MODULE.bazel depends on a bad protobuf version (for Java) #98

Open
ejona86 opened this issue Jul 30, 2024 · 3 comments


ejona86 commented Jul 30, 2024

MODULE.bazel is using protobuf 27.0-rc2 and disagrees with bazel/repository_locations.bzl which uses 21.5. For starters, why use an RC version?

Protobuf versions after 23.x start a new major version in Java to 4.x. However, the ecosystem is blocked on protocolbuffers/protobuf#17247 before they can upgrade. Yes, you build from source with Bazel, but Bazel in Java still pulls many things from Maven Central (via maven_install) and so could have been compiled with older versions of protobuf, and thus be incompatible with 27.0-rc2.

In grpc-java we were trying to swap to xds from BCR, but noticed the newer protobuf, which means we can't upgrade as it is simply too dangerous/confusing to users. I'm happy to see #96, but it seems the versions should become somewhat aligned with repository_locations.bzl and protobuf downgraded to 21.7.

I looked through the transitive dependencies, and didn't see any that used such a new protobuf version. But I didn't actually try a build to verify.

CC @keith, @sergiitk
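A drift check for the mismatch reported above, added here as an example and not taken from the issue or the project's code. The `repo_name` values, the flat name-to-version mapping standing in for `repository_locations.bzl`, and the sample inputs are assumptions constructed from the versions quoted in the thread.

```python
import re

# Constructed sample inputs using the versions quoted in the issue.
MODULE_BAZEL = '''
bazel_dep(name = "protobuf", version = "27.0-rc2", repo_name = "com_google_protobuf")
bazel_dep(name = "grpc", version = "1.56.3.bcr.1", repo_name = "com_github_grpc_grpc")
'''
# WORKSPACE-side pins as a plain mapping (assumed shape; the real layout of
# repository_locations.bzl is not shown on the page).
WORKSPACE_PINS = {"com_google_protobuf": "21.5", "com_github_grpc_grpc": "1.59.1"}

BAZEL_DEP = re.compile(r'bazel_dep\(([^)]*)\)')
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PRERELEASE = re.compile(r'(?i)(?:^|[-.])(rc|alpha|beta|pre|dev)\d*')

def parse_bazel_deps(text):
    """Return {repo_name or module name: version} for each bazel_dep() call."""
    deps = {}
    for call in BAZEL_DEP.finditer(text):
        attrs = dict(ATTR.findall(call.group(1)))
        if "name" in attrs and "version" in attrs:
            deps[attrs.get("repo_name", attrs["name"])] = attrs["version"]
    return deps

def major(version):
    m = re.match(r'\d+', version)
    return int(m.group()) if m else None

def audit(module_text, workspace_pins):
    """Flag pre-release pins and disagreement between the two dependency sources."""
    findings = []
    for repo, ver in sorted(parse_bazel_deps(module_text).items()):
        if PRERELEASE.search(ver):
            findings.append((repo, "prerelease", ver))
        pinned = workspace_pins.get(repo)
        if pinned is None:
            continue
        if major(ver) != major(pinned):
            findings.append((repo, "major-drift", f"{pinned} -> {ver}"))
        elif ver != pinned:
            findings.append((repo, "version-drift", f"{pinned} -> {ver}"))
    return findings

if __name__ == "__main__":
    for finding in audit(MODULE_BAZEL, WORKSPACE_PINS):
        print(*finding)
```

Run in CI, a check like this fails the build when the bzlmod and WORKSPACE dependency sets diverge by a major version or when a release candidate is pinned.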

Contributor

keith commented Jul 30, 2024

I think I had to use that version because of various other broken things. We could try to downgrade but I guess it depends on other common transitives and their versions really. grpc depends on 26 so realistically we have to go at least that high?

Author

ejona86 commented Jul 30, 2024

grpc 1.56.3.bcr.1 (in the MODULE.bazel) depends on protobuf 3.19.2. grpc 1.59.1 (in repository_locations.bzl) isn't available on BCR, but yeah, the next version in BCR 1.62.1 does depend on protobuf 26. But grpc itself at 1.62.2 depended on protobuf 25. So that is just a BCR "bug."

I don't see this repository needing to depend on a newer version of grpc than 1.56, as downstream users can upgrade to later grpc themselves. I may also talk to the grpc repo folks and suggest they downgrade protobuf. Many users will be prohibited from upgrading until this is resolved.

Contributor

keith commented Jul 30, 2024

I think in my testing while working on this I was trying to integrate it with more downstream deps like envoyproxy/envoy#34355 and the old versions of protobuf didn't work. I think until 27.x there were a lot of protobuf issues with bzlmod, so I think we'd probably hit some if we were trying to downgrade. I didn't try to bring along the WORKSPACE versions as long as they could co-exist.
