Set grpcio minimum version to 1.59.3 so that Alpine py3-grpcio can be used

lhotari commented 2 months ago

Motivation

When using the Alpine base image in Pulsar, there's a need to compile grpcio from source when 1.60.0 version is required. It's better to allow grpcio version 1.59.3 so that Alpine's py3-grpcio can be used to fulfill the requirement. Please see https://github.com/apache/pulsar/pull/22613 for more context.

Modifications

downgrade grpcio dependency to 1.59.3

Additional context

there's no specific minimum version constraint originating from pulsar-client-python
- grpcio is required by apache-bookkeeper-client. the dependencies are defined in https://github.com/apache/bookkeeper/blob/master/stream/clients/python/setup.py the version in this file is >= 1.8.2
- the grpcio minimum version was set to 1.60.0 in this commit: https://github.com/apache/pulsar-client-python/commit/162afd53bda321992223cb209a509ee1c46f870a . The referenced CVE requires 1.53.0 , so there doesn't seem to be any reason why we couldn't downgrade to 1.59.3 .

nodece commented 2 months ago

I suggest using the 1.53.0 as minimum version, just for consider the multiple os.

lhotari commented 2 months ago

I suggest using the 1.53.0 as minimum version, just for consider the multiple os.

There might be other CVEs. Which OS do you have in mind?

nodece commented 2 months ago

There might be other CVEs.

Good catch, see https://github.com/advisories/GHSA-p25m-jpj4-qcrr

Must be equal to or greater than 1.55.3.

Which OS do you have in mind?

Now it seems that only alpine-3.18.

For other OS, the users can use the pip to install the grpcio.

nodece commented 2 months ago

Any updates?

nodece commented 2 months ago

Do you have a release plan? If not, the pulsar 3.3.0 arm image will take about 2 hours to build the grpcio wheel, please see https://github.com/nodece/pulsar-python-deps-build/actions/runs/8891459473/job/24418839959#step:6:315 for details.

apache / pulsar-client-python