+1 to Netty 4

On 2025/01/16 15:12:40 Alexander Fedulov wrote:
> Hi all,
> 
> We have one remaining blocker for the 1.19.2 and 1.20.1 releases, namely
> the issue associated with ticket FLINK-36510: *"Upgrade Pekko from 1.0.1 to
> 1.1.2"* [1]. Here is the context:
> 
>    - The flink-rpc module is currently based on Pekko 1.0.1, which bundles
>    Netty version 3.10.6. Netty 3.10.6 is the last 3.x release and officially
>    reached EOL more than eight years ago. It contains at least 20 known
>    critical vulnerabilities [2].
>    - FLINK-36510 [1] upgrades flink-rpc to Pekko 1.1.2, which introduces a
>    long-awaited migration to Netty 4.x.
>    - Memory allocation in Netty 4.x differs from Netty 3.x and has a larger
>    memory footprint with default settings [3].
>    - Norman Maurer, Netty's project lead, strongly recommends moving away
>    from Netty 3 as soon as possible [4].
>    - According to Norman, setting -Dio.netty.allocator.type=unpooled should
>    approximate Netty 3's memory behavior at the expense of performance
>    improvements that Netty 4 would otherwise provide. That said, Netty 4 with
>    -Dio.netty.allocator.type=unpooled is not expected to perform worse than
>    Netty 3.
>    - Although this change might seem too substantial for a patch release, I
>    propose proceeding with it due to the accumulated risks of staying on Netty
>    3.10.6. This will need to be addressed in 1.20 as a patch release anyway,
>    given that 1.20 is designated as LTS, and we can expect Netty 3 to accrue
>    even more CVEs over time.
> 
> Here you can find more details of the ongoing discussion [5].
> 
> Looking forward to hearing the community's thoughts on whether we should
> proceed with the proposed changes.
> 
> [1] https://issues.apache.org/jira/browse/FLINK-36510
> [2] https://mvnrepository.com/artifact/io.netty/netty/3.10.6.Final
> [3] https://issues.apache.org/jira/browse/FLINK-36510?focusedCommentId=17911219&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17911219
> [4] https://github.com/apache/flink/pull/25866#issuecomment-2595168560
> [5] https://github.com/apache/flink/pull/25866
> 
> Best,
> Alex
> 
