-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking issue for manylinux_2_34 image #1585
Comments
Thanks for the tracking issue. manylinux_2_34 is already supported by auditwheel so there's no need for a new version: pypa/auditwheel#405 While UBI added support for gcc-toolset, it might still not support some
Indeed, we only aim for ABI-compatibility. |
I would suggest not going further on this road. Instead, give the existing users enough time to transit to an alternative solution. For example, as you said half of the pypi users already have glibc>=2.34, which means they also have a decent GCC compiler and very new libstdc++, which dims the need of using devtoolset when time goes by. |
So far all relevant1 manylinux images have been based on RHEL-derivatives, and this system has worked very well. Red Hat itself - though a single vendor - is about as far as possible from a supply chain risk as any single company can be. Your proposal in #1012 is not feasible (in my opinion). Your argument against UBI in #1282 may be correct, but then we can still stay with alma (which will fix security issues also in the rpms).
Try telling maintainers that they should halve their user base. Said differently, a lot of projects care about providing support that is a broad as possible across many different uses (many of which get stuck on old distros for whatever reason), and raising their glibc baseline is done extremely conservatively. This creates an obvious tension between needing to support old systems while wanting to use +/- contemporary compilers. The only sustainable solution to this over the relevant lifecycles has been the devtoolset. Footnotes
|
Functionally the existing Alma based images work very well, but if you run a security scanner to see if any of the components in the images needs be patched, it will be a different story. So my concern is more from supply chain point of view. If the toolchains you use has a known vulnerability, it could be get used to inject a backdoor in the package you are building. We do not see a reliable way to get security patches for the RHEL-derivatives, mainly because Red Hat doesn't want to provide them for free. |
RHEL Universal Base Image is free (and redistributable), fwiw. https://catalog.redhat.com/software/base-images I believe many of the downsides of CentOS Stream were addressed since the previous discussion also, although the 5 year lifecycle remains. For that reason either UBI or Alma images would (I assume) probably be preferred. |
Yes, the image is free. But anything users installed to the image are not covered. |
@carlwgeorge ^ can you speak to those concerns |
They're not, please see my other reply for the full breakdown.
For packages in the UBI content set, Red Hat does provide them, for free, under freely redistributable terms. If something needs to be added to that content set for UBI to be a viable solution, I'm happy to advocate for that.
This is all bogus, for the reasons I described in my other reply. For that GMP security vulnerability, do you know who has that patched? CentOS Stream 8, RHEL 8.8 EUS, and RHEL 8.6 EUS. That's it. RHEL 8.9, Alma 8, and Rocky 8 don't have it. Somehow that fix snuck out in the UBI 8 image (not the repos) ahead of the RHEL 8.10 release, which is likely a mistake but not evidence of UBI repo package not being maintained. |
Great to know that. Thanks! |
From a docs PoV, it would be helpful to have a concise list of the key distro versions shipping glibc 2.34 or later (similar to the list I am suggesting to add for For glibc 2.34, that would be:
|
If musl 1.1 was already at 2.5% (of musllinux!) downloads ~2 months ago, is it really necessary/beneficial to wait until November to remove it? Independently of that, I don't see why the release of other 2_34 images would necessarily need to wait for musllinux; those could come later as constraints get resolved. |
Nice milestone: glibc 2.34 is now supported over 50% of consumer systems using Python. glibc 2.35 is also supported on more than half of the systems, probably since Ubuntu 22.04 has glibc 2.35 bundled by default (and has a huge marketshare). |
Seems like something is in the pipeline: https://gitlab.com/redhat/centos-stream/rpms/gcc-toolset-14-gcc Where would a published version appear? |
CentOS Stream 9 has gcc-toolset-14 available for installation right now.
|
I'll most likely merge the new image next week unless there are reviews delaying that. |
RHEL 9.5 was released last week, so UBI 9 has gcc-toolset-14 now. This confirms the availability ordering described in the chart in the first comment.
Is there anything missing from UBI that prevents it from being used? |
FYI, AlmaLinux released 9.5 today and it includes |
As time goes by, projects start using new glibc features not present in old versions, hence requiring a newer manylinux baseline version to be defined.
For example:
Also, according to the manylinux-timeline, around ~40% of users on non-EOL Python versions have better than glibc 2.34 already.
IMO the discussion in #1282 (and the failure of Debian-based
2_24
, c.f. #1012) showed comprehensively that we should stick with a RHEL-derivative also for the next manylinux standard - the devtoolset backports make all the difference w.r.t. to longevity, and all those flavours are ABI compatible.This would also continue the pattern for all major manylinux standards so far (again excepting
2_24
):Updating the flavour table from #1282:
Obviously Alma (as the base for
2_28
) is a strong candidate, though since then, RHEL has announced it will not provide its sources anymore, creating some doubts initially how Alma will continue, though in the end, they decided they have everything they need to keep going. They'll keep ABI-compatibility (which is by far the most important), but will drop bug-for-bug compatibility (which is IMO not a big deal for us). Still, this might influence the decision; at the time of #1282, the main argument against using UBI was the lack of a gcc-toolset, but this has since been added (both to UBI 8 & 9).1: including Maintenance Support, https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates
2: https://pkgs.org/download/gcc-toolset-13
3: https://www.centos.org/centos-stream/
4: at least gcc 12, probably on gcc 13 already
5: https://hub.docker.com/r/redhat/ubi9-minimal/tags
6: https://github.com/AlmaLinux/cloud-images / https://hub.docker.com/r/almalinux/9-minimal
7: https://hub.docker.com/r/rockylinux/rockylinux/tags
The checklist is short, since wheel and pip, which both use packaging, and warehouse do not require additional PRs.
Publisher-side Support:
Documentation:
Additional projects to double-check for support, perhaps these are already done?
The text was updated successfully, but these errors were encountered: