@mgabelle mgabelle commented Feb 5, 2025

What changes were proposed in this pull request?

PR to address issues related in #20
Changes consist of upgrading to the most recent version of protobuf and protoc.

Why are the changes needed?

The changes are needed because there are possible conflicts with recent protobuf versions from other libraries.
Also the current protobuf version is way out behind the current one and has some vulnerabilities.

How was this patch tested?

No tests, just a build, I don't really know how to correctly test this one.

@github-actions github-actions bot added the BUILD label Feb 5, 2025
Member

wgtmac commented Feb 5, 2025

Is there any risk? This seems to be a huge version bump. @dongjoon-hyun

<maven.compiler.useIncrementalCompilation>false</maven.compiler.useIncrementalCompilation>
<maven.version>3.9.6</maven.version>
<protoc.version>3.17.3</protoc.version>
<protoc.version>4.28.2</protoc.version>
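Review bot: the new protoc.version line crosses a major version (3.17.3 to 4.28.2), and the lines shown change only the compiler property. The protobuf-java runtime dependency should move to the matching release in the same change, so that the generated classes and the runtime they link against never come from different major lines.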
Member

May I ask why you propose this old version instead of the latest, @mgabelle ?

@dongjoon-hyun
Member

Is there any risk? This seems to be a huge version bump. @dongjoon-hyun

Yes, there is a breaking change, @wgtmac. For example, v26 introduced a breaking change to the Java API last year. And this is a higher version than that.

v26.x will break compatibility with generated code from older major versions. Users should regenerate old generated code to be from the same version.
For example, GeneratedMessageV3, which was originally introduced for backwards compatibility with generated code from v2.x.x against v3.x.x runtime, will be renamed to GeneratedMessage. Runtimes will be updated to support Editions, which will not be compatible with old generated code.


ekpdt commented Mar 11, 2025

The solution is to upgrade both protoc and the protobuf runtime to 3.25.6, which is compatible with v26.x without being (as) breaking

diff --git a/pom.xml b/pom.xml
index a0118ac..2b18169 100644
--- a/pom.xml
+++ b/pom.xml
@@ -61,7 +61,7 @@
         <maven.compiler.release>17</maven.compiler.release>
         <maven.compiler.useIncrementalCompilation>false</maven.compiler.useIncrementalCompilation>
         <maven.version>3.9.6</maven.version>
-        <protoc.version>3.17.3</protoc.version>
+        <protoc.version>3.25.6</protoc.version>
         <test.tmp.dir>${project.build.directory}/testing-tmp</test.tmp.dir>
     </properties>
 
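Review bot: on the protoc.version line the compiler moves from 3.17.3 to 3.25.6, so the classes shipped in this artifact will be regenerated by a much newer protoc, and nothing in the hunk records what that means for consumers. Add a comment beside the property, or a release note, saying that the generated code now expects a protobuf-java runtime of 3.25.6 or later, since protobuf does not support running generated code against a runtime older than the protoc that produced it.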
@@ -69,7 +69,7 @@
         <dependency>
             <groupId>com.google.protobuf</groupId>
             <artifactId>protobuf-java</artifactId>
-            <version>3.25.1</version>
+            <version>3.25.6</version>
         </dependency>
     </dependencies>
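Review bot: the protobuf-java version in this hunk is a second hard-coded copy of the number set in protoc.version, which is how the two were able to drift apart before (compiler 3.17.3 against runtime 3.25.1). Consider <version>${protoc.version}</version> here, or a single shared property referenced by both, so that a later security bump cannot update one and miss the other.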

@dongjoon-hyun
Member

Since there exists an open PR for 3.25.5, I merged that to address CVE-2024-7254.

@dongjoon-hyun dongjoon-hyun changed the title ORC-20 - Upgrade protoc and protobuf version ORC-FORMAT-20 - Upgrade protoc and protobuf version Apr 25, 2025
@mgabelle mgabelle closed this by deleting the head repository May 6, 2025