cilium-io/deploys/63c55fcc5531c6000838b87c Signed-off-by: Quentin Monnet <quentin@isovalent.com>
qmonnet
force-pushed
the
pr/openapi-upstream
branch
from
9bd398d
to
3eee19a
Compare
Yes please. It shouldn't be strictly necessary for the docs to keep building, but it would allow us to delete the cilium/openapi fork. I warned the folks who had started to rely on it, they're switching back to upstream as well.
Good catch, thanks! I don't understand why I failed to observe this either locally or in the CI workflow for docs or on the Netlify build 🤔. I bumped sphinx-mdinclude in requirements.txt, let's see how it goes now. |
qmonnet
added
the
needs-backport/1.13
joestringer
approved these changes
Feb 4, 2023
|
I've triggered a new docs-builder job with these changes, tag |
|
Thanks, I'll send a PR to update the image. I see that the 1.12 branch is also using the fork, so I'll tag the current PR for backport there. I think it should be safe to backport, although I haven't tested. |
pchaigno
added
backport-pending/1.13
aanm
added
backport-done/1.13
pchaigno
added
backport-pending/1.12
backport-done/1.12
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once upon a time, Cilium docs used the openapi Sphinx add-on to generate its API reference based on the code. And things were good.
One day, Dependabot raised a security alert, stating that Mistune v2.0.2 was vulnerable to catastrophic backtracking - this is a regex parsing thing. Mistune was a dependency to m2r, an add-on to parse Markdown in Sphinx, which in turn was a dependency to openapi.
The easy path would have been to update m2r to use the latest, fixed Mistune version; but m2r was incompatible with Mistune >= 2.0.0, and also it was no longer in development.
There was a fork, m2r2, which had little activity, and would avoid the security issue by very simply pinning the Mistune version to 0.8.4 (which would either fail to build Cilium's reference correctly, or bring some incompatibilities with other dependencies, at this point the narrator does not remember for sure).
There was a fork of the fork, sphinx-mdinclude. We could use that project to update openapi, except that it was not compatible with recent versions of docutils, and that this would cause openapi's test suite to fail to pass.
... So we ended up forking the openapi repository to update the dependency to sphinx-mdinclude locally, and this is what we've been using since last summer. And things were good again.
But things are even better when they go upstream [citation needed]. We also filed the issue for docutils compatibility in sphinx-mdinclude. It was fixed (thanks!). We submitted a PR to have openapi switch to sphinx-mdinclude. It was adjusted (thanks!), merged, and a new tag was created.
Now at last, we can switch back to the upstream version of openapi!
And the build system lived happily ever after.
I did not run
make -C Documentation update-requirements, because the resulting changes seemed to break the Netlify preview. I stuck to openapi and bumped sphinx-mdinclude to >= 0.5.2, as required by openapi.