network: Update libp2p to 0.54.1 #5996
Comments
CC @paritytech/networking
It's definitely something we want to do! I would wait a bit to update libp2p to the latest version:
After we update libp2p to latest version, we could start looking at performance issues: #5221
We jump onto latest version of libp2p at https://github.com/autonomys/subspace fairly quickly and while I agree it is annoying to do all the changes needed to migrate to new version, it typically takes me a couple of hours to do. And I am yet to see show-stopping issues after upgrade itself (though we do not have as robust testing and benchmarking capabilities yet). I can probably do this upgrade for you (in two steps: first to 0.53.x and then to 0.54.x to make review easier), but it takes you guys a really long time to review with regular merge conflicts in between (I have 4 PRs that I opened that are waiting for review for over a week each, some are waiting for way longer than a week), so while I understand you probably have good reasons for this, it is a big investment. Let me know if you're willing to commit to timely review and I'll take a look at doing this in the near future myself, it isn't a big deal. Substrate is a large source of outdated dependencies that triggered RUSTSEC alerts in the past already as well as causing other issues, like pulling old version of
@nazar-pc We would love to get some help on this if you have some extra bandwidth! 🙏 I'll have a pass soon for the remaining networking PRs, thanks for contributing again!
Noted, I'll update once I get to it
0.53.2 is done here: #6248 Please assign this issue to me, I'll take care of the rest too. UPD: 0.54.1 is also there, it was too easy to do to delay it further.
Now https://rustsec.org/advisories/RUSTSEC-2024-0421.html affects us due to old libp2p version as well
@nazar-pc what is the impact of https://rustsec.org/advisories/RUSTSEC-2024-0421.html issue for your team? IIUC, https://rustsec.org/advisories/RUSTSEC-2024-0421.html can lead to privilege escalation if and only if host domain name check is part of a privilege check / authorization check. From the substrate perspective, we use crypto/noise on top of every connection, we verify and validate the remote is in possession of the private keys derived from the PeerID. In other words, even if the DNS resolver decides that Let me know if my understanding is correct 🙏
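To make the argument in the comment above concrete, here is an added illustration (not code from Substrate or libp2p) of an identity check that binds the connection to a key pair rather than to a host name: the dialer knows the peer ID it wants, the answering side proves possession of the matching private key by signing a fresh nonce, and which host the DNS resolver returned never enters the decision. Assumptions: the peer ID is a plain hex SHA-256 of the Ed25519 public key (libp2p's real encoding is a multihash, and its noise handshake carries more than this single signature); all keys and the nonce are constructed in the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PeerIDOf derives a peer ID from a public key. Assumption: hex SHA-256
// stands in for libp2p's multihash-encoded peer ID.
func PeerIDOf(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

type Peer struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewPeer() (Peer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Peer{pub, priv}, err
}

// Respond models the answering side: present the public key, sign the dialer's nonce.
func (p Peer) Respond(nonce []byte) (ed25519.PublicKey, []byte) {
	return p.Pub, ed25519.Sign(p.Priv, nonce)
}

// Authenticate models the dialer: accept only if the presented key maps to
// the peer ID it meant to reach and the signature over its nonce verifies.
// Which host the DNS resolver returned plays no part in this decision.
func Authenticate(wantPeerID string, nonce []byte, pub ed25519.PublicKey, sig []byte) bool {
	if PeerIDOf(pub) != wantPeerID {
		return false // whoever answered, it is not the peer we dialled
	}
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	honest, _ := NewPeer()
	impostor, _ := NewPeer() // stands in for a host a wrong DNS answer sent us to
	nonce := []byte("constructed-nonce-0001")
	want := PeerIDOf(honest.Pub)
	pub, sig := honest.Respond(nonce)
	fmt.Println("honest peer accepted:", Authenticate(want, nonce, pub, sig))
	pub, sig = impostor.Respond(nonce)
	fmt.Println("impostor accepted:", Authenticate(want, nonce, pub, sig))
}
```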
Probably not very large, but I really don't like to suppress advisories and I had to do that more than once due to old libp2p and litep2p versions in Substrate already.
Yep totally understandable, thanks for the swift reply 🙏 We'll test until the EoW the libp2p update which should enable us to easily upgrade to the latest unaffected version 👍
Substrate currently uses libp2p 0.52.4 with lots of outdated dependencies, libp2p 0.53.0 was released 11 months ago and 0.54.0 was released 2 months ago in time for September's release cut.
This is way too slow; please consider upgrading libp2p so it does not lag behind for a year or more. This is bad for downstream users due to lots of duplicated and outdated dependencies, and it can also be problematic from a security standpoint.