Hi all,

We have one remaining blocker for the 1.19.2 and 1.20.1 releases, namely the issue associated with ticket FLINK-36510: *"Upgrade Pekko from 1.0.1 to 1.1.2"* [1]. Here is the context:

- The flink-rpc module is currently based on Pekko 1.0.1, which bundles Netty version 3.10.6. Netty 3.10.6 is the last 3.x release and officially reached EOL more than eight years ago. It contains at least 20 known critical vulnerabilities [2].
- FLINK-36510 [1] upgrades flink-rpc to Pekko 1.1.2, which introduces a long-awaited migration to Netty 4.x.
- Memory allocation in Netty 4.x differs from Netty 3.x and has a larger memory footprint with default settings [3].
- Norman Maurer, Netty's project lead, strongly recommends moving away from Netty 3 as soon as possible [4].
- According to Norman, setting -Dio.netty.allocator.type=unpooled should approximate Netty 3's memory behavior at the expense of the performance improvements that Netty 4 would otherwise provide. That said, Netty 4 with -Dio.netty.allocator.type=unpooled is not expected to perform worse than Netty 3.
- Although this change might seem too substantial for a patch release, I propose proceeding with it due to the accumulated risks of staying on Netty 3.10.6. This will need to be addressed in 1.20 as a patch release anyway, given that 1.20 is designated as LTS, and we can expect Netty 3 to accrue even more CVEs over time.

Here you can find more details of the ongoing discussion [5].

Looking forward to hearing the community's thoughts on whether we should proceed with the proposed changes.

[1] https://issues.apache.org/jira/browse/FLINK-36510
[2] https://mvnrepository.com/artifact/io.netty/netty/3.10.6.Final
[3] https://issues.apache.org/jira/browse/FLINK-36510?focusedCommentId=17911219&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17911219
[4] https://github.com/apache/flink/pull/25866#issuecomment-2595168560
[5] https://github.com/apache/flink/pull/25866

Best,
Alex
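The message above hinges on which Netty line a deployment actually bundles. The following is an added example, not code from the Flink project or from the author of the message: it inventories the Netty artifacts inside a set of jars and flags any 3.x copy as end-of-life. It reads the Maven pom.properties that non-shaded jars carry under META-INF/maven, and falls back to class package names for shaded jars, using the fact that Netty 3 ships its classes under org.jboss.netty while Netty 4 uses io.netty (substring matching so relocated copies are still caught). The jars it scans are constructed in-memory samples; the file names, artifact versions and class paths in them are assumptions for illustration, not real distribution contents.

```python
import io
import re
import zipfile

# Maven metadata path inside a jar: META-INF/maven/<groupId>/<artifactId>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Netty 3.x classes live under org.jboss.netty; Netty 4.x and later under io.netty.
# Matched as substrings so shaded/relocated copies (e.g. .../shaded/netty4/io/netty/...) are found.
NETTY3_PKG = "org/jboss/netty/"
NETTY4_PKG = "io/netty/"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def netty_major(version):
    """Major number of a Maven version string such as '3.10.6.Final' (None if unparsable)."""
    m = re.match(r"(\d+)\.", version)
    return int(m.group(1)) if m else None


def inspect_jar(jar_bytes):
    """Return (artifact, version, major) findings for one jar.

    Declared io.netty artifacts are read from pom.properties; if the jar carries no
    such metadata (typical for shaded/uber jars) fall back to class package names.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            m = POM_PROPS.match(name)
            if not m or m.group(1) != "io.netty":
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            version = props.get("version", "unknown")
            findings.append((f"{m.group(1)}:{m.group(2)}", version, netty_major(version)))
    if findings:
        return findings
    if any(NETTY3_PKG in n for n in names):
        findings.append(("(shaded, org.jboss.netty classes)", "unknown", 3))
    if any(NETTY4_PKG in n for n in names):
        findings.append(("(shaded, io.netty classes)", "unknown", 4))
    return findings


def audit(jars):
    """jars: {file name: jar bytes}. Returns sorted (jar, artifact, version, eol) tuples."""
    report = []
    for jar_name, data in jars.items():
        for artifact, version, major in inspect_jar(data):
            eol = major == 3  # the Netty 3.x line ended with 3.10.6.Final and gets no fixes
            report.append((jar_name, artifact, version, eol))
    return sorted(report)


def eol_findings(report):
    """Only the rows an operator must act on."""
    return [row for row in report if row[3]]


def build_sample_jar(entries):
    """Constructed sample jar (a zip) from {path: bytes}; not a real distribution artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed inputs (assumed names/versions, empty class bodies) standing in for lib/*.jar.
SAMPLE_JARS = {
    "netty-3.10.6.Final.jar": build_sample_jar({
        "META-INF/maven/io.netty/netty/pom.properties":
            b"#Generated by Maven\nversion=3.10.6.Final\ngroupId=io.netty\nartifactId=netty\n",
        "org/jboss/netty/channel/Channel.class": b"",
    }),
    "netty-buffer-4.1.0.Final.jar": build_sample_jar({
        "META-INF/maven/io.netty/netty-buffer/pom.properties":
            b"version=4.1.0.Final\ngroupId=io.netty\nartifactId=netty-buffer\n",
        "io/netty/buffer/ByteBuf.class": b"",
    }),
    "shaded-rpc-sample.jar": build_sample_jar({  # no Maven metadata, relocated Netty 3 classes
        "org/example/shaded/org/jboss/netty/bootstrap/ClientBootstrap.class": b"",
    }),
    "unrelated-library.jar": build_sample_jar({
        "com/example/Foo.class": b"",
    }),
}


if __name__ == "__main__":
    for jar, artifact, version, eol in audit(SAMPLE_JARS):
        print(f"{'EOL ' if eol else 'ok  '} {jar}: {artifact} {version}")
```

Run it against a real lib/ directory by replacing SAMPLE_JARS with `{p.name: p.read_bytes() for p in Path("lib").glob("*.jar")}`; nested jars (a jar inside a jar) need one more level of ZipFile recursion, which this example leaves out.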