
cannot install dask-cuda without pulling in vulnerable dask #796

Closed

asottile opened this issue Nov 19, 2021 · 11 comments

Comments

@asottile

the currently released version of dask-cuda pins dask==2021.9.1 which has a critical CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-42343

currently an install forces this:

virtualenv venv
venv/bin/pip install dask-cuda
venv/bin/pip freeze
$ ...
$ venv/bin/pip freeze
click==8.0.3
cloudpickle==2.0.0
dask==2021.9.1
dask-cuda==21.10.0
distributed==2021.9.1
fsspec==2021.11.0
HeapDict==1.0.1
Jinja2==3.0.3
llvmlite==0.37.0
locket==0.2.1
MarkupSafe==2.0.1
msgpack==1.0.2
numba==0.54.1
numpy==1.20.3
packaging==21.3
partd==1.2.0
psutil==5.8.0
pynvml==11.0.0
pyparsing==3.0.6
PyYAML==6.0
sortedcontainers==2.4.0
tblib==1.7.0
toolz==0.11.2
tornado==6.1
zict==2.0.0

it looks like #742 fixes the pin but has not been released / backported

@quasiben
Member

In this case we'd recommend either installing from source or installing from our nightly package channel:

  • pip install git+ssh://git@github.com/rapidsai/dask-cuda.git
  • conda install -c rapidsai-nightly dask-cuda=21.12

Note we will have an officially released version of dask-cuda 21.12 in early December.

@asottile
Author

asottile commented Nov 22, 2021

neither are available options I'm afraid

would it be possible to backport the patch as a post-release?

@quasiben
Member

It's unlikely we can backport that patch across all of RAPIDS. I will talk to folks about what we can do here. If possible, can you elaborate on why upgrading is not a viable option?

@asottile
Author

our security team requires us to only install packages from PyPI, so we do not have access to conda nor git during our installation process

@jakirkham
Member

There are prereleases on PyPI. Can you use those?

@pentschev
Member

There are prereleases on PyPI. Can you use those?

Using them isn't possible because RAPIDS 21.10 pinned exactly to 2021.9.1, which is the only version we can guarantee works with Dask-CUDA/RAPIDS 21.10. I'm afraid we don't have many choices here; the only possible workaround I can see is if the patch is backported to 2021.9.1 with a new 2021.9.1.1 release, and even then I'm not sure if 2021.9.1.1 would be fine with the ==2021.9.1 pin from https://github.com/rapidsai/dask-cuda/blob/branch-21.10/requirements.txt#L1-L2 .
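As an added example (not code from the issue or from the dask-cuda project), the script below flags the vulnerable pin in the `pip freeze` listing posted above and answers the question just raised: whether a 2021.9.1.1 or a post-release would satisfy the `==2021.9.1` pin under PEP 440 matching. The vulnerable range `<2021.10.0` and the fallback to pip's vendored `packaging` are assumptions.

```python
"""Audit a pip freeze listing for a vulnerable pin and test which version-bump
strategies an exact `==` pin would accept under PEP 440 matching rules."""
try:
    from packaging.specifiers import SpecifierSet
    from packaging.version import Version
except ImportError:  # fall back to pip's vendored copy if packaging is absent
    from pip._vendor.packaging.specifiers import SpecifierSet
    from pip._vendor.packaging.version import Version

# Constructed sample: the relevant lines of the `pip freeze` output in the issue.
FREEZE_OUTPUT = """\
dask==2021.9.1
dask-cuda==21.10.0
distributed==2021.9.1
"""

# Assumed vulnerable ranges for CVE-2021-42343 (placeholder; confirm against the advisory).
VULNERABLE = {
    "dask": SpecifierSet("<2021.10.0"),
    "distributed": SpecifierSet("<2021.10.0"),
}

def parse_freeze(text):
    """Return {name: Version} from `pip freeze` lines of the form name==version."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # skip blanks, comments and non-pinned lines (VCS URLs etc.)
        name, _, ver = line.partition("==")
        pins[name.strip().lower()] = Version(ver.strip())
    return pins

def find_vulnerable(text, vulnerable=VULNERABLE):
    """Names of installed packages whose pinned version falls in a vulnerable range."""
    pins = parse_freeze(text)
    return sorted(name for name, spec in vulnerable.items()
                  if name in pins and spec.contains(pins[name], prereleases=True))

def pin_accepts(pin, candidate):
    """Would a requirement spec such as '==2021.9.1' accept `candidate`?"""
    return SpecifierSet(pin).contains(candidate, prereleases=True)

if __name__ == "__main__":
    print("vulnerable:", find_vulnerable(FREEZE_OUTPUT))  # ['dask', 'distributed']
    # Neither 2021.9.1.1 nor a .post1 release satisfies the exact pin; only a local label
    # (+fixed) does, and PyPI rejects local versions, so the pin must be relaxed to .*
    for cand in ("2021.9.1.1", "2021.9.1.post1", "2021.9.1+fixed"):
        print(cand, pin_accepts("==2021.9.1", cand), pin_accepts("==2021.9.1.*", cand))
```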

@quasiben
Member

quasiben commented Nov 23, 2021

You said your organization can only install from PyPI, so your only need is dask-cuda, is that correct? cuDF and much of the RAPIDS ecosystem is not pip installable.

@asottile
Author

yeah we don't use those at the moment, only dask-cuda

@quasiben
Member

We do upload pre-releases as @jakirkham mentioned:
https://pypi.org/project/dask-cuda/#history

@github-actions

This issue has been labeled inactive-30d due to no recent activity in the past 30 days. Please close this issue if no further response or action is needed. Otherwise, please respond with a comment indicating any updates or changes to the original issue and/or confirm this issue still needs to be addressed. This issue will be labeled inactive-90d if there is no activity in the next 60 days.

@pentschev
Member

I don't think we're able to change that for RAPIDS 21.10 or older, so the recommendation now that 21.12 is out is to upgrade. Therefore I'm closing this, but please reopen if there's a strong reason for which 21.12 can't be used.
