Personally, I don't have a problem with doing `git tag` just for Go. I don't think this needs a full patch release process since we aren't producing new artifacts that need signing, we're only adding a tag that points to a SHA in git. But I am not an expert in this area of policy and will defer to others who know better.
Neal

On Fri, Jun 10, 2022 at 11:07 AM Matt Topol <zotthewiz...@gmail.com> wrote:

> I've merged the PR to master and want to propose cherry-picking it to create patch releases. Technically, for Go, all we need to do is create the appropriate tags named like "go/v6.0.2", and so on. Since this vulnerability only affects Go we don't necessarily need to release patches for the other language libraries other than for consistency.
>
> So I guess I'd like others to chime in on opinions as to whether we should just cherry-pick and create the tags just for patch releases for Go or do full patch releases of everything for consistency.
>
> --Matt
>
> On Thu, Jun 9, 2022 at 5:21 PM Dominic Barnes <dobar...@twilio.com.invalid> wrote:
>
> > Howdy!
> >
> > I'm a first-time contributor, and I just opened a PR to update a dev/test dependency (github.com/stretchr/testify) to address a security vulnerability being reported downstream:
> >
> > https://github.com/apache/arrow/pull/13322 (more context included here)
> >
> > The PR was originally opened against the release-v7.0.0 branch, but I was then pointed towards using master instead, with the intention of backporting the commit/change for v6.0.2, v7.0.1 and v8.0.1 releases.
> >
> > While not merged yet, it sounded like I should get the ball rolling now. Let me know how I can help get this across the finish line.
> >
> > --
> > Dominic Barnes
> >
> > he/him/his
> > Staff Software Engineer
> > EMAIL dobar...@twilio.com
> > TWITTER @mako281 <https://twitter.com/mako281>
> > GITHUB dominicbarnes <https://github.com/dominicbarnes>
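The flow Matt describes (cherry-pick the fix onto a release branch, then push a `go/vX.Y.Z` tag) is easy to rehearse before touching the real repository. The script below is an added example, not part of the thread or of Apache Arrow's release tooling: it builds a throwaway repo whose layout mimics a Go module living under `go/`, cherry-picks a constructed "dependency bump" commit from master onto a release branch, creates the annotated tag, and then checks what Neal cares about, that the tag resolves to the backported commit. The module path, branch names, version numbers and commit contents are all constructed for illustration; the one real mechanic is that Go resolves tags for a module in a subdirectory using the directory as a prefix, which is why the tag must be `go/v6.0.2` rather than `v6.0.2`.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): rehearse "cherry-pick fix onto release
# branch, tag go/vX.Y.Z" in a scratch repo and verify the tag's target.
set -eu

# Commit/tag identity so the script runs without any global git config.
export GIT_AUTHOR_NAME="release-rehearsal" GIT_AUTHOR_EMAIL="rehearsal@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/arrow"   # constructed scratch repo, not a clone of apache/arrow

# Build a tiny repo: master and a release branch share one commit, then a
# dependency bump lands on master only (standing in for the testify PR).
setup_repo() {
  git init -q "$REPO"
  cd "$REPO"
  git symbolic-ref HEAD refs/heads/master   # force the branch name used in the thread
  mkdir -p go
  # Module path ends in /v6, so Go only accepts v6.x.y tags for it, and because
  # the module lives under go/ those tags must be spelled go/v6.x.y.
  printf 'module github.com/apache/arrow/go/v6\n\nrequire github.com/stretchr/testify v1.7.0\n' > go/go.mod
  git add go/go.mod
  git commit -qm "go: initial module (constructed)"
  git branch release-v6.0.0
  printf 'module github.com/apache/arrow/go/v6\n\nrequire github.com/stretchr/testify v1.7.1\n' > go/go.mod
  git commit -qam "go: bump testify (constructed stand-in for the fix)"
}

# Cherry-pick one fix commit onto a release branch and put an annotated
# go/<version> tag on the resulting commit. -x records the source SHA in the
# backport's message, which is the audit trail reviewers look for.
#   $1 = fix SHA on master   $2 = release branch   $3 = version, e.g. v6.0.2
make_go_patch_tag() {
  git checkout -q "$2"
  git cherry-pick -x "$1" >/dev/null
  git tag -a "go/$3" -m "Go $3: backport of $1"
}

# Peel an (annotated) tag to the commit it points at.
tag_target_sha() { git rev-parse "$1^{commit}"; }

setup_repo
FIX_SHA="$(git rev-parse master)"
make_go_patch_tag "$FIX_SHA" release-v6.0.0 v6.0.2
TAGGED_SHA="$(tag_target_sha go/v6.0.2)"
echo "go/v6.0.2 -> $TAGGED_SHA (cherry-pick of master commit $FIX_SHA)"
```

The last check worth running in the real repository before pushing the tag is the same `git diff --quiet master <release-branch> -- go/go.mod`: it confirms the backport carries exactly the dependency change that was merged to master, and a non-zero exit means the cherry-pick drifted and the tag should not go out.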