Looks like shading the dependency is a good idea. It can break the dependency cycle.

+1 to shade the dependency

Best regards,
Yong

On Fri, 15 Dec 2023 at 02:58, Lari Hotari <lhot...@apache.org> wrote:

> I would like to make a minor correction to my previous email:
>
> The pull request https://github.com/apache/bookkeeper/pull/3992 has been merged into the master branch and not rolled back. Consequently, CVE-2023-32732 has been resolved in the master branch with gRPC 1.56.0. However, this change was only rolled back in the branch-4.16 due to the compatibility issues described in the previous email.
>
> Looking ahead, once version 4.17 is released from the master branch, we should be able to use it in Pulsar. This will enable us to upgrade gRPC and protobuf to match the versions used in Bookkeeper, as we have done previously. However, it would be great if we could find a solution to break this dependency cycle.
>
> -Lari
>
> On 2023/12/14 18:42:04 Lari Hotari wrote:
> > Dear all,
> >
> > I'm reaching out to discuss an ongoing issue in Pulsar related to CVE-2023-32732, which necessitates upgrading gRPC in Pulsar. Although this CVE isn't critical, it's flagged by CVE scanners, and addressing it requires careful coordination of upgrades for gRPC and Protobuf libraries in both Pulsar and Bookkeeper.
> >
> > Currently, we face a challenge due to a strong dependency on gRPC and Protobuf library versions: upgrades must first occur in Bookkeeper and then in Pulsar to maintain compatibility. On the Pulsar side, the primary issues stem from Protobuf version upgrades in addition to the gRPC incompatibility with the Bookkeeper StateStore client.
> >
> > In June I made an attempt to upgrade grpc and protobuf in both Pulsar and Bookkeeper:
> > https://github.com/apache/pulsar/pull/20602 (this was never merged due to failing tests)
> > https://github.com/apache/bookkeeper/pull/3992 (this was merged, but it had to be rolled back)
> > https://github.com/apache/bookkeeper/pull/4000 (closed as invalid solution)
> >
> > In Bookkeeper, we had cherry-picked the upgrade to branch-4.16 and that had to be downgraded with https://github.com/apache/bookkeeper/pull/4001, because of compatibility issues.
> >
> > A discovery during these changes was the compatibility policy of protobuf (https://protobuf.dev/support/cross-version-runtime-guarantee/), which states that cross-version runtime support isn't guaranteed. I have also understood that grpc has a similar policy. This policy poses a challenge, as it necessitates the use of identical grpc and protobuf versions across both Pulsar and Bookkeeper.
> >
> > To address this, one potential solution could be shading grpc & protobuf in the bookkeeper client that exposes these dependencies. This might resolve the compatibility issue in the bookkeeper client libraries.
> >
> > I welcome your thoughts and suggestions on this matter.
> >
> > Best regards,
> >
> > Lari
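The shading approach discussed in the thread, shown as an added example that is not the Bookkeeper project's own build configuration: a maven-shade-plugin section that relocates gRPC and protobuf inside a client jar so that the consumer (here, Pulsar) can run any gRPC/protobuf version on its own classpath without clashing with the one the client was compiled against. The artifact coordinates, module name and the `org.apache.bookkeeper.shaded` relocation prefix are assumptions for illustration; the real module layout may differ.

```xml
<!-- Added example, not the project's pom.xml. Assumed module: a hypothetical
     "bookkeeper-client-shaded" artifact that bundles and relocates gRPC and
     protobuf so downstream users are decoupled from those versions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>shade</goal>
          </goals>
          <configuration>
            <!-- Publish a pom without the shaded deps so consumers do not
                 transitively pull in a second, unrelocated gRPC/protobuf. -->
            <createDependencyReducedPom>true</createDependencyReducedPom>
            <artifactSet>
              <includes>
                <!-- Only the libraries whose cross-version runtime behaviour
                     is not guaranteed are bundled; everything else stays a
                     normal, resolvable dependency. -->
                <include>io.grpc:*</include>
                <include>com.google.protobuf:*</include>
              </includes>
            </artifactSet>
            <relocations>
              <relocation>
                <pattern>io.grpc</pattern>
                <shadedPattern>org.apache.bookkeeper.shaded.io.grpc</shadedPattern>
              </relocation>
              <relocation>
                <pattern>com.google.protobuf</pattern>
                <shadedPattern>org.apache.bookkeeper.shaded.com.google.protobuf</shadedPattern>
              </relocation>
            </relocations>
            <transformers>
              <!-- gRPC discovers NameResolverProvider / LoadBalancerProvider /
                   ManagedChannelProvider through META-INF/services. Without
                   this transformer the relocated jar merges those files
                   incorrectly and channel creation fails at runtime. -->
              <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
            </transformers>
            <filters>
              <filter>
                <artifact>*:*</artifact>
                <excludes>
                  <!-- Signature files from bundled jars no longer match the
                       relocated class bytes; keeping them causes a
                       SecurityException when the jar is loaded. -->
                  <exclude>META-INF/*.SF</exclude>
                  <exclude>META-INF/*.DSA</exclude>
                  <exclude>META-INF/*.RSA</exclude>
                </excludes>
              </filter>
            </filters>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Two things to check after building such a jar: `jar tf` on the output should show classes only under `org/apache/bookkeeper/shaded/io/grpc` and `org/apache/bookkeeper/shaded/com/google/protobuf` (no unrelocated `io/grpc` or `com/google/protobuf` entries), and the relocated `META-INF/services/org.apache.bookkeeper.shaded.io.grpc.*` files must still list the providers, otherwise gRPC's ServiceLoader-based discovery silently finds nothing. Note that the fix isolates the client's own copy of the libraries; the security-relevant version (the gRPC version the CVE scanner flags) is then the one bundled inside the shaded jar, so the scanner must be pointed at that artifact's contents rather than only at declared dependencies.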