>>> > publish unreleased materials outside the development
>>> > community.
>>>
>>> We can't mark 8.0.1 as official unless we "release" 8.0.1.
>>>
>>> (I understand that Go doesn't need released materials. Go
>>
for 6.0.2, 7.0.1 and
8.0.1 because we don't have binary artifacts relate to Go
* We'll start votes for releasing 6.0.2, 7.0.1 and 8.0.1
Thanks,
--
kou
In
"Re: [Go][Release][Discussion] Patch release for Go libraries to address
CVE-2022-28948" on Mon, 13 Jun 2022 19:24
Just following up on this, the PR has been merged for v9, but I still need
the patch backported to v6, v7 and v8.
If there's anything I can do to help get that over the finish line, let me
know. Thanks again!
On Thu, Jun 9, 2022 at 2:06 PM Dominic Barnes wrote:
> Howdy!
>
> I'm a first-time con
he ASF's release
> policy isn't suitable for recent languages such as Go and
> Julia. Micah started a discussion it in another place. The
> ASF's release policy may be updated in future.)
>
>
> But we don't need to release binary artifacts because we
> don
d to release binary artifacts because we
don't have any binary artifacts for Go. We can just release
a source archive for patch releases of this.
Again, I'm also not an expert. I hope that others comment on
this too.
Thanks,
--
kou
In
"Re: [Go][Release][Discussion] Patch release
Personally, I don't have a problem with doing `git tag` just for Go. I
don't think this needs a full patch release process since we aren't
producing new artifacts that need signing, we're only adding a tag that
points to a SHA in git. But I am not an expert in this area of policy and
will defer to
I've merged the PR to master and want to propose cherry-picking it to
create patch releases. Technically, for Go, all we need to do is create the
appropriate tags named like "go/v6.0.2", and so on. Since this
vulnerability only affects Go we don't necessarily need to release patches
for the other l
Howdy!
I'm a first-time contributor, and I just opened a PR to update a dev/test
dependency (github.com/stretchr/testify) to address a security
vulnerability being reported downstream:
https://github.com/apache/arrow/pull/13322 (more context included here)
The PR was originally opened against th