
Upgrade pyo3 to latest #7277

Open
legoktm opened this issue Oct 24, 2024 · 2 comments · May be fixed by #7432
Labels
Rust Issues that touch Rust code

Comments


legoktm commented Oct 24, 2024

Description

We probably got a bit lucky in that https://rustsec.org/advisories/RUSTSEC-2024-0378 only affects newer versions of pyo3 and not older ones. In terms of our major Rust dependencies, pyo3 is probably the most outdated one since it's a big review burden (and not used by any other audits we import IIRC).

We should proactively get close to latest so we can review it at our leisure (including splitting the load) instead of reacting to an issue in a hurry.

@legoktm legoktm added the Rust Issues that touch Rust code label Oct 24, 2024
@surfingreg

Hi, I have a PR ready to go for this. But, I wanted to check in before I sprang it on you, this being my first contribution. It brings the PyO3 version up to 0.23.4 from 0.18.0.

develop...surfingreg:securedrop:develop-bump-pyo3-version

The Rust tests pass. I'm less confident about what will happen outside Rust. Mainly because, in alignment with the newer pyo3 API, I changed the signature for redwood() (https://pyo3.rs/v0.23.4/function.html)...

from:
fn redwood(py: Python, m: &PyModule) -> PyResult<()>

to:
fn redwood(m: &Bound<'_, PyModule>) -> PyResult<()>

pyo3 migration ref:
https://pyo3.rs/v0.23.4/migration.html?highlight=pybytes#to-python-conversions-changed-for-byte-collections-vec-u8-n-and-smallvec

It does also bump us past this, though it doesn't appear relevant(?).
https://rustsec.org/advisories/RUSTSEC-2024-0409.html

Thoughts? Thanks!
Greg


legoktm commented Jan 29, 2025

Hi @surfingreg! Thanks for working on this.

> I'm less confident about what will happen outside Rust.

The Python application tests should be comprehensive enough if you want to run it locally or in CI. As long as it's exporting roughly the same thing, it should just work.

> It does also bump us past this, though it doesn't appear relevant(?).
> https://rustsec.org/advisories/RUSTSEC-2024-0409.html

That seems to be a regression in 0.23.0, so we weren't affected. Probably wouldn't have affected us too bad since we only have one version of Python installed in the environment where we build packages.
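The question running through this thread is whether the pyo3 version pinned in Cargo.lock sits inside an advisory's affected range. The following is an added example, not code from the thread or from SecureDrop: it parses a constructed Cargo.lock excerpt and compares the resolved pyo3 version against placeholder `(introduced, patched)` ranges (the real ranges for RUSTSEC-2024-0378 and RUSTSEC-2024-0409 must be taken from rustsec.org).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Cargo.lock excerpt for illustration; not SecureDrop's real lockfile.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "pyo3"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pyo3-build-config"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Placeholder advisory data as (introduced, patched) pairs. These are NOT the real
# ranges of RUSTSEC-2024-0378 or RUSTSEC-2024-0409; look those up on rustsec.org.
PLACEHOLDER_RANGES: List[Tuple[str, Optional[str]]] = [("0.20.0", "0.20.3")]

# Cargo.lock always writes `name` directly before `version` inside a [[package]] table.
PACKAGE_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')


def lock_versions(lock_text: str) -> Dict[str, List[str]]:
    """Map crate name -> resolved versions (a crate can be pinned more than once)."""
    found: Dict[str, List[str]] = {}
    for name, version in PACKAGE_RE.findall(lock_text):
        found.setdefault(name, []).append(version)
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: '0.23.4' -> (0, 23, 4). Sufficient for release versions."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, ranges: List[Tuple[str, Optional[str]]]) -> bool:
    """True if version falls in any half-open [introduced, patched) range."""
    v = version_key(version)
    for introduced, patched in ranges:
        if v >= version_key(introduced) and (patched is None or v < version_key(patched)):
            return True
    return False


def check_crate(lock_text: str, crate: str, ranges) -> Dict[str, bool]:
    """Report each pinned version of `crate` and whether the advisory ranges cover it."""
    return {v: is_affected(v, ranges) for v in lock_versions(lock_text).get(crate, [])}


if __name__ == "__main__":
    for version, hit in check_crate(SAMPLE_CARGO_LOCK, "pyo3", PLACEHOLDER_RANGES).items():
        print(f"pyo3 {version}: {'AFFECTED' if hit else 'not in range'}")
```

`cargo audit` performs this lookup against the live RustSec database; the block only shows the version comparison that decides "affected or not" for a pinned crate.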

@surfingreg surfingreg linked a pull request Jan 30, 2025 that will close this issue