Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

postgresql: plugin pg_embedding is no longer maintained #351306

Merged
merged 1 commit into from
Oct 31, 2024
Merged

postgresql: plugin pg_embedding is no longer maintained #351306

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pkgs/servers/sql/postgresql/ext/pg_embedding.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,6 @@ stdenv.mkDerivation rec {
maintainers = with maintainers; [ ivan ];
platforms = postgresql.meta.platforms;
license = licenses.asl20;
knownVulnerabilities = [ "As of Sept 29, 2023, the authors have abandoned the project and strongly encourage using pgvector, which is faster, has more functionality, and is actively maintained: check out the author's instructions to migrate at https://neon.tech/docs/extensions/pg_embedding#migrate-from-pg_embedding-to-pgvector" ];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Ma27 WDYT, is this the proper way to deal with that case?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eh, that's one of the cases where the RFC127 problems infrastructure would be super-useful.
I do recall discussions where this approach was rejected since knownVulernabilities is supposed to be used for - well - vulnerabilities.

What prevents us from removing the package entirely though? If it's dead and there's a documented migration path. If people need more time for updating, they can still pull in the extension from an older nixpkgs and override it to build against a newer postgresql.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eh, that's one of the cases where the RFC127 problems infrastructure would be super-useful.

Agreed.

What prevents us from removing the package entirely though? If it's dead and there's a documented migration path. If people need more time for updating, they can still pull in the extension from an older nixpkgs and override it to build against a newer postgresql.

Right. What about this in .../ext/default.nix instead, then?

pg_embedding = throw "As of Sept 29, 2023, the authors have abandoned the project and strongly encourage using pgvector, which is faster, has more functionality, and is actively maintained: check out the author's instructions to migrate at https://neon.tech/docs/extensions/pg_embedding#migrate-from-pg_embedding-to-pgvector";

Or would you just remove it without that?

In any case, we'd have to wait until 24.11 is branched off.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or would you just remove it without that?

I think those throws are fine. It's just a general trend that these should only exist when config.allowAliases is true to make it easier to evaluate whole attribute-sets (I think).

In any case, we'd have to wait until 24.11 is branched off.

Uhh yeah, right. I really should add those dates to my calendar 🤡

OTOH the rule was originally introduced to avoid disruptive changes while trying to stabilize master. cc @RossComputerGuy @wegank as RMs, what's your stance on removing leaf-packages that are dead in this phase? The release wiki doesn't go into much detail of what we mean with breaking changes and there's even a Pre-release cleanup section in https://nixos.github.io/release-wiki/Feature-Freeze-Announcement.html.

So, my suggestion is:

  • if we get an ACK from the RMs, we kill the package now.
  • if we get a NACK, we'll kill it right after branch-off. Even though knownVulnerabilities is supposed to be used for actual vulnerabilities only, I'm inclined to mark it as insecure (or broken) regardless.

WDYT @wolfgangwalther @longregen ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think kill after branch off is best. We at least get people to be aware of the alternative listed in the known vulnerabilities list in 24.11. The following release would remove it with a throw in the aliases to recommend the alternative package.

};
}