-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve the Component Governance issue in the dotnet-helix-machines repository #13186
Comments
!30725 is merged! |
The changes to pyopenssl and cryptography are being reverted in https://dnceng.visualstudio.com/internal/_git/dotnet-helix-machines/pullrequest/30805. When we attempt this again, we need to make sure to test the changes in the following OSes by using the FORCE_QUEUE feature:
which are the older versions, and therefore the most sensitive to package updates. |
I have extended the CG alert related to these changes while we figure how to get these older OSes compliant: https://dev.azure.com/dnceng/internal/_componentGovernance/dotnet-helix-machines/alert/7672729?typeId=15087584 |
I'm tempted to try just bumping More generally, anyone know whether Python is something we can upgrade on older SLES and RHEL OSes❔ |
Not without a lot of pain. SLES 12 especially has always been very sensitive to any python changes. |
I can double-check but I believe SLES 12 is the reason for the current minimum version. Upgrading was never deemed a reasonable option. |
The current image we have for SLES12 contains The version that CG finds acceptable for I tried checking out how hard would upgrading the Python version be, so I created a VM out of the produced image in Azure. On that VM, I cannot even install Python's dependencies to compile it due to: :~> sudo zypper update -y
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Unexpected exception.
Receive: script died unexpectedly
History:
- [11-Resource temporarily unavailable]
Please file a bug report about this.
See http://en.opensuse.org/Zypper/Troubleshooting for instructions. Tried several ways of fixing the issue, no luck so far. I might be missing something or maybe there is a different way to verify if upgrading the version is a complete no-go. Moreover, I see
Is there a reason for why its upgrade is also required @andriipatsula? (since you were the author of the issue) Additionally, maybe @garath or @riarenas have context into why upgrading Python on SLES 12 was never a reasonable option |
IIRC there is no official, tested build of Python after 3.4 available for SLES12. |
Thanks for the info I tried today on to upgrade SLES 12 to Python 3.6 and it was quite headachy - the distro does not have the Python version we need, so it would need to be compiled from source. That alone had some issues with missing DLLs / C header files. I also don't know if having two Python installation (with the 3.6 one having a different executable name) is something we can even support. All in all, it seems like a no-go due to problematic execution / potential high maintenance. With this in mind - would it make more sense to review the support for SLES 12 in the first place? If we still have to support it, how problematic would it be to silence this specific CG alert all together? Additionally, our RedHat 7 image has Python 3.6.12, so |
The image factory logs are long gone, but redhat 7 was failing to pip install with the upgrade. I don't remember if it was due to cartography or pyopenssl. Submitting a test pr that forces the queue along with the update would give you fresh logs. |
It's certainly worth a discussion, but given that SLES12 is officially supported by .NET 6 and 7, we will likely need to have some ability to use this OS until 2024. Unfortunately, this is also mostly a "dnceng" problem because it's only the Helix client that requires python. If we had, say, a .NET version, we could use that as long as .NET remains supported.
This is possible with a security review. Let's discuss the details internally. |
Suggest we focus on the |
See test build !30980 |
Found problem when
Will try just going to v39.0.1. This may be the reason we originally bumped |
Side question @oleksandr-didyk:
Where did you confirm |
FYI, de-assigned myself from the issue since I'm no longer on FR in Prague |
@oleksandr-didyk - you were working on this the past week, what is the summary of your findings? What are your recommendations to follow up with? |
@tkapin it is outlined in this comment -> #13186 (comment) TLDR: having SLES 12 use Python 3.6.X is too expensive from implementation / maintenance perspective, we should look into other approaches (such as the requesting permission to silence this specific alert mentioned above). One thing that I forgot to mention is that I created a post in our internal communications channels based on the suggestion from Michael, which resulted in creation of the issue that Doug has linked (#7377) |
What version of SLES do we have? There is the SP5 released per https://www.suse.com/lifecycle/#suse-linux-enterprise-server-12, do we have the latest SP? |
We have SP5, which is the latest (source) |
To some up my findings - as stated in the two CG reports for The recommended version of The newest version we can possibly install on SLES 12 is I haven't tried building the |
What are the available options to solve this problem then @oleksandr-didyk ? |
Initially we could:
As such from my perspective it looks like seeking an exception for the alert is the way to go. |
update: on RHEL 7. v37.0.4 is the last binary distribution of a few things may help:
I stopped trying to use the newer Python source packages for
I'm not sure how to confirm these packages work end to end w/o rebuilding on the Helix Machines CI but that's probably fine. |
wow, my new VM didn't need anything other than a my new suspicion is that holding back the |
After much experimentations and unblocking many problems (e.g., w/ |
Fix rolled out on 12 July 2023. |
The issue is blocking: #13166 and any PR to the dotnet-helix-machines repository.
Component Governance Component Detection: https://dev.azure.com/dnceng/internal/_build/results?buildId=2160248&view=logs&j=3dc8fd7e-4368-5a92-293e-d53cefc8c4b3&t=833edf1b-3669-5dbb-11e6-ee7d22230825&l=1967
Release Note Category
Release Note Description
Increased the installed Python
cryptography
andpyopenssl
versions on most build and test agents to41.0.1
and23.2.0
, respectively. Due to restrictions in our infrastructure, this change will be reflected on https://helix.dot.net as>=39.0.1
and>=23.0.0
rather than the exact versions installed.The
cryptography
andpyopensll
versions on all SLES 12 and Ubuntu 16.04 are significantly older due to platform issues we have not yet resolved. See dotnet/dnceng#293 and dotnet/dnceng#294 for details.The text was updated successfully, but these errors were encountered: