As discussed in [1], the gRPC community recommended Netty 4.1.110.Final [2] for gRPC 1.67.x and above, since gRPC has a corruption bug for the newer Netty versions [3, 4]. However, Netty 4.1.110.Final had known CVEs [5]. In other words, there does not exist a gRPC-Netty combination which is both CVE free and corruption bug free.
So, how about we have two Thirdparty releases at the same time?

- Ratis Thirdparty 1.0.9a: gRPC 1.71.0 and Netty 4.1.110 (No corruption bug, Known CVEs)
- Ratis Thirdparty 1.0.9b: gRPC 1.71.0 and Netty 4.1.119 (Known corruption bug, No CVEs)

Then, the projects using Ratis can use maven dependency inclusion-exclusion to choose the gRPC-Netty combination.

BTW, the versions in 1.0.8 are shown below.

- Ratis Thirdparty 1.0.8: gRPC 1.69.0 and Netty 4.1.115.Final (Known corruption bug, No CVEs)

Tsz-Wo

[1] https://issues.apache.org/jira/browse/RATIS-2265
[2] https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty
[3] https://github.com/grpc/grpc-java/pull/11912
[4] https://github.com/grpc/grpc-java/issues/11284
[5] https://mvnrepository.com/artifact/io.netty/netty-all/4.1.110.Final

On Sun, Apr 6, 2025 at 4:08 PM Tsz-Wo Nicholas Sze <[email protected]> wrote:
> Attila, thanks a lot for working on the release!
>
> - ✅ Verified all checksums and signatures.
> - ⚠️ Checked LICENSE and NOTICE.
>   Found that the year in NOTICE is 2024.
> - ✅ Compared the files in the src tarball with the files in git.
> - ✅ Built from source successfully.
> - ✅ Passed all unit tests.
>
> We need to update the year; filed RATIS-2278.
>
> Tsz-Wo
>
>
> On Sun, Apr 6, 2025 at 7:12 AM Attila Doroszlai <[email protected]> wrote:
>
>> > https://github.com/apache/ratis-thirdparty/tree/1.0.9-rc0
>> > https://dist.apache.org/repos/dist/dev/ratis/thirdparty/1.0.9/rc0/
>> > https://repository.apache.org/content/repositories/orgapacheratis-1165/
>>
>> Starting with my +1.
>>
>> * Verified checksum, signature, git hash
>> * Compared tarball to repo at the given tag
>> * Built from source, ran unit test
>> * Verified build result against staged Maven repo
>>
>> -Attila
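The "maven dependency inclusion-exclusion" selection mentioned in the message above, written out as an added example for a downstream project's pom.xml (this is illustrative, not code from the Ratis project or from the thread). It assumes the real coordinates org.apache.ratis:ratis-server and org.apache.ratis:ratis-thirdparty-misc, and uses the version strings 1.0.9a / 1.0.9b exactly as proposed in the message; whether those builds exist depends on the outcome of this discussion. The approach is to exclude the thirdparty artifact that Ratis pulls in transitively and declare the chosen build explicitly, so the consumer (not Ratis) decides which gRPC-Netty combination, and therefore which known issue, ships.

```xml
<!-- Added example, not from the Ratis project: pick one Ratis Thirdparty build
     from a downstream pom.xml. Coordinates and version strings are assumptions
     taken from the proposal above (1.0.9a = Netty 4.1.110, known CVEs;
     1.0.9b = Netty 4.1.119, known gRPC corruption bug). -->
<properties>
  <!-- placeholder: the Ratis release that is built against thirdparty 1.0.9 -->
  <ratis.version>RATIS_VERSION_HERE</ratis.version>
  <!-- switch between 1.0.9a and 1.0.9b here -->
  <ratis.thirdparty.version>1.0.9b</ratis.thirdparty.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.ratis</groupId>
    <artifactId>ratis-server</artifactId>
    <version>${ratis.version}</version>
    <exclusions>
      <!-- drop whichever thirdparty build Ratis declares transitively -->
      <exclusion>
        <groupId>org.apache.ratis</groupId>
        <artifactId>ratis-thirdparty-misc</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- declare the chosen build directly so Maven resolves exactly this one -->
  <dependency>
    <groupId>org.apache.ratis</groupId>
    <artifactId>ratis-thirdparty-misc</artifactId>
    <version>${ratis.thirdparty.version}</version>
  </dependency>
</dependencies>
```

After changing the property, confirm which build actually resolved with `mvn dependency:tree -Dincludes=org.apache.ratis:ratis-thirdparty-misc`; because the thirdparty artifact shades Netty and gRPC, the selected thirdparty version is the only place the Netty line shows up, so that one line in the tree is the check that the intended combination is on the classpath.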
