Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-07-14 Thread Sutou Kouhei
>>> > publish unreleased materials outside the development >>> > community. >>> >>> We can't mark 8.0.1 as official unless we "release" 8.0.1. >>> >>> (I understand that Go doesn't need released materials. Go >>

Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-07-07 Thread Sutou Kouhei
for 6.0.2, 7.0.1 and 8.0.1 because we don't have binary artifacts related to Go * We'll start votes for releasing 6.0.2, 7.0.1 and 8.0.1 Thanks, -- kou In "Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948" on Mon, 13 Jun 2022 19:24

Re: Patch release for Go libraries to address CVE-2022-28948

2022-06-22 Thread Dominic Barnes
Just following up on this, the PR has been merged for v9, but I still need the patch backported to v6, v7 and v8. If there's anything I can do to help get that over the finish line, let me know. Thanks again! On Thu, Jun 9, 2022 at 2:06 PM Dominic Barnes wrote: > Howdy! > > I'm a first-time con

Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-06-13 Thread Matt Topol
he ASF's release > policy isn't suitable for recent languages such as Go and > Julia. Micah started a discussion about it in another place. The > ASF's release policy may be updated in future.) > > > But we don't need to release binary artifacts because we > don

Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-06-12 Thread Sutou Kouhei
d to release binary artifacts because we don't have any binary artifacts for Go. We can just release a source archive for patch releases of this. Again, I'm also not an expert. I hope that others comment on this too. Thanks, -- kou In "Re: [Go][Release][Discussion] Patch release

Re: [Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-06-10 Thread Neal Richardson
Personally, I don't have a problem with doing `git tag` just for Go. I don't think this needs a full patch release process since we aren't producing new artifacts that need signing, we're only adding a tag that points to a SHA in git. But I am not an expert in this area of policy and will defer to

[Go][Release][Discussion] Patch release for Go libraries to address CVE-2022-28948

2022-06-10 Thread Matt Topol
I've merged the PR to master and want to propose cherry-picking it to create patch releases. Technically, for Go, all we need to do is create the appropriate tags named like "go/v6.0.2", and so on. Since this vulnerability only affects Go we don't necessarily need to release patches for the other l

Patch release for Go libraries to address CVE-2022-28948

2022-06-09 Thread Dominic Barnes
Howdy! I'm a first-time contributor, and I just opened a PR to update a dev/test dependency (github.com/stretchr/testify) to address a security vulnerability being reported downstream: https://github.com/apache/arrow/pull/13322 (more context included here) The PR was originally opened against th