Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2022/12/27 06:24:53 UTC

[GitHub] [solr] dsmiley opened a new pull request, #1252: SOLR-16598: Upgrade Protobuf to 3.21.12

dsmiley opened a new pull request, #1252:
URL: https://github.com/apache/solr/pull/1252

   from 3.21.8
   Fixes some CVEs.
   
   https://issues.apache.org/jira/browse/SOLR-16598
   
   This is the latest patch version, thus compatible.  I spot-checked some [version notes](https://groups.google.com/g/protobuf/c/ONHxwxTfDxE) from the project for compatibility.
   
   Note this fixes a possible issue of mixed versions.  We depended on protobuf-java-3.21.8 and protobuf-java-util-3.21.4.  I believe this was introduced by the Caffeine upgrade.
   
   I didn't add a CHANGES.txt because I intend to add it to branch_9_1.  I believe post-release, the CHANGES.txt is synchronized out from this.  Anyway, it'll be in "Other Changes" and look just like the issue title here, plus my name.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org


[GitHub] [solr] risdenk commented on pull request #1252: SOLR-16598: Upgrade Protobuf to 3.21.12

Posted by GitBox <gi...@apache.org>.
risdenk commented on PR #1252:
URL: https://github.com/apache/solr/pull/1252#issuecomment-1369240914

   So I'm not a fan of putting non Solr direct dependencies in versions.props - basically they will never get removed. We should be upgrading the libraries that use this transitive dependency - which will have the same outcome of using the upgraded protobuf.
   
   PS `com.google.protobuf:protobuf-java*=3.21.12` would probably be better than what was added - this ensures that ALL `protobuf-java` dependencies use the same version instead of just the `protobuf-java-util` dependency.
   
   Was out for the holidays so catching up on stuff.



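An added example (not part of the thread or of Solr's build) that checks a resolved dependency list for the mixed-version situation described in the pull request, and checks whether a `versions.props` rule directly covers every artifact of a family. The lock-file lines are constructed, the function names are hypothetical, and glob matching is approximated with Python's `fnmatch`.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample in versions.lock style; not Solr's real lock file.
SAMPLE_LOCK = """\
# Run ./gradlew --write-locks to regenerate this file
com.github.ben-manes.caffeine:caffeine:3.1.1 (2 constraints: 0a1b2c3d)
com.google.guava:guava:31.1-jre (4 constraints: 3d4e5f60)
com.google.protobuf:protobuf-java:3.21.8 (3 constraints: 1b2c3d4e)
com.google.protobuf:protobuf-java-util:3.21.4 (1 constraints: 2c3d4e5f)
"""

# group:artifact:version at the start of a line; comment lines do not match.
LOCK_LINE = re.compile(r"^([^\s:#]+):([^\s:]+):(\S+)")

def parse_lock(text):
    """Return {(group, artifact): version} from versions.lock-style lines."""
    deps = {}
    for line in text.splitlines():
        m = LOCK_LINE.match(line.strip())
        if m:
            deps[(m.group(1), m.group(2))] = m.group(3)
    return deps

def mixed_versions(deps, family):
    """Group coordinates matching a 'group:artifact-glob' family by version.
    Returns {} when the family resolves to a single version."""
    by_version = defaultdict(list)
    for (group, artifact), version in deps.items():
        coord = f"{group}:{artifact}"
        if fnmatchcase(coord, family):
            by_version[version].append(coord)
    return dict(by_version) if len(by_version) > 1 else {}

def unpinned(deps, family, props_text):
    """Family members that no versions.props rule matches directly.
    Such artifacts only follow the pin through transitive constraints."""
    rules = [line.split("=", 1)[0].strip() for line in props_text.splitlines()
             if "=" in line and not line.lstrip().startswith("#")]
    coords = (f"{g}:{a}" for g, a in deps)
    return sorted(c for c in coords if fnmatchcase(c, family)
                  and not any(fnmatchcase(c, r) for r in rules))

if __name__ == "__main__":
    deps = parse_lock(SAMPLE_LOCK)
    family = "com.google.protobuf:protobuf-java*"
    print("mixed:", mixed_versions(deps, family))
    print("narrow rule leaves unpinned:",
          unpinned(deps, family, "com.google.protobuf:protobuf-java-util=3.21.12"))
```
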

[GitHub] [solr] dsmiley merged pull request #1252: SOLR-16598: Upgrade Protobuf to 3.21.12

Posted by GitBox <gi...@apache.org>.
dsmiley merged PR #1252:
URL: https://github.com/apache/solr/pull/1252




[GitHub] [solr] dsmiley commented on pull request #1252: SOLR-16598: Upgrade Protobuf to 3.21.12

Posted by GitBox <gi...@apache.org>.
dsmiley commented on PR #1252:
URL: https://github.com/apache/solr/pull/1252#issuecomment-1369247648

   > So I'm not a fan of putting non Solr direct dependencies in versions.props - basically they will never get removed. We should be upgrading the libraries that use this transitive dependency - which will have the same outcome of using the upgraded protobuf.
   
   Sure; I'm being pragmatic (trying to get something done *now*).  We can remove this eventually.
   
   > com.google.protobuf:protobuf-java*=3.21.12
   
   Cool!  BTW protobuf-java-util *and* the non-util do get upgraded to 3.21.12 because -util depends on the non-util of the same version :-). Anyway, what you suggested is superior.

