You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: SECURITY.md
+17-6
Original file line number
Diff line number
Diff line change
@@ -325,6 +325,21 @@ If you aren't using gRPC on Android devices, you are most likely using `grpc-net
325
325
326
326
If you are developing for Android and have a dependency on `grpc-netty`, you should remove it as `grpc-netty` is unsupported on Android. Use `grpc-okhttp` instead.
327
327
328
+
If you are using `musl` libc (e.g., with Alpine Linux), then
329
+
`netty-tcnative-boringssl-static` won't work. There are several alternatives:
330
+
- Use [netty-tcnative-alpine] (https://github.com/pires/netty-tcnative-alpine)
331
+
- Use a distribution with `glibc`
332
+
333
+
If you are running inside of an embedded Tomcat runtime (e.g., Spring Boot),
334
+
then some versions of `netty-tcnative-boringssl-static` will have conflicts and
335
+
won't work. You must use gRPC 1.4.0 or later.
336
+
337
+
Most dependency versioning problems can be solved by using
338
+
`io.grpc:grpc-netty-shaded` instead of `io.grpc:grpc-netty`, although this also
339
+
limits your usage of the Netty-specific APIs. `io.grpc:grpc-netty-shaded`
340
+
includes the proper version of Netty and `netty-tcnative-boringssl-static` in a
341
+
way that won't conflict with other Netty usages.
342
+
328
343
Find the dependency tree (e.g., `mvn dependency:tree`), and look for versions of:
329
344
-`io.grpc:grpc-netty`
330
345
-`io.netty:netty-handler` (really, make sure all of io.netty except for
@@ -337,12 +352,6 @@ If you have both `netty-handler` and `netty-tcnative-boringssl-static` dependenc
337
352
338
353
If you have other `netty` dependencies, such as `netty-all`, that are pulled in from other libraries, then ultimately you should make sure only one `netty` dependency is used to avoid classpath conflict. The easiest way is to exclude transitive Netty dependencies from all the immediate dependencies, e.g., in Maven use `<exclusions>`, and then add an explict Netty dependency in your project along with the corresponding `tcnative` versions. See the versions table below.
339
354
340
-
If you are using `musl` libc (e.g., with Alpine Linux), then `netty-tcnative-boringssl-static` won't work. There are several alternatives:
341
-
- Use [netty-tcnative-alpine] (https://github.com/pires/netty-tcnative-alpine)
342
-
- Use a distribution with `glibc`
343
-
344
-
If you are running inside of an embedded Tomcat runtime (e.g., Spring Boot), then some versions of `netty-tcnative-boringssl-static` will have conflicts and won't work. You must use gRPC 1.4.0 or later.
345
-
346
355
Below are known to work version combinations:
347
356
348
357
grpc-netty version | netty-handler version | netty-tcnative-boringssl-static version
@@ -356,6 +365,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
356
365
1.7.x-1.8.x | 4.1.16.Final | 2.0.6.Final
357
366
1.9.x- | 4.1.17.Final | 2.0.7.Final
358
367
368
+
_(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
369
+
359
370
### OkHttp
360
371
If you are using gRPC on Android devices, you are most likely using `grpc-okhttp` transport.
0 commit comments