Thanks for the summary Alex!

+1 to keep Netty4.

Best,
Ferenc




On Thursday, January 16th, 2025 at 17:02, Tom Cooper <c...@tomcooper.dev> wrote:

> 
> 
> +1 on keeping the upgraded Pekko for 1.20.1.
> 
> From what I could see, the only issues occurred in an end-to-end test that set 
> the available memory to 7MB.
> As that is unlikely to be a situation seen in the wild, I think the CVE fixes 
> alone are worth it.
> 
> Thanks,
> 
> Tom Cooper
> @tomncooper | tomcooper.dev
> 
> 
> On Thursday, 16 January 2025 at 15:12, Alexander Fedulov 
> alexander.fedu...@gmail.com wrote:
> 
> > Hi all,
> > 
> > We have one remaining blocker for the 1.19.2 and 1.20.1 releases, namely
> > the issue associated with ticket FLINK-36510: "Upgrade Pekko from 1.0.1 to
> > 1.1.2" [1]. Here is the context:
> > 
> > - The flink-rpc module is currently based on Pekko 1.0.1, which bundles
> > Netty version 3.10.6. Netty 3.10.6 is the last 3.x release and officially
> > reached EOL more than eight years ago. It contains at least 20 known
> > critical vulnerabilities [2].
> > - FLINK-36510 [1] upgrades flink-rpc to Pekko 1.1.2, which introduces a
> > long-awaited migration to Netty 4.x.
> > - Memory allocation in Netty 4.x differs from Netty 3.x and has a larger
> > memory footprint with default settings [3].
> > - Norman Maurer, Netty's project lead, strongly recommends moving away
> > from Netty 3 as soon as possible [4].
> > - According to Norman, setting -Dio.netty.allocator.type=unpooled should
> > approximate Netty 3's memory behavior at the expense of performance
> > improvements that Netty 4 would otherwise provide. That said, Netty 4 with
> > -Dio.netty.allocator.type=unpooled is not expected to perform worse than
> > Netty 3.
> > - Although this change might seem too substantial for a patch release, I
> > propose proceeding with it due to the accumulated risks of staying on Netty
> > 3.10.6. This will need to be addressed in 1.20 as a patch release anyway,
> > given that 1.20 is designated as LTS, and we can expect Netty 3 to accrue
> > even more CVEs over time.
> > 
> > Here you can find more details of the ongoing discussion [5].
> > 
> > Looking forward to hearing the community's thoughts on whether we should
> > proceed with the proposed changes.
> > 
> > [1] https://issues.apache.org/jira/browse/FLINK-36510
> > [2] https://mvnrepository.com/artifact/io.netty/netty/3.10.6.Final
> > [3]
> > https://issues.apache.org/jira/browse/FLINK-36510?focusedCommentId=17911219&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17911219
> > [4] https://github.com/apache/flink/pull/25866#issuecomment-2595168560
> > [5] https://github.com/apache/flink/pull/25866
> > 
> > Best,
> > Alex

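The allocator switch discussed above (-Dio.netty.allocator.type=unpooled) is easy to get wrong silently, since a typo in the property name leaves Netty 4 on its pooled default. The following is an added example, not code from the Flink or Netty projects, that checks which allocator a Netty 4 JVM actually picked up and how much direct memory that allocator still reports as in use after a burst of buffers has been released. The class name, the 64 x 8 KiB burst size and the classpath in the run commands are this example's own assumptions; it needs netty-buffer 4.1.x on the classpath.

```java
// Added example (not Flink or Netty project code). Run it twice and compare:
//   java -cp netty-all-4.1.x.jar:. NettyAllocatorCheck
//   java -Dio.netty.allocator.type=unpooled -cp netty-all-4.1.x.jar:. NettyAllocatorCheck
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.ByteBufAllocatorMetricProvider;

public class NettyAllocatorCheck {

    /**
     * Allocates `count` direct buffers of `size` bytes, touches them, releases them all,
     * and returns the direct memory the allocator still reports as in use afterwards
     * (-1 if the allocator exposes no metric).
     */
    static long retainedDirectAfterBurst(ByteBufAllocator alloc, int count, int size) {
        ByteBuf[] bufs = new ByteBuf[count];
        for (int i = 0; i < count; i++) {
            bufs[i] = alloc.directBuffer(size);
            bufs[i].writeZero(size);          // force the pages to actually be touched
        }
        for (ByteBuf buf : bufs) {
            buf.release();                    // refcount -> 0: back to the pool, or freed outright
        }
        if (alloc instanceof ByteBufAllocatorMetricProvider) {
            return ((ByteBufAllocatorMetricProvider) alloc).metric().usedDirectMemory();
        }
        return -1;
    }

    public static void main(String[] args) {
        // ByteBufAllocator.DEFAULT is selected from -Dio.netty.allocator.type when the
        // class loads: "pooled" (the Netty 4 default) or "unpooled". Anything else, including
        // a misspelled property name, falls back to pooled.
        String type = System.getProperty("io.netty.allocator.type", "<unset: Netty 4 default, pooled>");
        ByteBufAllocator alloc = ByteBufAllocator.DEFAULT;
        System.out.println("io.netty.allocator.type = " + type);
        System.out.println("ByteBufAllocator.DEFAULT = " + alloc.getClass().getName());

        // 64 x 8 KiB fits inside a single pool chunk, so after release the pooled allocator
        // keeps the whole chunk (several MiB; the exact size depends on the Netty version)
        // resident, while the unpooled allocator hands the memory straight back and reports
        // close to zero. That difference is the footprint gap referred to in [3].
        long retained = retainedDirectAfterBurst(alloc, 64, 8 * 1024);
        System.out.println("direct memory still held by allocator after release: " + retained + " bytes");
    }
}
```

Whichever way the property is passed to a Flink JobManager or TaskManager JVM, the printed allocator class is the check that it took effect; the retained-bytes figure is only a rough indicator and should not be read as a benchmark of either allocator.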