MINOR: [Java] Bump io.grpc:grpc-bom from 1.65.0 to 1.65.1 in /java

[dependabot]

Bumps io.grpc:grpc-bom from 1.63.0 to 1.65.1.

Release notes

Sourced from io.grpc:grpc-bom's releases.

v1.65.1

What's Changed

• netty: Restore old behavior of NettyAdaptiveCumulator, but avoid using that class if Netty is on version 4.1.111 or later

v1.65.0

grpc-netty in this release is compatible with Netty 4.1.111; it fixes the incompatibility that caused data corruption. grpc-netty-shaded is still using Netty 4.1.100.

New Features

• New module grpc-gcp-csm-observability (df8cfe9dd)

Improvements

• api: Add ClientStreamTracer.inboundHeaders(Metadata) (960012d76). This is the same as the existing inboundHeaders(), but is provided the Metadata
• api: Fix various typos in the documentation (#11144) (6ec744f2a)
• core: When queuing RPCs, don’t request picks from the LB twice (8844cf7b8). This could be viewed as a small performance optimization, but mainly reduces the amount of race-handling code
• util: Improve AdvancedTlsX509KeyManager’s documentation, verification, and testing. (#11139) (781b4c457) This change shows @ExperimentalApi being removed, but it was re-added in 3c97245 before the release
• examples: Fix broken command in reflection readme (#11131) (c31dbf48a)
• binder: Add a connection timeout (#11255) (791f894e2)

Bug fixes

• core: Exit idle mode when delayed transport is in use (fea577c80). This was a long-standing race that could cause RPCs to hang, but was very unlikely to be hit. Avoiding the double-picking (8844cf7b8) made the race more visible
• netty: Fix Netty composite buffer merging to be compatible with Netty 4.1.111 (#11294) (0fea7dd). The previous behavior easily caused data corruption
• okhttp: Workaround SSLSocket not noticing socket is closed (a28357e19). Previously, shutting down when a new connection was being established could result in the server never becoming terminated
• inprocess: Fix listener race if transport is shutdown while starting (e4e7f3a06). This issue was unlikely to be hit outside of specialized tests
• services: restore //services:binarylog bazel target (#11292) (d57f271). This fixes a regression introduced in 1.62.2
• binder: Wait for all server transports to terminate before returning the security policy executor to the object pool (#11240) (34ee600dc)
• binder: Reject further SETUP_TRANSPORT requests post-BinderServer shutdown (#11260) (1670e97f7)
• bazel: Include missing com_google_protobuf_javalite in MODULE.bazel (#11147) (f995c121e)

Thanks to

@​hakusai22 @​firov @​mateusazis @​Mir3605 @​niloc132

v1.64.2

What's Changed

• netty: Restore old behavior of NettyAdaptiveCumulator, but avoid using that class if Netty is on version 4.1.111 or later

v1.64.1

What's Changed

• netty:Fix Netty composite buffer merging to be compatible with Netty 4.1.111 (1.64.x backport) by @​larry-safran in grpc/grpc-java#11303

v1.64.0

Avoid upgrading your application to Netty 4.1.111, as there is a possible corruption. Still investigating. See grpc/grpc-java#11284 .

API Changes

• compiler: the option jakarta_omit was renamed @generated=omit (#11086) (8a21afcc9)

New Features

... (truncated)

Commits

• a2adefa Bump version to 1.65.1
• f1a0af2 Update README etc to reference 1.65.1
• 97aa34f Restore old behavior of NettyAdaptiveCumulator, but avoid using that class if...
• c2a3ed3 compiler: Upgrade from CentOS 7 to AlmaLinux 8 (#11370)
• b2665c0 Bump version to 1.65.1-SNAPSHOT
• 6296726 Bump version to 1.65.0
• 4d25c34 Update README etc to reference 1.65.0
• fb761a1 services: restore //services:binarylog bazel target (#11292)
• 3c97245 util: Add ExperimentalApi to AdvancedTlsX509KeyManager
• c11b560 Remove unused imports from CSM Observability example (#11307) (#11310)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vibhatha]

