dask-image
Bump the minimum allowable version of Dask
Should we bump the minimum allowable dask version? I just got a dependabot alert in another repo indicating an update to dask=2021.10.0 is necessary:
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.
Bumping the dask version would need to happen in the setup.py file here https://github.com/dask/dask-image/blob/8e784e044bc268e6574ebc2e55529c64f966a589/setup.py#L32
Originally posted by @GenevieveBuckley in https://github.com/dask/dask-image/issues/257#issuecomment-1033583468
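Two checks a maintainer might run around a bump like this, as an added example (this is not dask-image or Dask project code): a requirement-spec check that tells whether a `setup.py` pin such as `dask[array] >=1.1.0` still admits releases below the 2021.10.0 fix named above, and a listener check that flags scheduler or worker addresses bound to something other than loopback, which is the behaviour the advisory describes. The `audit_scheduler_info` helper assumes the dict shape of distributed's `Cluster.scheduler_info` (`"address"` for the scheduler, `"workers"` keyed by worker address); the sample spec lines and addresses below are constructed for the example.

```python
"""Added example: check a Dask version pin and Dask listener addresses.

Not dask-image or Dask project code. The 2021.10.0 threshold comes from the
dependabot alert quoted in the issue.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# First release the advisory names as fixed; anything older is treated as vulnerable.
FIXED_VERSION = "2021.10.0"

_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*(.*)$")


def parse_version(version):
    """'2021.09.1' -> (2021, 9, 1); '1.1.0' -> (1, 1, 0).

    Integer tuples order Dask's CalVer and its older SemVer releases correctly.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(version):
    """True when `version` predates the release carrying the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def minimum_from_spec(spec):
    """Return the lower bound of a pip requirement line, or None if unbounded.

    Handles the common '>=' and '==' clauses; anything else means no lower bound.
    """
    match = _SPEC_RE.match(spec)
    if match is None:
        raise ValueError(f"not a requirement spec: {spec!r}")
    for clause in match.group(3).split(","):
        clause = clause.strip()
        if clause.startswith((">=", "==")):
            return clause[2:].strip()
    return None


def spec_allows_vulnerable(spec):
    """True when the spec could resolve to a Dask older than FIXED_VERSION."""
    lower = minimum_from_spec(spec)
    return lower is None or is_vulnerable_version(lower)


def is_loopback_listener(address):
    """True for Dask addresses like 'tcp://127.0.0.1:8786' that bind loopback only.

    '0.0.0.0', '::' and any routable IP count as external; unresolved hostnames
    other than 'localhost' are treated as external because they cannot be verified here.
    """
    host = urlsplit(address).hostname
    if host is None:
        raise ValueError(f"address has no host component: {address!r}")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def external_listeners(addresses):
    """Subset of `addresses` that are reachable from other hosts."""
    return [addr for addr in addresses if not is_loopback_listener(addr)]


def audit_scheduler_info(info):
    """Flag external listeners in a dict shaped like distributed's Cluster.scheduler_info.

    Assumed shape: {"address": "<scheduler>", "workers": {"<worker address>": {...}}}.
    """
    addresses = [info["address"]] + list(info.get("workers", {}))
    return external_listeners(addresses)


# Constructed sample data, not taken from any real cluster or setup.py.
SAMPLE_SPECS = ["dask[array] >=1.1.0", "dask[array] >=2021.10.0", "dask"]
SAMPLE_INFO = {
    "address": "tcp://127.0.0.1:8786",
    "workers": {
        "tcp://192.168.1.20:38741": {"nthreads": 4},
        "tcp://127.0.0.1:41955": {"nthreads": 4},
    },
}

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        verdict = "allows vulnerable Dask" if spec_allows_vulnerable(spec) else "ok"
        print(f"{spec!r}: {verdict}")
    print("external listeners:", audit_scheduler_info(SAMPLE_INFO))
```

On a live machine the same helper can be fed `cluster.scheduler_info` from a `dask.distributed.LocalCluster`; an empty result means every scheduler and worker endpoint is bound to loopback.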
Here's a copy of the rest of the comments on this topic from the original thread.
Thanks for the heads up! I think this PR should be good as is if you bump the dask dependency, as I pinned to 2022.1.1 (the most recent compatible version). We should probably opt to bump Dask either as a follow-up to or directly in this PR, since the change would break the current CI environments that are pinned to an older version of Dask:
https://github.com/dask/dask-image/blob/8e784e044bc268e6574ebc2e55529c64f966a589/continuous_integration/environment-3.8.yml#L14
If we are bumping Dask, there is old code we should cleanup. Do we want to do this here? If not, would it make sense to keep an older Dask version in at least some CI tests?
I think code cleanup is a lower priority than security. So we should prioritize bumping the version of Dask (either in this PR or a new one, whatever is quickest/easiest), and then if necessary we can defer a code cleanup PR to a later time if need be.
The newest Dask version is used in the Python 3.9 job. So this is getting tested (users of course can install the newer version as well where most security issues are likely to surface).
So this is a question of continuing to make things work for the versions we claim support for.
Again no objection to dropping old code and bumping the version, but maybe that should be deferred to a separate PR with those changes?
@jakirkham what old code would need to be removed if we bumped the dask version?
The minimum Dask version was bumped to version 1.1.0 here: https://github.com/dask/dask-image/pull/286. That went very smoothly, but is still lower than the recommended version suggested here, which I'd forgotten about. ...so I guess we should:
- try bumping it again to dask=2021.10.0
- ~~enable dependabot on this repo?~~ John has already added dependabot here: https://github.com/dask/dask-image/pull/279
- Make another release (which would also address https://github.com/dask/dask-image/issues/271)