New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bump golang.org/grpc to v1.56.3 #121364
bump golang.org/grpc to v1.56.3 #121364
Conversation
Welcome @sxd! |
Hi @sxd. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/triage accepted |
Please run |
/retest-required |
@@ -75,7 +75,6 @@ | |||
"status": { | |||
"unwantedReferences": { | |||
"cloud.google.com/go": [ | |||
"cloud.google.com/go/compute", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
huh... I'm happy to see this drop out, but later / current versions of cloud.google.com/go/compute
still depend on cloud.google.com/go
, so I won't be surprised to see it come back.
The big win will be when cloud.google.com/go/compute/metadata
stops depending on cloud.google.com/go/compute
, and all the other things we have depending on cloud.google.com/go/compute
below start dropping out. I think that will happen early next year along with the genproto cleanup.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uff sad to hear that, the problem is that with that inside the test fails and this update is required to fix the security issue
@liggitt how do you think we can proceed with this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I started with the even newer version 1.59.0 but that was a lot of more changes required including s2a-go package which it's also unwanted, if we can go with 1.59.0 and remove that unwanted one it's ok
The version 1.56.3 it's the one that requires less changes in the code and manage to fix the security issue with few changes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the s2a-go issue in particular was discussed in slack here:
John Howard
The new version of cloud.google.com/go/compute pulls in an "unwanted dependency" s2a-go. Any action we need to do here? Remove from unwanted? Complain to go/compute repo? Don't update go/compute? Running into this in #120241. Can work around it in that PR sort of, though.Stephen Kitt
... or add it to the status for cloud.google.com/go/compute in unwanted-dependencies.json — the former is already an unwanted module, so adding a cloud dependency to an existing unwanted cloud dependency doesn’t change much in the grand scheme of things IMOStephen Kitt
What would be really unwanted would be adding s2a-go as a dependency for a non-unwanted module, or a direct k/k dependency.liggitt
there were two reasons it was marked as unwanted:
- unstable (due to vestigial content in the readme from when it was under development) that has since been removed - update readme google/s2a-go#120
- a transitive dependency it had on appengine code (cloud dependencies) that has since been removed - remove appengine dialer google/s2a-go#119
the current state of that library means it doesn't pull in objectionable transitive dependencies any more
that said, we don't want more dependencies in general, so we look hard at any additions. in this case, it looks like the only referencer is cloud.google.com/go/compute, which we have a timeline of ~next March for dropping. +1 to Stephen Kitt’s comment about tracking the things that pull in s2a-go and limiting it to cloud deps we have a plan to drop, so this will drop out along with them
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't in that channel, ok so it make sense to restrict the s2a-go dependency to the already existed dependency that as I checked it was only the go/compute thing, probably @dims can target version 1.59.0 on his PR and we can drop this one that actually fix only the gprc because I thought #121338 was only about OTEL :D
Closing this one to let the other one proceed
oh! well that will make sense since this will not have a big impact and I'm guessing it can be backported easily |
/lgtm |
LGTM label has been added. Git tree hash: 913ba5d646ba6725dce0a85ccadf255e40edc160
|
/retest |
/kind bug |
This PR bumps the Shouldn't this be updating to |
@orsenthil see https://github.com/grpc/grpc-go/releases/tag/v1.56.3 has the same fix |
Do we have any plan merging this PR to other release versions v1.26-v1.28 rather than master/v1.29 release? |
1.26/1.27/1.28 are here, 1.25 is out of support starting tomorrow, so won't file one for that: |
…-upstream-release-1.28 Automated cherry pick of #121364: bump golang.org/grpc to v1.56.3
…-upstream-release-1.27 Automated cherry pick of #121364: bump golang.org/grpc to v1.56.3
…-upstream-release-1.26 Automated cherry pick of #121364: bump golang.org/grpc to v1.56.3
Bumping golang.org/grpc in light of CVE-2023-44487.
What type of PR is this?
What this PR does / why we need it:
Fix the issues reported by CVE-2023-44487 fixed in release 1.58.3
Does this PR introduce a user-facing change?