Thanks for the summary Alex! +1 to keep Netty4.
Best, Ferenc On Thursday, January 16th, 2025 at 17:02, Tom Cooper <c...@tomcooper.dev> wrote: > > > + 1 on keeping the upgraded Pekko for 1.20.1. > > From what I could see, the only issues occurred in a end-to-end test that set > the available memory to 7MB. > As that is unlikely to be a situation seen in the wild, I think the CVE fixes > alone are worth it. > > Thanks, > > Tom Cooper > @tomncooper | tomcooper.dev > > > On Thursday, 16 January 2025 at 15:12, Alexander Fedulov > alexander.fedu...@gmail.com wrote: > > > Hi all, > > > > We have one remaining blocker for the 1.19.2 and 1.20.1 releases, namely > > the issue associated with ticket FLINK-36510: "Upgrade Pekko from 1.0.1 to > > 1.1.2" [1]. Here is the context: > > > > - The flink-rpc module is currently based on Pekko 1.0.1, which bundles > > Netty version 3.10.6. Netty 3.10.6 is the last 3.x release and officially > > reached EOL more than eight years ago. It contains at least 20 known > > critical vulnerabilities [2]. > > - FLINK-36510 [1] upgrades flink-rpc to Pekko 1.1.2, which introduces a > > long-awaited migration to Netty 4.x. > > - Memory allocation in Netty 4.x differs from Netty 3.x and has a larger > > memory footprint with default settings [3]. > > - Norman Mauerer, Netty's project lead, strongly recommends moving away > > from Netty 3 as soon as possible [4]. > > - According to Norman, setting -Dio.netty.allocator.type=unpooled should > > approximate Netty 3's memory behavior at the expense of performance > > improvements that Netty 4 would otherwise provide. That said, Netty 4 with > > -Dio.netty.allocator.type=unpooled is not expected to perform worse than > > Netty 3. > > - Although this change might seem too substantial for a patch release, I > > propose proceeding with it due to the accumulated risks of staying on Netty > > 3.10.6. This will need to be addressed in a 1.20 as a patch release anyway, > > given that 1.20 is designated as LTS, and we can expect Netty 3 to accrue > > even more CVEs over time. > > > > Here you can find more details of the ongoing discussion [5]. > > > > Looking forward to hearing the community's thoughts on whether we should > > proceed with the proposed changes. > > > > [1] https://issues.apache.org/jira/browse/FLINK-36510 > > [2] https://mvnrepository.com/artifact/io.netty/netty/3.10.6.Final > > [3] > > https://issues.apache.org/jira/browse/FLINK-36510?focusedCommentId=17911219&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17911219 > > [4] https://github.com/apache/flink/pull/25866#issuecomment-2595168560 > > [5] https://github.com/apache/flink/pull/25866 > > > > Best, > > Alex