Hello,

+1 for moving to the new version and accepting the minimally increased
memory consumption.
This is extremely unlikely to cause any issues in practice that cannot be
fixed almost instantly on the user side.

This is the right and future-proof thing to do.

Cheers,
Gyula

On Thu, Jan 16, 2025 at 4:16 PM Alexander Fedulov <alexander.fedu...@gmail.com> wrote:

> cc Norman
>
> On Thu, 16 Jan 2025 at 16:12, Alexander Fedulov <alexander.fedu...@gmail.com> wrote:
>
> > Hi all,
> >
> > We have one remaining blocker for the 1.19.2 and 1.20.1 releases, namely
> > the issue associated with ticket FLINK-36510: *"Upgrade Pekko from 1.0.1
> > to 1.1.2"* [1]. Here is the context:
> >
> >    - The flink-rpc module is currently based on Pekko 1.0.1, which
> >    bundles Netty version 3.10.6. Netty 3.10.6 is the last 3.x release and
> >    officially reached EOL more than eight years ago. It contains at
> >    least 20 known critical vulnerabilities [2].
> >    - FLINK-36510 [1] upgrades flink-rpc to Pekko 1.1.2, which introduces
> >    a long-awaited migration to Netty 4.x.
> >    - Memory allocation in Netty 4.x differs from Netty 3.x and has a
> >    larger memory footprint with default settings [3].
> >    - Norman Maurer, Netty's project lead, strongly recommends moving
> >    away from Netty 3 as soon as possible [4].
> >    - According to Norman, setting -Dio.netty.allocator.type=unpooled
> >    should approximate Netty 3's memory behavior at the expense of
> >    performance improvements that Netty 4 would otherwise provide. That
> >    said, Netty 4 with -Dio.netty.allocator.type=unpooled is not expected
> >    to perform worse than Netty 3.
> >    - Although this change might seem too substantial for a patch release,
> >    I propose proceeding with it due to the accumulated risks of staying
> >    on Netty 3.10.6. This will need to be addressed in a 1.20 as a patch
> >    release anyway, given that 1.20 is designated as LTS, and we can
> >    expect Netty 3 to accrue even more CVEs over time.
> >
> > Here you can find more details of the ongoing discussion [5].
> >
> > Looking forward to hearing the community's thoughts on whether we should
> > proceed with the proposed changes.
> >
> > [1] https://issues.apache.org/jira/browse/FLINK-36510
> > [2] https://mvnrepository.com/artifact/io.netty/netty/3.10.6.Final
> > [3] https://issues.apache.org/jira/browse/FLINK-36510?focusedCommentId=17911219&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17911219
> > [4] https://github.com/apache/flink/pull/25866#issuecomment-2595168560
> > [5] https://github.com/apache/flink/pull/25866
> >
> > Best,
> > Alex
> >
>
