New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pythonPackages.apache-airflow: 1.10.5 -> 1.10.14 #106696
Conversation
e613c1e
to
4f4ea1e
Compare
4f4ea1e
to
89af451
Compare
Ok, got a clean build of apache-airflow. This is ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, not a user, just noticed these CVEs popping up. I'll defer to @bhipple et al.
This looks to me better than the original as it removes the need for custom patching. LGTM |
pkgs/development/python-modules/sqlalchemy-jsonfield/default.nix
Outdated
Show resolved
Hide resolved
@@ -1,15 +1,18 @@ | |||
{ lib | |||
, stdenv | |||
, buildPythonPackage | |||
, fetchPypi | |||
, fetchFromGitHub | |||
, fetchpatch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
, fetchpatch |
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 6 packages failed to build and are new build failures:
9 packages built:
|
89af451
to
238d3ec
Compare
@bhipple @costrouc @ingenieroariel Can anyone of you review this? It's a big change and it worries me that it seems to bitrot already, while there a security issue with the whole thing. |
Dependency of apache-airflow
Dependency of apache-airflow
Dependency of apache-airflow
Dependency of apache-airflow tests.
Apply suggestions.
238d3ec
to
b63c13e
Compare
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 4 packages failed to build and are new build failures:
11 packages built:
The following issues got detected with the above build packages. apache-airflow: Please consider this feature to be alpha. A substituteInPlace with an unused --replace got detected:
Please check the offending substituteInPlace for typos or changes in source. |
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 3 packages failed to build and are new build failures:
12 packages built:
The following issues got detected with the above build packages. apache-airflow: Please consider this feature to be alpha. A substituteInPlace with an unused --replace got detected:
Please check the offending substituteInPlace for typos or changes in source. Please consider this feature to be alpha. A substituteInPlace with an unused --replace got detected:
Please check the offending substituteInPlace for typos or changes in source. |
@mweinelt I can run the latest version this weekend to verify that the binary and libraries work as expected. Airflow has a lot of dependencies and I am afraid this kind of work will be needed before every NixOS release. :/ |
# fix issues w/ upgrade to pendulum >= 2.0 | ||
substituteInPlace airflow/settings.py \ | ||
--replace "from pendulum import Pendulum" "from pendulum import DateTime as Pendulum" | ||
substituteInPlace tests/core/test_core.py \ | ||
--replace "from pendulum import utcnow" "import pendulum; import functools; utcnow = functools.partial(pendulum.now, 'UTC')" | ||
|
||
substituteInPlace tests/core.py \ | ||
--replace "/bin/bash" "${stdenv.shell}" | ||
# --replace "from pendulum import utcnow" "from datetime import datetime as _dt; utcnow = _dt.utcnow" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be better to provide a second, separate, pendulum_1
derivation on pythonPackages
, and put this patch behind an overridable option... there are lots of bits of Airflow that import pendulum so using pendulum 2 might be the wrong approach here, see https://github.com/apache/airflow/search?q=pendulum
Here's a working override that can point to what's needed for a pendulum_1 derivation:
pendulum = pythonSuper.pendulum.overridePythonAttrs (oldAttrs: rec {
inherit (oldAttrs) pname;
version = "1.4.4";
name = "${pname}-${version}";
src = fetchPypi {
inherit pname version;
sha256 = "0p5c7klnfjw8f63x258rzbhnl1p0hn83lqdnhhblps950k5m47k0";
};
propagatedBuildInputs = oldAttrs.propagatedBuildInputs
++ (with pythonSelf; [ tzlocal ]);
});
disabledTests = [ | ||
# Broken with KeyError: visibility_timeout in "section_dict" | ||
"test_broker_transport_options" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had problems with a few more tests on nixos that look like they come from nixos:
disabledTests = [ | |
# Broken with KeyError: visibility_timeout in "section_dict" | |
"test_broker_transport_options" | |
disabledTests = [ | |
# unable to actually find /bin/echo on nixos | |
"test_deprecated_options_cmd" | |
# has trouble finding the tempfile created on nixos | |
"test_get_section_should_respect_cmd_env_variable" | |
# unable to actually find /bin/bash on nixos | |
"test_bash_operator_kill" | |
# Broken with KeyError: visibility_timeout in "section_dict" | |
"test_broker_transport_options" |
This is not about a pre-release bump, this is about at least three CVEs that need to be addressed during the release cycle. Please see #106671. |
@mweinelt thanks for clearing up my confusion. @drewrisinger I had to add this commit for it to build in OSX: piensa@fa9fc16 I used this shell.nix to try things out:
Once it built, I created a sample dag, by creating a dags subfolder within it and this file in there
With that, I set the airflow home to the folder where I had the checkout (not a great practice, but works for this test):
This creates a few files, but one of them has a value that does not work with the Werkzeug version in this PR, see: apache/airflow#11873 so we need to manually change the following in the generated airflow.cfg:
and then run the webserver and navigated to localhost:8080 to find this: In order for the sample task to actually run, we need to run Then we can trigger the task manually on the UI: and wait for evidence on the scheduler output that the task is running: Functionality wise, and with some small modifications this PR looks good to me. |
Taking another look at this for #122042, @drewrisinger are you still available to rebase? It looks like the only outstanding merge concern a few months ago was missing maintainers on a few python dependencies. You can add me to those. In the meantime there's been an Airflow 2.0.X release, which seems to change around some dependencies: I'd be fine with rebasing/polishing this PR as-is and merging, since it seems strictly better than what we have currently; but going to 2.X would be nice at some point too. It's a shame the dependency closure of Airflow is such a mess. |
I am around too in case there is a need to test. Or to help with the
rebasing too.
…On Sat, 8 May 2021 at 8:18 AM Benjamin Hipple ***@***.***> wrote:
Taking another look at this for #122042
<#122042>, @drewrisinger
<https://github.com/drewrisinger> are you still available to rebase? It
looks like the only outstanding merge concern a few months ago was missing
maintainers on a few python dependencies. You can add me to those.
In the meantime there's been an Airflow 2.0.X release, which seems to
change around some dependencies:
http://airflow.apache.org/docs/apache-airflow/stable/changelog.html
I'd be fine with rebasing/polishing this PR as-is and merging, since it
seems strictly better than what we have currently; but going to 2.X would
be nice at some point too. It's a shame the dependency closure of Airflow
is such a mess.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#106696 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAANNV54ZK222VKYZIVN6F3TMU23DANCNFSM4UXON7IQ>
.
|
Motivation for this change
Update
apache-airflow
to the latest version, to fix CVE security issues (See #106671).Closes #106671.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)