Update pins: openssl>=3.6.1, wheel>=0.46.2 #844

Merged: jolorunyomi merged 5 commits into release/26.02 from fix-cves (Jan 30, 2026)

@jolorunyomi
Contributor

No description provided.

@jolorunyomi requested a review from a team as a code owner (January 27, 2026 21:43)
@jolorunyomi requested a review from msarahan (January 27, 2026 21:43)
@msarahan

Current tar version is 1.35: https://github.com/conda-forge/tar-feedstock - not sure where you are getting your version from

@jameslamb (Member) left a comment:

We're discussing this offline.

@jameslamb (Member) left a comment:

Please see my suggestions on changing how we implement this. And please update the description to match the changes (there are no tar changes in this PR, and "CVE" should be capitalized or omitted completely).

@jolorunyomi changed the title from "Fixes for tar and wheel cves" to "Setup conda-meta pinned for packages (OpenSSL and Wheel)" (Jan 30, 2026)

@jameslamb (Member) left a comment:

Thanks, this is getting closer. Please see my new round of suggestions.

And then before we merge this, we'll want to double-check some of the images to confirm they have the versions we want. You can find the image URIs for images built from PRs in the logs or by looking at https://hub.docker.com/r/rapidsai/stagin

@jameslamb changed the title from "Setup conda-meta pinned for packages (OpenSSL and Wheel)" to "Update pins: openssl>=3.6.1, wheel>=0.43.0" (Jan 30, 2026)
@jameslamb changed the title from "Update pins: openssl>=3.6.1, wheel>=0.43.0" to "Update pins: openssl>=3.6.1, wheel>=0.46.2" (Jan 30, 2026)

@jameslamb (Member) left a comment:

Looks good! Hope you don't mind, I've updated the title to be a bit easier to understand from the perspective of a user reading the changelog. I think they are more likely to care about the new versions, not that we happened to use conda-meta/pinning to accomplish it.

@@ -0,0 +1,2 @@
openssl >=3.6.1
wheel >=0.46.2
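
Review bot: both added lines are open-ended lower bounds (`openssl >=3.6.1`, `wheel >=0.46.2`) and nothing alongside them records why these floors were chosen, so a later reader cannot tell which advisory each one addresses or when it is safe to drop. Suggest naming the advisories in the PR description, and adding a build-time check that the resolved openssl and wheel versions meet these minimums, since a pin constrains the solver but does not by itself show what ended up in the image.
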
Member

I do see this pinning being recognized by conda / mamba, great!

I think this is working. I'll type out here how I tested this (I didn't see any comments about whether you had tested, so I double-checked).

Using this build-rapids job: https://github.com/rapidsai/docker/actions/runs/21526839481/job/62032591313?pr=844

conda / mamba recognize the pinning:

#36 13.32 Pinned packages:
#36 13.32 
#36 13.32   - openssl>=3.6.1
#36 13.32 
#36 13.32 Pinned packages:
#36 13.32 
#36 13.32   - wheel>=0.46.2

However, those packages don't show up in any of the environment output. Like this:

#36 37.29   Package                 Version  Build            Channel          Size
#36 37.29 ───────────────────────────────────────────────────────────────────────────
#36 37.29   Install:
#36 37.29 ───────────────────────────────────────────────────────────────────────────
#36 37.29 
#36 37.29   + async-lru               2.1.0  pyhcf101f3_0     conda-forge      19kB
#36 37.29   + babel                  2.17.0  pyhd8ed1ab_0     conda-forge       7MB
#36 37.29   + comm                    0.2.3  pyhe01879c_0     conda-forge      15kB
#36 37.29   + coverage               7.13.2  py310h3406613_0  conda-forge     313kB
#36 37.29   + dask-glm                0.3.2  pyhd8ed1ab_0     conda-forge      18kB
#36 37.29   + dask-ml              2025.1.0  pyhd8ed1ab_0     conda-forge     114kB
#36 37.29   + debugpy                1.8.20  py310h25320af_0  conda-forge       2MB
#36 37.29   + execnet                 2.1.2  pyhd8ed1ab_0     conda-forge      39kB
#36 37.29   + h11                    0.16.0  pyhcf101f3_1     conda-forge      39kB
#36 37.29   + httpcore                1.0.9  pyh29332c3_0     conda-forge      49kB
#36 37.29   + httpx                  0.28.1  pyhd8ed1ab_0     conda-forge      63kB
#36 37.29   + importlib_resources     6.5.2  pyhd8ed1ab_0     conda-forge      34kB
#36 37.29   + iniconfig               2.3.0  pyhd8ed1ab_0     conda-forge      13kB
#36 37.29   + ipykernel               7.1.0  pyha191276_0     conda-forge     134kB
#36 37.29   + ipywidgets              8.1.8  pyhd8ed1ab_0     conda-forge     114kB
#36 37.29   + json5                  0.13.0  pyhd8ed1ab_0     conda-forge      34kB
#36 37.29   + jupyter                 1.1.1  pyhd8ed1ab_1     conda-forge       9kB
#36 37.29   + jupyter-lsp             2.3.0  pyhcf101f3_0     conda-forge      60kB
#36 37.29   + jupyter_console         6.6.3  pyhd8ed1ab_1     conda-forge      27kB
#36 37.29   + jupyterlab              4.5.3  pyhd8ed1ab_0     conda-forge       9MB
#36 37.29   + jupyterlab_server      2.28.0  pyhcf101f3_0     conda-forge      52kB
#36 37.29   + jupyterlab_widgets     3.0.16  pyhcf101f3_1     conda-forge     217kB
#36 37.29   + nest-asyncio            1.6.0  pyhd8ed1ab_1     conda-forge      12kB
#36 37.29   + notebook                7.5.3  pyhcf101f3_0     conda-forge      10MB
#36 37.29   + notebook-shim           0.2.4  pyhd8ed1ab_1     conda-forge      17kB
#36 37.29   + patsy                   1.0.2  pyhcf101f3_0     conda-forge     193kB
#36 37.29   + prompt_toolkit         3.0.52  hd8ed1ab_0       conda-forge       7kB
#36 37.29   + py-cpuinfo              9.0.0  pyhd8ed1ab_1     conda-forge      26kB
#36 37.29   + pytest                  8.4.2  pyhcf101f3_1     conda-forge     295kB
#36 37.29   + pytest-benchmark        5.2.3  pyhd8ed1ab_0     conda-forge      44kB
#36 37.29   + pytest-cov              7.0.0  pyhcf101f3_1     conda-forge      29kB
#36 37.29   + pytest-xdist            3.8.0  pyhd8ed1ab_0     conda-forge      39kB
#36 37.29   + python-louvain           0.16  pyhd8ed1ab_1     conda-forge      15kB
#36 37.29   + seaborn                0.13.2  hd8ed1ab_3       conda-forge       7kB
#36 37.29   + seaborn-base           0.13.2  pyhd8ed1ab_3     conda-forge     228kB
#36 37.29   + sniffio                 1.3.1  pyhd8ed1ab_2     conda-forge      16kB
#36 37.29   + sparse                 0.17.0  pyhcf101f3_0     conda-forge     121kB
#36 37.29   + statsmodels            0.14.6  py310hf779ad0_0  conda-forge      10MB
#36 37.29   + tomli                   2.4.0  pyhcf101f3_0     conda-forge      21kB
#36 37.29   + widgetsnbextension     4.0.15  pyhd8ed1ab_0     conda-forge     889kB

That's ok, they might have just been pre-installed and then not needed to be updated. Checked by listing the entire environment.

Pulling that image:

docker run \
   --rm \
   -it rapidsai/staging:docker-notebooks-844-26.02a-cuda13-py3.10-amd64 \
    bash

Those are installed and with new-enough versions.

$ conda env list
# conda environments:
#
# * -> active
# + -> frozen
base                 *   /opt/conda

$ conda env export | grep -i -E 'ssl|wheel'
  - openssl=3.6.1=h35e630c_1
  - wheel=0.46.3=pyhd8ed1ab_0
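
The manual verification in the comment above can be automated as a build-time check. This is an added example, not code from the PR or the rapidsai/docker repository; it assumes pin lines have only the form `name >=version` and that versions are dotted numbers (a simplification of conda's version ordering), and the function names are hypothetical.

```python
import re
import sys

# Constructed sample inputs in the shape shown in the thread: the two pin lines
# from the diff and the `conda env export | grep` lines from the review comment.
PINNED = "openssl >=3.6.1\nwheel >=0.46.2\n"
EXPORT = "  - openssl=3.6.1=h35e630c_1\n  - wheel=0.46.3=pyhd8ed1ab_0\n"

def parse_version(text):
    """Dotted numeric versions only; this is not conda's full version ordering."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # so that 3.6 == 3.6.0
        parts.pop()
    return tuple(parts)

def parse_pins(text):
    """Map package name -> minimum version string for 'name >=x.y.z' lines."""
    pins = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*>=\s*(\S+)", line)
        if m is None:
            raise ValueError(f"unsupported pin line: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins

def parse_export(text):
    """Map package name -> installed version from '  - name=version=build' lines."""
    found = re.findall(r"^\s*-\s+([A-Za-z0-9_.-]+)=([^=\s]+)", text, re.MULTILINE)
    return {name.lower(): version for name, version in found}

def check_pins(pinned_text, export_text):
    """Return a list of problems; an empty list means every pin is satisfied."""
    installed, problems = parse_export(export_text), []
    for name, minimum in parse_pins(pinned_text).items():
        if name not in installed:
            problems.append(f"{name}: not installed")
            continue
        try:
            too_old = parse_version(installed[name]) < parse_version(minimum)
        except ValueError as err:  # version outside the assumed dotted-number form
            problems.append(f"{name}: {err}")
            continue
        if too_old:
            problems.append(f"{name}: {installed[name]} is older than pinned minimum {minimum}")
    return problems

if __name__ == "__main__":
    issues = check_pins(PINNED, EXPORT)
    print("\n".join(issues) or "all pins satisfied")
    sys.exit(1 if issues else 0)
```

In an image build, the two constants would be replaced by the contents of the pin file and the output of `conda env export`, so a missing or too-old package fails the build instead of relying on manual inspection.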

@jameslamb
Member

Unsure what happened here, but CI is stuck waiting for a job called pr-builder / run

The one triggered on PRs is called ci / docker / pr-builder / run

I think maybe the problem here is that the branch protection for release/26.02 (https://github.com/rapidsai/docker/settings/branch_protection_rules/71769325) expects pr-builder / run

While the one for PRs targeting main (https://github.com/rapidsai/docker/settings/branch_protection_rules/68846288) correctly has docker / pr-builder / run

I can see on the most recent PR merged here (#843, 4 days ago, targeting main), the check was called docker / pr-builder / run.

I've manually updated the release/26.02 branch protection so this can be merged. I'll put up an Ops ticket about this.

@jolorunyomi merged commit a5c3adb into release/26.02 (Jan 30, 2026)
64 checks passed
@jameslamb deleted the fix-cves branch (January 31, 2026 16:53)