All of the below-mentioned issues have been resolved in branch-1.5.0 in 
preparation for a possible 1.5.0-rc2. Assuming we move forward with rc2, we 
should build with go 1.21.8 to ensure the latest fixes in the go standard 
library are included as well.

Craig


> On Mar 5, 2024, at 3:12 PM, Craig Condit <ccon...@apache.org> wrote:
> 
> -1 (binding).
> 
> All,
> 
> We have a few issues in rc1 that I believe we should address before shipping 
> 1.5.0:
> 
> CVEs:
> 
> - CVE-2024-24783 (requires rebuild with go 1.21.8)
> - CVE-2023-45290 (requires rebuild with go 1.21.8)
> - CVE-2023-45289 (requires rebuild with go 1.21.8)
> - CVE-2024-24786 (requires updates to google.golang.org/protobuf 
> <http://google.golang.org/protobuf> and possibly github.com/golang/protobuf 
> <http://github.com/golang/protobuf>)
> 
> Broken functionality:
> 
> - Reproducible builds (unknown why this has failed, but we will need to 
> remove the content from the README.md that claims reproducible status)
> 
> Critical bugs (both memory leaks):
> 
> - https://issues.apache.org/jira/browse/YUNIKORN-2465 - Remove Task objects 
> from the shim upon pod completion (fix merged to master and to branch-1.5)
> - https://issues.apache.org/jira/browse/YUNIKORN-2467 - Remove AllocationAsk 
> from the core when a pod is completed (PR available; needs review to 
> determine if this is a 1.5 blocker).
> 
> I think we should address each of these and cut an rc2. Thought?
> 
> Craig Condit
> 
>> On Mar 2, 2024, at 10:38 AM, TingYao <ting...@apache.org> wrote:
>> 
>> Hello everyone,
>> 
>> I would like to call a vote for releasing Apache YuniKorn 1.5.0 RC1.
>> 
>> The release artefacts have been uploaded here:
>> https://dist.apache.org/repos/dist/dev/yunikorn/1.5.0-RC1
>> 
>> My public key is located in the KEYS file:
>> https://downloads.apache.org//yunikorn/KEYS
>> 
>> JIRA issues that have been resolved in this release:
>> https://issues.apache.org/jira/issues/?filter=12352958
>> 
>> Git tags for each component are as follows:
>> yunikorn-scheduler-interface: v1.5.0-1
>> yunikorn-core: v1.5.0-2
>> yunikorn-k8shim: v1.5.0-2
>> yunikorn-web: v1.5.0-1
>> yunikorn-release: v1.5.0-2
>> 
>> Once the release is voted on and approved, all repos will be tagged
>> 1.5.0 for consistency.
>> 
>> Please review and vote. The vote will be open for at least 72 hours
>> and closes on Wednesday 5 March 2024, 17:00:00 UTC
>> 
>> [ ] +1 Approve
>> [ ] +0 No opinion
>> [ ] -1 Disapprove (and the reason why)
>> 
>> Thank you,
>> Tingyao
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: dev-h...@yunikorn.apache.org

Reply via email to