
[io.micrometer:micrometer-registry-otlp] Reliance on opentelemetry-proto:jar #5659


Closed
patpatpat123 opened this issue Nov 13, 2024 · 3 comments
Labels
duplicate A duplicate of another issue

Comments

@patpatpat123
Hello team,

Just wanted to reach out regarding a small issue.

The background is that there is this chain of dependencies:

```text
[INFO] +- io.micrometer:micrometer-registry-otlp:jar:1.14.0-RC1:compile
[INFO] |  \- io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime
[INFO] |     \- com.google.protobuf:protobuf-java:jar:3.23.4:runtime
```

There is currently a CVE for protobuf-java:jar:3.23.4 which I would like to highlight.
But there is also the following problem:

From the developers of opentelemetry-proto-java, it seems that (I am just quoting):

> unfortunately it looks like this artifact io.micrometer:micrometer-registry-otlp didn't follow [our guidance](https://github.com/open-telemetry/opentelemetry-proto-java#support):
>
> We have no intention of eventually publishing stable artifacts. If you need guarantees, please generate your own bindings, consulting [grpc codegen](https://grpc.io/docs/languages/java/generated-code/#codegen) and possibly [build.gradle.kts](https://github.com/open-telemetry/opentelemetry-proto-java/blob/main/build.gradle.kts)

open-telemetry/opentelemetry-proto-java#19 (comment)

If this is the case, and it seems the underlying library is not "stable", can micrometer decouple from this unstable dependency?

Thank you for your time on this issue.
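The dependency chain above can be dealt with on the consumer side while waiting for an upstream decision. The following Maven fragment is an added example, not code from this issue or from the Micrometer project: it pins a single protobuf-java version for the whole build through `dependencyManagement`, which takes precedence over the version that opentelemetry-proto pulls in transitively. The version number is an assumption; take the patched release from the advisory for the CVE you are tracking.

```xml
<!-- Added example, not from the issue or from Micrometer.
     dependencyManagement overrides the transitive protobuf-java version
     that io.opentelemetry.proto:opentelemetry-proto brings in.
     The version below is an assumption: use the patched release named
     in the advisory you are tracking, and stay within the same major line
     unless you have verified that the classes generated inside
     opentelemetry-proto still load against the newer runtime. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>3.25.5</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Unchanged: the registry still needs opentelemetry-proto at runtime,
       so do NOT exclude it here; an exclusion removes the generated
       OTLP classes the exporter uses and fails at runtime. -->
  <dependency>
    <groupId>io.micrometer</groupId>
    <artifactId>micrometer-registry-otlp</artifactId>
    <version>1.14.0-RC1</version>
  </dependency>
</dependencies>
```

After the change, confirm the resolved version with `mvn dependency:tree -Dincludes=com.google.protobuf` and check that the protobuf-java line now shows the pinned version. Excluding `io.opentelemetry.proto:opentelemetry-proto` altogether is only viable if you supply your own generated bindings, which is exactly what the opentelemetry-proto-java maintainers' note quoted above recommends.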

@jonatan-ivanov jonatan-ivanov added duplicate A duplicate of another issue and removed waiting-for-triage labels Nov 13, 2024
@jonatan-ivanov (Member)

Duplicate of #5658

@jonatan-ivanov jonatan-ivanov marked this as a duplicate of #5658 Nov 13, 2024
@jonatan-ivanov jonatan-ivanov closed this as not planned (duplicate) Nov 13, 2024
@jonatan-ivanov (Member)

jonatan-ivanov commented Nov 13, 2024

Thank you for the issue!
Let's continue the discussion on #5658. We also need to discuss our options internally.

Regarding the quote above, I think it is worth mentioning that it seems the readme was clarified yesterday (7f3d19c) and a note about this was added earlier this year (e2efe5f). Before that, the readme only contained how to use the published artifact publicly available in Maven Central. We added OTLP support back in 2022, when there was no sign that this artifact should not be used. As of today, Maven Central does not have any note that users should not use these artifacts, nor does the javadoc of the published sources. The artifact name does not indicate that it is not intended for eventual production use either and/or that it should only be used by OTel test suites.

@patpatpat123 (Author)

I didn't realize someone had opened #5658.
I had my tab open before the weekend.

Thanks
