Accelerate release of 0.55 to no longer depend on versions of numpy with buffer overflow #7731
Comments
@trimeta thank you for asking about this. We are currently in the release candidate phase and hope to stabilize the 0.55 release as soon as feasible. As discussed during the developer meeting last Tuesday (https://github.com/numba/numba/wiki/Minutes_2022_01_11): the plan is to release 0.55.0 RC2 next week, Thursday 20th January 2022. However, this obviously depends on first solving all issues in: https://github.com/numba/numba/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Numba+0.55+RC2%22 After the RC2 it depends. If everything goes well, we can release a week or two later. If there are more release critical bugs however, those will have to be fixed first. It is somewhat unfortunate that this Numpy issue confronts us right in the middle of a release phase. 0.55.0 will add some significant new features and support for previously unsupported versions of our upstream dependencies. So, we will want to ensure that the release candidates are well tested and I am very hesitant to "rush" anything out of the door. If you would like to help accelerate the release please consider looking at the issues in the milestone above and see if you can contribute anything --- and/or help test the release candidate on your own hardware and projects as outlined here: https://numba.discourse.group/t/numba-0-55-0-rc1/1075 Thank you in advance for your understanding and patience!
The team talked this over, and we're going to truncate the release candidate cycle for 0.55.0 and get it released ASAP with the handful of known issues. There will be a 0.55.1 release shortly thereafter that addresses the remaining items in the 0.55 backlog.
(Also, thanks for raising this issue with us, as I don't think we initially appreciated the downstream impact of the NumPy CVE.)
Numba 0.55.0 (and corresponding llvmlite 0.38.0) has been released on PyPI. Conda packages are available in the
From versions 1.9.0 through 1.20, numpy had a buffer overflow: numpy/numpy#18939. This was fixed in numpy 1.21. numba supports numpy 1.21, per #7483, however this support is only in version 0.55RC: it is not in 0.54.1, the latest released version at time of submitting this issue. As of six days ago, GitHub has begun to open security alerts on all repos which depend on versions of numpy less than 1.21. However, if those repos also depend on (or expect at least some of their users to use) numba, they cannot fix this by upgrading their minimum numpy version to 1.21. The solution would be to release numba 0.55 quickly, since that will automatically solve this problem.