brendan-ward
commented
2 months ago Looks like we need to wait for at least GDAL 3.8.5 to land in vcpkg to update wheels because 3.8.4 coincides with the compromised version of liblzma and as far as I can tell the GDAL vcpkg port does not use a version constraint against liblzma that would force pulling in an older version. Also as far as I can tell, we shouldn't be pulling in liblzma at all because it is in the default-features for the GDAL port not the recommended-features set that we use.
According to the logs, it is indeed pulling in liblzma, so we definitely need to avoid pulling in the compromised versions.
(wheels are building again against the older liblzma version)
jorisvandenbossche
Also see GDAL's messsage about it: https://lists.osgeo.org/pipermail/gdal-dev/2024-March/058792.html
liblzmais included in our binary wheels through the vcpkg build of GDAL (although it should typically not be used through pyogrio usage, given GDAL only uses it for raster drivers AFAIK)>But to be very explicit here: our wheels don't included the comprised versions. Our last GDAL / vcpkg update was https://github.com/geopandas/pyogrio/commit/e6e6e4274360b518520b9e1ecdb848a4614f58b3, and so that is from before the affected versions were released (the wheels currently being built main contain liblzma 5.4.4)
One consequence though is that our wheels building is failing right now, because github has taken down the repos, and so the vcpkg build script that tries to fetch those sources fails (https://github.com/microsoft/vcpkg/issues/37839)