Ensure a more recent version of tokio is used #702
Conversation
This is required to address RUSTSEC-2021-0124: https://rustsec.org/advisories/RUSTSEC-2021-0124.html Signed-off-by: Flavio Castelli <fcastelli@suse.com>
|
Once the following merge I will publish a new crate version for Krator: |
|
@flavio |
|
I believe that the advisories are a known issue, but the windows tests are probably caused by the same |
This is required to ensure a more recent version of tokio is used.
I've just tried to build with the latest changes I submitted on a windows box. Everything builds fine. However, the really old tokio 0.2 crate is used on windows because kubelet/src/grpc_sock/windows/mod.rs makes heavy use of it. It looks like this piece of code should need some refactoring... |
The Windows failure looks like it is related to the Windows runner and not our e2e tests. Maybe a flake? I will rerun it. Regarding Tokio 0.2, yes we had to use the compatibility layer when Tokio 0.3 came out, my understanding is that there were some API changes that would not be easy to work around with that module specifically. Will that prevent us from addressing this CVE? @thomastaylor312 would know more. |
|
@bacongobbler @thomastaylor312 The rerun of Windows e2e failed. It looks like Docker never becomes ready. I'm not familiar with how this runner is configured or who hosts it. |
|
Yeah, the custom windows runner is currently experiencing issues. @bacongobbler and I are working on fixing it @flavio The tokio 0.2 stuff is there because there is no easy way to add async unix sockets on Windows. Someone had written something for 0.2, which is what we adopted into the project. Because tokio completely removed |
|
What if we just dropped Windows support? |
|
Like, entirely? I mean, I'd love to, but that kinda defeats the purpose of having this do Wasm on any platform |
I agree. That being said, our early experiments with Krustlet have already proven that. We proved that an app compiled to WebAssembly can run on any platform and we have demonstrations/recordings on YouTube to support that statement. It's not like dropping Windows support due to outdated library support or CI build failures disproves that point... It just demonstrates that Windows devs need to put some skin in the (Rust) game :P From my point of view, I'm more concerned about letting others build their own providers on top of core, and I'd hate to see new community members writing providers on top of a core with major security flaws. I'd rather us move to resolve the CVEs in core first, then come back and re-introduce Windows support if there's enough demand for it again. Thoughts? |
|
Let's open up a separate issue so as to not clog up this PR further and then discuss at the community meeting |
|
Dropping the windows support would definitely make this security fix easier, and also prevent over flaky tests I've seen on other PRs. I cannot attend the community meetings due to timezone issues. Please me posted here or just write on the slack channel the final outcome of the discussion. In the meantime, I'm changing the status of this PR from "draft" to "reviewable". |
flavio
requested review from
bacongobbler,
kflansburg,
technosophos and
thomastaylor312
as code owners
This is required to address RUSTSEC-2021-0124.
This is currently WIP:
Address issue #701