Summary: New maintenance release | projects state | vulnerabilities in dependencies (CVE's)

Question

Summary: New maintenance release | projects state | vulnerabilities in dependencies (CVE's)

Lonzak opened this issue a year ago · comments

First I would like to express my gratitude to all of the project maintainers who kept and keep working on this project. It is heavily used so your work is appreciated.

Originally I just came here to confirm that this project is dead but then surprisingly I saw that this is not the case. After a bit of digging I found lots of requests / pleas for an update for different reasons. Over a year ago some has been summarized here and in countless other tickets. I will try to summarize and categorize some of them here.
It would be appreciated if this ticket would not be closed too quickly - then others don't need to open new tickets for their update request. This will thus hopefully save you some time which could be spent on more important things...

Reason for not updating (yet):
Some answers which were given:

"We will release when we release. This library has not been a priority recently, but is otherwise stable and working.
In general, both in the past over the history of the project and in the future, we will never do a release to solely address an issue bump for a transitive dependency. Those come along for the ride with new features and bug fixes within this library."

and

"Unfortunately the project isn't quite in a state that I'm comfortable releasing so it requires some time to get back to a releasable state."

and

"I'm on paternity leave. Perhaps when I get back."

Many maintainers contribute and maintain in their (private) spare time. This can not be stressed enough and deserves respect.

But I also see that three years of "bug fixes and maintenance" would and should be quite a reason to make a maintenance release.
Due to supply-chain attacks, transitive dependencies become more and more important and critical. Those third party dependencies belong to a project because they are distributed along with it. (Just look at all the projects which were updated due to the bug in log4j...)

Sure there are mechanisms to manually or automatically exclude them but it means always extra effort to do so. Our project for instance has way over 100 dependencies and each unmaintained lib means additional work (and discussion with the security guys etc.). And this is only the security side. There are bugs listed below which need manual intervention to circumvent those.
In the end we are all just trying to say that the community would appreciate a maintenance release from time to time :-) (where time < 3 years)

Now a list of tickets follows which (for different reasons) all have the same topic:

Vulnerabilities in (transitive) dependencies

3711 mentions:
- Guava CVE-2020-8908
- Junit CVE-2020-15250
- jackson-databind CVE-2020-36518
- jackson-databind CVE-2020-25649
- okhttp CVE-2021-0341 (Fixed starting from version [4.10])(square/okhttp#6724)
maven central mentions additional ones:
- Guava CVE-2023-2976
- Kotlin CVE-2022-24329
- Kotlin CVE-2020-29582
SimpleXML 2.7.1 XXE vulnerability 3625
Okio 3.4.0 CVE-2023-3635
gson 3928, 3745, 3691, 3652
okhttp 3742, 3508, 3611
moshi 3738
jackson 3546
...

Bugs (excerpt):

#3585
#3424
#3563
#3880 Fix: Manually add commit
#3802 Fix: Add the latest okhttp version and explicitly add it to the dependencies
#3858
#3678
#3601
#3594
#3536
...

General Project state questions:

#3791
#3753
...

Yuval Gnessin · Answer 1 · Thu Oct 26 2023 03:05:18 GMT+0800 (China Standard Time)

Thank you for this write-up. I'd like to add another point in response to:

"Unfortunately the project isn't quite in a state that I'm comfortable releasing so it requires some time to get back to a releasable state."

Anyone who has required Retrofit changes from the past 3 years has probably been relying on version 2.10.0-SNAPSHOT. This is the case in my own projects.

No matter the current state of the project, surely it's better to provide stability through an official release than to have consumers increasingly rely on volatile Snapshot versions?

Thanks again to the maintainers for all their hard work on this.

Thomas May · Answer 2 · Fri Nov 03 2023 06:03:20 GMT+0800 (China Standard Time)

Anyone who has required Retrofit changes from the past 3 years has probably been relying on version 2.10.0-SNAPSHOT

For our organization, relying on a SNAPSHOT build in a production deploy is banned. So the only way we could access these changes is either by forking the repo and releasing periodically or by forcing up transitive dependencies. So far we've been pushing forward the transitive dependencies.

This is one of my favorite http clients and I love all the work that's gone into it. A release would be very appreciated.

Lonzak · Answer 3 · Mon Nov 20 2023 21:57:09 GMT+0800 (China Standard Time)

Today version 2.9.0 celebrates its 3 year and 6th month anniversary! 🥳🎉🥂
Hope that it'll have a short life ahead of it 😆

Sergio C · Answer 4 · Sat Dec 02 2023 02:47:42 GMT+0800 (China Standard Time)

Time to find a Retrofit alternative?

Zongle Wang · Answer 5 · Fri Dec 29 2023 14:47:48 GMT+0800 (China Standard Time)

For ones who need this support, you can try out my fork, use io.github.goooler.retrofit2:retrofit:2.10.0, check https://github.com/Goooler/retrofit/releases/tag/2.10.0

4535992 · Answer 6 · Fri Jan 05 2024 22:30:31 GMT+0800 (China Standard Time)

I must say that this is the only library that I have been able to integrate with any kind of project whether very old or recent, I really hope it is not abandoned altogether.

Jake Wharton · Answer 7 · Fri Jan 26 2024 00:40:04 GMT+0800 (China Standard Time)

In the issue you have linked to two separate places where I discussed the status and yet still needed to file an additional issue? I don't like repeating myself.

I really hope it is not abandoned altogether.

It isn't!

Lonzak · Answer 8 · Fri Jan 26 2024 01:21:13 GMT+0800 (China Standard Time)

For an instant I thought when I saw the notification mail that there is a new release. Unfortunately that is not the case and even worse the ticket is closed as [not planned] 😞

In the issue you have linked to two separate places where I discussed the status and yet still needed to file an additional issue? I don't like repeating myself.

You can be certain - I won't open any ticket again. But did you read the ticket?

I will try to summarize and categorize some of them here. [...] then others don't need to open new tickets for their update request. This will thus hopefully save you some time which could be spent on more important things...

Since I opened that "summery" ticket there have been drastically less tickets asking for a new versions / updated deps / security vulnerabilities and the like. Most people usually don't search closed tickets... But you'll see: since this ticket is closed now such requests will start popping up again.

It isn't!

and

not planned

Doesn't fit together imho. Time for me to migrate.

Lonzak · Answer 9 · Wed Apr 03 2024 02:38:25 GMT+0800 (China Standard Time)

Update: Something happened: Two updates within one week?!

Update II:
I checked the version and some (vulnerable) dependencies have been upgraded, however some remain.
It still depends on okhttp 3.14.9 which in turn uses the old okio 1.17.2. The reason for not upgrading okhttp are described here and here.

Remaining issues:

okio

okio Okio GzipSource DOS (CVSS Base score: 7.5)
CVE-2023-3635
=> Fixed in okio 1.17.6

JUnit (doesn't matter since only for testing)
CVE-2020-15250

okhttp

CVE-2023-0833
=> Fixed in okhttp 4.9.2