Update to proto 4.X

[rafael-andrade-3010]

Hello! I would like to check with you if you have plans to update this lib to use protoc 4.X, I tried a bit locally but no success.

Thanks in advance

[RomanIakovlev]

Hi! From what I understand, protoc as such has current version of 26.X, while protobuf for Java have current version 4.26.x, or some such. Having said that, when you suggest upgrading to protoc 4.X you probably mean protobuf 4.X, right? Because protoc version range is already in twenties.

I wonder if you have tried bumping the version here?

timeshape/build.sbt

Line 82 in 7007953

PB.gens.java("3.21.12") -> (Compile / sourceManaged).value

If that doesn't work right away, maybe upgrading the sbt-protoc plugin and "com.thesamet.scalapb" %% "compilerplugin" library in https://github.com/RomanIakovlev/timeshape/blob/master/project/plugins.sbt first would help?

Putting those technicalities aside, I think there's also a question of backwards compatibility here. Increasing the major version from 3 to 4 is a breaking change, so people who still rely on major version 3 of protobuf won't be able to use the new releases of Timeshape if it switches to major version 4. I've just realized the version 3.21.12 that's currently used is quite ancient, so it would definitely make sense to upgrade to 3.25.x, but going directly to major version 4 is probably too early.

Speaking of when we could switch to protobuf major version 4, I would follow this version support guide here: https://protobuf.dev/support/version-support/#java:

That is, I'd upgrade to major version 4 somewhere towards the end of this year, or in early 2025, when the public support ends.

To get support for major version 4 earlier, it will be necessary to build a new artifact, e.g. net.iakovlev:timeshape-pb4:x, or something like that, and publish it in parallel with the standard net.iakovlev:timeshape:x. In all honesty I'm not too keen on doing that myself, because that would complicate the build definition somewhat, and I personally don't have a need for that.

If you need it, the easiest way would probably be for you to (temporarily) fork Timeshape, build that -pb4 version for yourself, and use it until the main version switches to the protobuf major 4 version.

[AeroSecGeek]

Just a head's up call: there was a vulnerability detected in the protobuf library, for details you can visit: https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Unfortunately, at the moment there is no fix available but I think it would be great to update the library as soon as a fix is available.

[danio]

protobuf-jav 3.25.5 was released 18th Sept which addresses
CVE-2024-7254

I think it's worth upgrading to that at least @RomanIakovlev

[RomanIakovlev]

Thanks for the heads up @AeroSecGeek and @danio! An upgrade in the 3.x series is very much uncontroversial, so feel free to send a PR and I'll merge it and make a release.

[RomanIakovlev]

I've just released Timeshape version 2024a.23 with protobuf 3.25.5. Thanks @AeroSecGeek for your contribution!

[danio]

great news, thank you both!

[AeroSecGeek]

@RomanIakovlev I think you need to do also a new release of net.iakovlev.geojson-proto since the protobuf library is used in there?

[RomanIakovlev]

@AeroSecGeek yes, you're absolutely right, I've overlooked it. This means, a new release of Timeshape will be needed as well, because it's going to depend on a new build of geojson-proto.

[RomanIakovlev]

Ok it's done properly now, Timeshape 2024a.24 is released with geojson-proto 1.1.4 (which has upgraded protobuf).

[AeroSecGeek]

@RomanIakovlev Thank you very much, highly appreciated!