@github-actions crossbow submit -g java

[github-actions]

Revision: ee4f809

Submitted crossbow builds: ursacomputing/crossbow @ actions-dda7f3e8cc

Task	Status
java-jars
test-conda-python-3.11-spark-master
verify-rc-source-java-linux-almalinux-8-amd64
verify-rc-source-java-linux-conda-latest-amd64
verify-rc-source-java-linux-ubuntu-20.04-amd64
verify-rc-source-java-linux-ubuntu-22.04-amd64
verify-rc-source-java-macos-amd64

[danepitkin]

1.65.0 -> 1.65.1 is a noop when using netty v4.1.111.Final+ (Arrow is using v4.1.112)

[danepitkin]

Looks like CI is broken though..

[danepitkin]

@dependabot rebase

[vibhatha]

@danepitkin there is a protobuf related issue in https://github.com/apache/arrow/actions/runs/10100575453/job/27932234113?pr=43264#step:7:4064

[lidavidm]

Error:  PROTOC FAILED: /build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe: /lib64/libstdc++.so.6: version `CXXABI_1.3.8' not found (required by /build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe)
/build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by /build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe)
/build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by /build/java/flight/flight-core/target/protoc-plugins/protoc-gen-grpc-java-1.65.1-linux-x86_64.exe)
--grpc-java_out: protoc-gen-grpc-java: Plugin failed with status code 1.

Looks like they started building against a newer libc++. Might be worth poking upstream...

[danepitkin]

Yep, you're right. I didn't expect them to throw that into a minor release: grpc/grpc-java@c2a3ed3

[danepitkin]

Removing approval

[laurentgo]

Could it be a new build requirement? We already switched to Java 11, could we possibly require a newer Linux version to build Arrow Java (but it would not change the runtime requirement as it generates java classes?)

[lidavidm]

I think we're doing our best to maintain CentOS 7 compatibility for now (despite the deprecation). That said yes, requiring a newer version for builds might be an option. CC @assignUser for opinions/options perhaps?

[assignUser]

Hm I am not sure if just building on 8+ will work as it links dynamically against a newer libstdc++ than is available in centos 7, so it would probably not work. Maybe we can build under devtoolset?

[assignUser]

nvm we are already using devtool set so grpc would need to be built with it I guess...

[ianmcook]

As discussed at #41395 (comment), we would like to maintain support for CentOS 7 for a while longer if possible.

If this upgrade from 1.65.0 to 1.65.1 does not patch any CVEs or fix any known problems (and if it is not needed to enable us to upgrade other dependencies that patch CVEs or fix known problems) then we could stay at 1.65.0 for the time being?

I recognize that as these deferred version bumps start to accumulate, eventually we will have to just go ahead and drop CentOS 7 support. I trust your judgement on when it's time to throw in the towel and just do it.

[laurentgo]

As discussed at #41395 (comment), we would like to maintain support for CentOS 7 for a while longer if possible.

If this upgrade from 1.65.0 to 1.65.1 does not patch any CVEs or fix any known problems (and if it is not needed to enable us to upgrade other dependencies that patch CVEs or fix known problems) then we could stay at 1.65.0 for the time being?

I recognize that as these deferred version bumps start to accumulate, eventually we will have to just go ahead and drop CentOS 7 support. I trust your judgement on when it's time to throw in the towel and just do it.

I don't see mention of a CVE but I see a possible fix to address compatibility issue with Netty 4.1.111. Technically since it only impacts the java code base, it does not directly impact Centos7 compatibility. But because we are building C++ and Java code at the same time, I recognize that changing base OS used to build Arrow Java would impact CentOS compatibility for Arrow C++.

Another question I have is how it will impact the way we link with libstdc++? grpc-java moved from static linking to dynamic because static linking is not supporting in RHEL/Centos8 or higher, does it mean the same for gandiva as well (which would for example require users to have c++ runtime installed on their machine)?

[dependabot]

Superseded by #43657.