All of the below-mentioned issues have been resolved in branch-1.5.0 in preparation for a possible 1.5.0-rc2. Assuming we move forward with rc2, we should build with go 1.21.8 to ensure the latest fixes in the go standard library are included as well.
Craig > On Mar 5, 2024, at 3:12 PM, Craig Condit <ccon...@apache.org> wrote: > > -1 (binding). > > All, > > We have a few issues in rc1 that I believe we should address before shipping > 1.5.0: > > CVEs: > > - CVE-2024-24783 (requires rebuild with go 1.21.8) > - CVE-2023-45290 (requires rebuild with go 1.21.8) > - CVE-2023-45289 (requires rebuild with go 1.21.8) > - CVE-2024-24786 (requires updates to google.golang.org/protobuf > <http://google.golang.org/protobuf> and possibly github.com/golang/protobuf > <http://github.com/golang/protobuf>) > > Broken functionality: > > - Reproducible builds (unknown why this has failed, but we will need to > remove the content from the README.md that claims reproducible status) > > Critical bugs (both memory leaks): > > - https://issues.apache.org/jira/browse/YUNIKORN-2465 - Remove Task objects > from the shim upon pod completion (fix merged to master and to branch-1.5) > - https://issues.apache.org/jira/browse/YUNIKORN-2467 - Remove AllocationAsk > from the core when a pod is completed (PR available; needs review to > determine if this is a 1.5 blocker). > > I think we should address each of these and cut an rc2. Thought? > > Craig Condit > >> On Mar 2, 2024, at 10:38 AM, TingYao <ting...@apache.org> wrote: >> >> Hello everyone, >> >> I would like to call a vote for releasing Apache YuniKorn 1.5.0 RC1. >> >> The release artefacts have been uploaded here: >> https://dist.apache.org/repos/dist/dev/yunikorn/1.5.0-RC1 >> >> My public key is located in the KEYS file: >> https://downloads.apache.org//yunikorn/KEYS >> >> JIRA issues that have been resolved in this release: >> https://issues.apache.org/jira/issues/?filter=12352958 >> >> Git tags for each component are as follows: >> yunikorn-scheduler-interface: v1.5.0-1 >> yunikorn-core: v1.5.0-2 >> yunikorn-k8shim: v1.5.0-2 >> yunikorn-web: v1.5.0-1 >> yunikorn-release: v1.5.0-2 >> >> Once the release is voted on and approved, all repos will be tagged >> 1.5.0 for consistency. >> >> Please review and vote. The vote will be open for at least 72 hours >> and closes on Wednesday 5 March 2024, 17:00:00 UTC >> >> [ ] +1 Approve >> [ ] +0 No opinion >> [ ] -1 Disapprove (and the reason why) >> >> Thank you, >> Tingyao > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org For additional commands, e-mail: dev-h...@yunikorn.apache.org