Fix the etcd api dependency in pkg. And Update Cobra Version to 1.4.0 #13802
Conversation
Codecov Report

@@            Coverage Diff             @@
##             main   #13802      +/-   ##
==========================================
+ Coverage   72.49%   72.56%   +0.06%
==========================================
  Files         467      467
  Lines       38280    38332      +52
==========================================
+ Hits        27752    27814      +62
+ Misses       8739     8725      -14
- Partials     1789     1793       +4
c3e4b96 to 662d7c4
LGTM
Thank you!
The only concern is that spf13/cobra 1.4.0 was just released 5 days ago. Usually it isn't a best practice to upgrade to a new version too soon.
I share @ahrtr's concern about using a fresh cobra release; this definitely could not be cherry-picked to v3.5. Is there any reason we cannot just fix the api dependency without upgrading cobra further, thus allowing a safe cherry-pick?
We have discussed this in pull/13797#discussion_r826516645 and pull/13797#discussion_r826596581. In short, I had a quick review of the changes between
Hi @serathius. The main change in cobra 1.4.0 is a thinned dependency tree: https://github.com/spf13/cobra/releases/tag/v1.4.0. But it was only released 7 days ago. If we have concerns, we can use 1.3.0 (released 3 months ago) instead, so that it's good to cherry-pick to the ETCD 3.5.x :-) What do you think of the change?
I think it doesn't make sense to force using the same cobra version for both the main and release-3.5 branches. We definitely don't want to have dependencies between etcd packages, so upgrading cobra to 1.4.0 on main is ok.
However, for the release-3.5 branch we want to make the minimal changes required to fix the CVE, while not introducing the dependency. Here 1.3.0 is definitely better than 1.4.0.
I think we can merge this PR as it is.
cc @ptabor
Thank you very much for your advice.
When I try to fix the release 3.5.0 branch by updating cobra to 1.3.0, there are still some dependency cycle errors.
So the release 3.5.0 branch cannot upgrade to cobra 1.3.0.
Hi, @ptabor.
e8949ae to eff7fd4
Hi @serathius, the conflict has been resolved.
pkg/go.mod (outdated)
replace (
	go.etcd.io/etcd => ./FORBIDDEN_DEPENDENCY
	go.etcd.io/etcd/api/v3 => ./FORBIDDEN_DEPENDENCY
	go.etcd.io/etcd/client/pkg/v3 => ../client/pkg
Can you move the go.etcd.io/etcd/client/pkg/v3 => ../client/pkg into a separate replace block above, and keep the comment "Bad imports are sometimes cause attempts to ..." for this replace block?
Good Idea.
eff7fd4 to 2b7f5c2
Looks good to me.
2b7f5c2 to d2c0b95
Please fix conflicts.
87df81c to 06e4565
06e4565 to f7fe6a3
Hi @serathius, the conflict has been fixed. :-)
Please squash the commits. It doesn't make sense to merge multiple intermediate dev commits into the main branch.
Please squash the commits
e8dbb3a to d148bae
d148bae to f5b2a9b
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
f5b2a9b to afecd31
Hi @spzala, would you please review the PR?
Ok, let's merge it to fix dependencies.
Thank you @serathius @ahrtr very much.
To solve CVE-2020-26160, cobra was upgraded to 1.2.1 before,
and the api was added to the pkg dependencies.
But it's not necessary. ahrtr advised:
"etcd already contains lots of packages and dependency relationships in between; we shouldn't introduce unnecessary dependencies without good reason.
So I suggest bumping spf13/cobra to 1.3.0 or 1.4.0, and rolling back the change on go.etcd.io/etcd/api/v3 => ./FORBIDDEN_DEPENDENCY. I would suggest making the change on the main branch first, and cherry-picking to 3.5 afterwards."
So the go.mod in pkg needs to be rolled back; upgrading cobra to 1.3.0 or 1.4.0 can solve the CVE too.
Refer to:
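As an added example (not part of this PR or of etcd's own tooling), the shell function below checks the rule that the FORBIDDEN_DEPENDENCY replace directives in pkg/go.mod enforce at build time: that go.etcd.io/etcd/pkg/v3 must not depend, directly or transitively, on go.etcd.io/etcd or go.etcd.io/etcd/api/v3. It walks `go mod graph` output (one "module dependency@version" edge per line); the graph used here is a constructed sample, not real etcd data, and the module versions in it are made up.

```shell
#!/bin/sh
# Constructed sample of `go mod graph` output for the pkg module (not real etcd data).
# Each line is "<module>[@version] <dependency>@<version>"; the main module has no version.
SAMPLE_GRAPH='go.etcd.io/etcd/pkg/v3 github.com/spf13/cobra@v1.4.0
go.etcd.io/etcd/pkg/v3 go.etcd.io/etcd/client/pkg/v3@v3.5.0
go.etcd.io/etcd/pkg/v3 go.etcd.io/etcd/client/v3@v3.5.0
go.etcd.io/etcd/client/v3@v3.5.0 go.etcd.io/etcd/api/v3@v3.5.0
github.com/spf13/cobra@v1.4.0 github.com/spf13/pflag@v1.0.5'

# forbidden_deps GRAPH ROOT FORBIDDEN_MODULE...
# Breadth-first walk of the module graph from ROOT (versions are stripped before
# comparing module paths). Prints "FORBIDDEN <path>" for every forbidden module that
# is reachable and returns 1 if any was found, 0 otherwise.
forbidden_deps() {
  graph=$1; root=$2; shift 2
  printf '%s\n' "$graph" | awk -v root="$root" -v forbidden="$*" '
    function mod(s) { sub(/@.*/, "", s); return s }
    NF == 2 { edges[mod($1)] = edges[mod($1)] " " mod($2) }
    END {
      n = split(forbidden, f, " ")
      for (i = 1; i <= n; i++) bad[f[i]] = 1
      queue[1] = root; path[root] = root; head = 1; tail = 1
      while (head <= tail) {
        cur = queue[head++]
        m = split(edges[cur], deps, " ")
        for (j = 1; j <= m; j++) {
          d = deps[j]
          if (d in path) continue            # already visited
          path[d] = path[cur] " -> " d       # remember how we reached d
          if (d in bad) { print "FORBIDDEN " path[d]; found = 1 }
          queue[++tail] = d
        }
      }
      exit (found ? 1 : 0)
    }'
}

# Usage: with a real module, replace SAMPLE_GRAPH by "$(cd pkg && go mod graph)".
if forbidden_deps "$SAMPLE_GRAPH" go.etcd.io/etcd/pkg/v3 go.etcd.io/etcd go.etcd.io/etcd/api/v3; then
  echo "pkg/v3 is free of forbidden etcd dependencies"
else
  echo "pkg/v3 pulls in a forbidden etcd module (see path above)"
fi
```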