Hey folks I am postponing the release for first RC by one day to 11th July so that we can merge in minor dependency upgrades - https://issues.apache.org/jira/browse/KAFKA-15159
-- Divij Vaidya On Mon, Jul 3, 2023 at 2:38 PM Divij Vaidya <divijvaidy...@gmail.com> wrote: > Satish - Thank you for catching that. It is now fixed. > > David - Please refer to the security@kafka mailing thread with "Reg CVE > 2023-34455" where it was proposed to have an early release for 3.5.1. The > rationale of releasing 3.5.1 early is to have a version of Kafka released > which does not have any known CVE, specifically > https://issues.apache.org/jira/browse/KAFKA-15096. Separately, I am going > to start a PR today to update the CVE list with more information on this > CVE and the potential workaround. > > -- > Divij Vaidya > > > > On Mon, Jul 3, 2023 at 2:00 PM David Jacot <dja...@confluent.io.invalid> > wrote: > >> Hi Divij, >> >> Thanks for the release plan. >> >> I wonder if we should wait a little more as 3.5.0 was released on June >> 15th. Releasing 3.5.1 a month after seems not enough in order to have time >> to catch bugs in 3.5.0. I think that we usually release the first minor >> release ~3 months after the major one. Is there a reason to release it in >> July? >> >> As a side note, we don't have a formal code freeze for minor releases. >> >> Best, >> David >> >> On Mon, Jul 3, 2023 at 1:51 PM Divij Vaidya <divijvaidy...@gmail.com> >> wrote: >> >> > Hi folks >> > >> > Here's the release plan for >> > https://cwiki.apache.org/confluence/display/KAFKA/Release+plan+3.5.1 >> > >> > 3.5.1 will be a bug fix release which also addresses some of the CVEs >> such >> > as CVE-2023-34455 [1] in snappy-java. If all goes smoothly, I am >> estimating >> > a release date in the 3rd or 4th week of July. I will continue to post >> > important updates on the mailing list and you can also follow the >> progress >> > on the release plan wiki above. >> > >> > *Call for action* 📢 >> > >> > If you think that a commit from the trunk should be backported to 3.5.1, >> > please let me know. Note that we usually backport only the critical bug >> > fixes which don't have a production work around and security fixes. Note >> > that code freeze is on 9th July and no new commits will be added to the >> 3.5 >> > .1 release after that. >> > >> > *Important dates *📅 >> > >> > 9th July - Code freeze for 3.5.1 >> > 10th July - First release candidate is published for voting >> > 18th July - Expected completion of release >> > >> > -- >> > Divij Vaidya >> > Release Manager for Apache Kafka 3.5.1 >> > >> > [1] https://nvd.nist.gov/vuln/detail/CVE-2023-34455 >> > >> >
