rust icon indicating copy to clipboard operation
rust copied to clipboard

Published 20 hours ago verified publisher icon tensorflow

Incompatible with projects using protobuf 2.28

Open kornelski opened this issue 2 years ago • 1 comments

In Cargo dependency versions are deduplicated across the entire workspace (per each major version). The hardcoded dependency protobuf in tensorflow forces all users of tensorflow to use exactly this version of protobuf 2.27.1. It causes a fatal error when resolving dependencies if any dependency anywhere wants protobuf 2.28.

Unfortunately, this version requirement is very public and global. In Cargo the exact = version requirements are quite disruptive. Please don't hardcode the version. If you can't use 2.28, consider forking the crate and depending on the fork, which will not conflict with other uses of the protobuf crate.

https://github.com/tensorflow/rust/blob/62a3019cfa0720c9744b4bd5f97db953bf4066cf/Cargo.toml#L31-L32

kornelski avatar Sep 11 '23 23:09 kornelski

I think the protobuf version limitation is unintended, so you can remove the =. Below is a note of relevant information.

rust-protobuf releases

  • 2.27.1 -> Feb 5th, 2022
  • 2.28.0 -> Sep 26th, 2022
  • 3.2.0 (latest?) -> Sep 26th, 2022

According to the current Readme, rust-protobuf development is scheduled to move to version 3, and version 2 will soon no longer be maintained. Maybe we should migrate too at some point.

https://github.com/stepancheg/rust-protobuf/blob/master/README.md

dskkato avatar Sep 12 '23 15:09 dskkato

Protobuf 2.27.1 is affected by RUSTSEC-2024-0437

Is an upgrade scheduled?

aCaBctx avatar Mar 13 '25 18:03 aCaBctx