removing deprecated packages
Closed this issue · 9 comments
just a thought: when we remove a package (as we did yesterday with #1025), do we then manually go in and uninstall the package from the environment(s) on ovartaci? @bokajgd @frillecode @KennethEnevoldsen @erikperfalk
Is there a strong need to?
i guess there is no safety issue if we don't use code from the package? i was just afraid there might be an issue, even if we don't use the package, just because the source code is still saved somewhere on ovartaci?
Hmm I don't think it is a problem since the code is not called (it is just a txt file then). A solution would be to rebuild the environment every time we change requirements.
the internet says that there are ways that a package might be subject to vulnerabilities, even if it is never imported (though they seem to be unlikely to happen). i guess the most conservative thing to do would be to clean up all of our environments on ovartaci, and rebuild environments every time requirements are changed?
Right, I could see cases where that could happen. E.g. when another part of the system tries to call it. Then the code would have to (when it was installed) inject/overwrite some sort of dependency.
Of course, when we install it it has passed security clearance (so there would have been something that was missed).
I see two solutions:
- check previous dependencies (seems annoying)
- recreate the environment once in a while - Normally that happens naturally, but not sure it does in our context
- yeah, seems like a lot of work to check previous dependencies. but maybe a good idea to clear out old envs (i suspect some of them are old enough that they were made under different security clearance procedures) and rebuild our main one.
- hmm, not sure how often that happens either. guess that is also something that would be easily fixed by kubeflow.
delete old environments - but kubeflow should allow us to fix the other one
This issue is stale because it has been open 1+ days with no activity. Feel free to either 1) Remove the stale label, 2) Comment or 3) Add the 'evergreen' label to make it immune. If nothing happens, this will be closed in 7 days.
@sarakolding will close this issue - feel free to re-open
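
An added example, not part of the thread or the project's code: a drift check that lists installed packages no longer reachable from the current requirements file, and flags any that ship `.pth` files, which Python's `site` module processes at interpreter startup even when the package is never imported. It assumes a Python environment with a pip-style requirements file; the function names are hypothetical.

```python
import re
from importlib import metadata

def canon(name):
    """Normalise a project name (PEP 503) so 'Foo_Bar' equals 'foo-bar'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(line):
    """Project name from a requirement line; None for blanks, comments, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return canon(m.group(0)) if m else None

def installed_graph():
    """Map each installed distribution to (dependency names, shipped .pth files)."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        # Extras-only dependencies are included too, which errs towards keeping.
        deps = {req_name(r) for r in (dist.requires or [])} - {None}
        pth = [str(f) for f in (dist.files or []) if str(f).endswith(".pth")]
        graph[canon(name)] = (deps, pth)
    return graph

def orphans(requirement_lines, graph, ignore=("pip", "setuptools", "wheel")):
    """Installed packages not reachable from the requirements, with their .pth files."""
    keep, todo = set(ignore), [n for n in map(req_name, requirement_lines) if n]
    while todo:
        name = todo.pop()
        if name in graph and name not in keep:
            keep.add(name)
            todo.extend(graph[name][0])
    return {n: graph[n][1] for n in sorted(graph) if n not in keep}

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:   # path to the current requirements file
        for name, pth in orphans(fh, installed_graph()).items():
            print(name, "(ships .pth: %s)" % ", ".join(pth) if pth else "")
```

An empty result means the environment matches the requirements; anything listed is a candidate for uninstalling or a reason to rebuild the environment.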