This is an automated email from the ASF dual-hosted git repository. mmerli pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/pulsar-client-python.git
The following commit(s) were added to refs/heads/main by this push: new e463ef3 Bump manylinux versions for CVEs (#250) e463ef3 is described below commit e463ef394aa7ba7d6c378f6d4ef65f2b1461a565 Author: Yunze Xu <xyzinfern...@163.com> AuthorDate: Wed Apr 23 00:06:16 2025 +0800 Bump manylinux versions for CVEs (#250) * Bump manylinux versions for CVEs The `libgcc.so` is packaged for Linux wheels via `auditwheel`. However, currently the `manylinux2014` and `musllinux_1_1` images are used, where the GCC version is 9.3.0 that has CVEs. This patch bumps the images to `manylinux_2_28` and `musllinux_1_2` to have a higher version `libgcc`. * Use ubuntu-latest runner * Fix build script --- .github/workflows/ci-build-release-wheels.yaml | 4 ++-- .github/workflows/ci-pr-validation.yaml | 8 ++++---- pkg/build-wheel-inside-docker.sh | 6 +++--- pkg/{manylinux2014 => manylinux}/Dockerfile | 2 +- pkg/{manylinux2014 => manylinux}/pulsar-client-cpp-3.7.0.patch | 0 pkg/manylinux_musl/Dockerfile | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-build-release-wheels.yaml b/.github/workflows/ci-build-release-wheels.yaml index 3909efa..0e47360 100644 --- a/.github/workflows/ci-build-release-wheels.yaml +++ b/.github/workflows/ci-build-release-wheels.yaml @@ -31,14 +31,14 @@ jobs: linux-wheel: name: Wheel ${{matrix.image.name}} - Py ${{matrix.python.version}} - ${{matrix.cpu.platform}} - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 300 strategy: fail-fast: false matrix: image: - - {name: 'manylinux2014', py_suffix: ''} + - {name: 'manylinux', py_suffix: ''} - {name: 'manylinux_musl', py_suffix: '-alpine'} python: - {version: '3.9', spec: 'cp39-cp39'} diff --git a/.github/workflows/ci-pr-validation.yaml b/.github/workflows/ci-pr-validation.yaml index db4a622..01a3543 100644 --- a/.github/workflows/ci-pr-validation.yaml +++ b/.github/workflows/ci-pr-validation.yaml 
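Review bot: `runs-on: ubuntu-latest` in the release-wheel job replaces a fixed runner image with a label that GitHub re-points to a newer Ubuntu release over time, so the host that builds published wheels can change without any commit in this repository. The wheel contents come from the manylinux/musllinux containers, but the host still supplies Docker and, presumably, the emulation used for the non-native `matrix.cpu.platform` builds. Pinning the current release explicitly, e.g. `runs-on: ubuntu-24.04`, keeps release builds attributable to a known image; the same applies to the three `runs-on` changes in `ci-pr-validation.yaml`. The job body continues outside the hunk.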
@@ -29,7 +29,7 @@ concurrency: jobs: check-and-lint: name: Lint and check code - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 @@ -48,7 +48,7 @@ jobs: unit-tests: name: Run unit tests for Python ${{matrix.version}} - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 120 strategy: @@ -105,14 +105,14 @@ jobs: linux-wheel: name: Wheel ${{matrix.image.name}} - Py ${{matrix.python.version}} - ${{matrix.cpu.platform}} needs: unit-tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 300 strategy: fail-fast: false matrix: image: - - {name: 'manylinux2014', py_suffix: ''} + - {name: 'manylinux', py_suffix: ''} - {name: 'manylinux_musl', py_suffix: '-alpine'} python: - {version: '3.13', spec: 'cp313-cp313'} diff --git a/pkg/build-wheel-inside-docker.sh b/pkg/build-wheel-inside-docker.sh index d3cd6e5..8ed4875 100755 --- a/pkg/build-wheel-inside-docker.sh +++ b/pkg/build-wheel-inside-docker.sh @@ -31,14 +31,14 @@ fi PULSAR_CPP_VERSION=$(cat ./dependencies.yaml | grep pulsar-cpp | awk '{print $2}') if [ $CPP_BINARY_TYPE == "rpm" ]; then - # The pre-built RPM packages have incompatible ABI with manylinux2014, so we have to build from source + # The pre-built RPM packages have incompatible ABI with manylinux, so we have to build from source download_dependency ./dependencies.yaml pulsar-cpp cd apache-pulsar-client-cpp-${PULSAR_CPP_VERSION} git clone https://github.com/microsoft/vcpkg.git cd vcpkg - # manylinux2014 does not have ninja in the system package manager + # manylinux does not have ninja in the system package manager git clone https://github.com/ninja-build/ninja.git cd ninja git checkout release 
@@ -48,7 +48,7 @@ if [ $CPP_BINARY_TYPE == "rpm" ]; then ./bootstrap-vcpkg.sh cd .. if [ $PULSAR_CPP_VERSION == "3.7.0" ]; then - patch lib/CMakeLists.txt $ROOT_DIR/pkg/manylinux2014/pulsar-client-cpp-3.7.0.patch + patch lib/CMakeLists.txt $ROOT_DIR/pkg/manylinux/pulsar-client-cpp-3.7.0.patch fi cmake -B build-cpp -DINTEGRATE_VCPKG=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTS=OFF -DBUILD_DYNAMIC_LIB=ON -DBUILD_STATIC_LIB=ON cmake --build build-cpp -j8 --target install diff --git a/pkg/manylinux2014/Dockerfile b/pkg/manylinux/Dockerfile similarity index 96% rename from pkg/manylinux2014/Dockerfile rename to pkg/manylinux/Dockerfile index 63948cd..a283d6a 100644 --- a/pkg/manylinux2014/Dockerfile +++ b/pkg/manylinux/Dockerfile @@ -18,7 +18,7 @@ # ARG ARCH -FROM quay.io/pypa/manylinux2014_${ARCH} +FROM quay.io/pypa/manylinux_2_28_${ARCH} ARG PYTHON_VERSION ARG PYTHON_SPEC diff --git a/pkg/manylinux2014/pulsar-client-cpp-3.7.0.patch b/pkg/manylinux/pulsar-client-cpp-3.7.0.patch similarity index 100% rename from pkg/manylinux2014/pulsar-client-cpp-3.7.0.patch rename to pkg/manylinux/pulsar-client-cpp-3.7.0.patch diff --git a/pkg/manylinux_musl/Dockerfile b/pkg/manylinux_musl/Dockerfile index 2681b88..29438a2 100644 --- a/pkg/manylinux_musl/Dockerfile +++ b/pkg/manylinux_musl/Dockerfile @@ -18,7 +18,7 @@ # ARG ARCH -FROM quay.io/pypa/musllinux_1_1_${ARCH} +FROM quay.io/pypa/musllinux_1_2_${ARCH} ARG PYTHON_VERSION ARG PYTHON_SPEC
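Review bot: The new `FROM quay.io/pypa/manylinux_2_28_${ARCH}` line carries no tag or digest, so each build pulls whatever `latest` is at that moment and the `libgcc` that `auditwheel` copies into the wheel is not fixed by this commit. Since the stated purpose is to ship a `libgcc` without the GCC 9.3.0 CVEs, pin the image, e.g. `FROM quay.io/pypa/manylinux_2_28_${ARCH}:<dated-tag>` (placeholder), or a per-architecture digest, and bump it deliberately; the `musllinux_1_2_${ARCH}` line in `pkg/manylinux_musl/Dockerfile` has the same gap. It would also help to add a comment above the `FROM` noting that the wheels now require glibc 2.28 or newer (musl 1.2 for the Alpine variant), since that narrows where the wheels install. The Dockerfile continues outside the hunk.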