Yes, I think we need to spin a new RC: -1 for RC1

Go 1.21.8 delivers a total of 5 CVE fixes, with another CVE in the
protobuf code.
We should fix the two memory leaks discovered. Both are simple and
non-invasive fixes.

We should remove the reproducible build details from the README until
we figure out what is happening.

Wilfred

On Wed, 6 Mar 2024 at 10:15, Craig Condit <ccon...@apache.org> wrote:
>
> All of the below-mentioned issues have been resolved in branch-1.5.0 in 
> preparation for a possible 1.5.0-rc2. Assuming we move forward with rc2, we 
> should build with go 1.21.8 to ensure the latest fixes in the go standard 
> library are included as well.
>
> Craig
>
>
> > On Mar 5, 2024, at 3:12 PM, Craig Condit <ccon...@apache.org> wrote:
> >
> > -1 (binding).
> >
> > All,
> >
> > We have a few issues in rc1 that I believe we should address before 
> > shipping 1.5.0:
> >
> > CVEs:
> >
> > - CVE-2024-24783 (requires rebuild with go 1.21.8)
> > - CVE-2023-45290 (requires rebuild with go 1.21.8)
> > - CVE-2023-45289 (requires rebuild with go 1.21.8)
> > - CVE-2024-24786 (requires updates to google.golang.org/protobuf and
> > possibly github.com/golang/protobuf)
> >
> > Broken functionality:
> >
> > - Reproducible builds (unknown why this has failed, but we will need to 
> > remove the content from the README.md that claims reproducible status)
> >
> > Critical bugs (both memory leaks):
> >
> > - https://issues.apache.org/jira/browse/YUNIKORN-2465 - Remove Task objects 
> > from the shim upon pod completion (fix merged to master and to branch-1.5)
> > - https://issues.apache.org/jira/browse/YUNIKORN-2467 - Remove 
> > AllocationAsk from the core when a pod is completed (PR available; needs 
> > review to determine if this is a 1.5 blocker).
> >
> > I think we should address each of these and cut an rc2. Thoughts?
> >
> > Craig Condit
> >
> >> On Mar 2, 2024, at 10:38 AM, TingYao <ting...@apache.org> wrote:
> >>
> >> Hello everyone,
> >>
> >> I would like to call a vote for releasing Apache YuniKorn 1.5.0 RC1.
> >>
> >> The release artefacts have been uploaded here:
> >> https://dist.apache.org/repos/dist/dev/yunikorn/1.5.0-RC1
> >>
> >> My public key is located in the KEYS file:
> >> https://downloads.apache.org//yunikorn/KEYS
> >>
> >> JIRA issues that have been resolved in this release:
> >> https://issues.apache.org/jira/issues/?filter=12352958
> >>
> >> Git tags for each component are as follows:
> >> yunikorn-scheduler-interface: v1.5.0-1
> >> yunikorn-core: v1.5.0-2
> >> yunikorn-k8shim: v1.5.0-2
> >> yunikorn-web: v1.5.0-1
> >> yunikorn-release: v1.5.0-2
> >>
> >> Once the release is voted on and approved, all repos will be tagged
> >> 1.5.0 for consistency.
> >>
> >> Please review and vote. The vote will be open for at least 72 hours
> >> and closes on Wednesday 5 March 2024, 17:00:00 UTC
> >>
> >> [ ] +1 Approve
> >> [ ] +0 No opinion
> >> [ ] -1 Disapprove (and the reason why)
> >>
> >> Thank you,
> >> Tingyao
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org
> For additional commands, e-mail: dev-h...@yunikorn.apache.org
>
