As mentioned in another thread [1], there is a recently detected vulnerability in pyarrow [2].
It appears to be a concern for Beam users that we can mitigate in the upcoming release. We can reassess early next week in case there is a revised assessment for severity for this vulnerability. In the meantime I went ahead and created an issue to track remediation in Beam and marked it as a blocker for 2.52.0 [3], and sent a PR to consider for master [4] and the release branch [5].

Thanks,
Valentyn

[1] https://lists.apache.org/thread/cdo18g6g7q1804yp2q5pwf8t7s1td8lv
[2] https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
[3] https://github.com/apache/beam/issues/29392
[4] https://github.com/apache/beam/pull/29396
[5] https://github.com/apache/beam/pull/29402

On Fri, Nov 10, 2023 at 12:56 PM Chamikara Jayalath via dev <
dev@beam.apache.org> wrote:

> +1 (binding).
>
> Tested multi-lang Java/Python jobs.
>
> Thanks,
> Cham
>
> On Fri, Nov 10, 2023, 12:28 PM Svetak Sundhar via dev <dev@beam.apache.org>
> wrote:
>
>> +1 Non Binding -- tested Python SDK batch.
>>
>>
>> Svetak Sundhar
>>
>> Data Engineer
>> s <nellywil...@google.com>vetaksund...@google.com
>>
>>
>>
>> On Fri, Nov 10, 2023 at 2:58 PM Danny McCormick via dev <
>> dev@beam.apache.org> wrote:
>>
>>> > Note: the release guide
>>> > <https://github.com/apache/beam/blob/c713425e1ac2cdc3ec2ec264c9bf61f7356856bd/contributor-docs/release-guide.md?plain=1#L581>
>>> > and blog post
>>> > <https://beam.apache.org/blog/validate-beam-release/#:~:text=apache/beam_go_sdk%3A2.34.0_rc1>
>>> > say
>>> > the RC image has a tag "${RELEASE_VERSION}_rc{RC_NUM}", whereas the actual
>>> > tags on Docker Hub are mostly "${RELEASE_VERSION}rc{RC_NUM}" without the
>>> > "_" since 2.40.0. If this is the new standard we may want to update all
>>> > places where this is stated?
>>>
>>> Yep, we should update! If you put up a PR I'm happy to approve :)
>>> otherwise I can loop it into my post release docs update.
>>>
>>> Thanks,
>>> Danny
>>>
>>> On Fri, Nov 10, 2023 at 2:00 PM Johanna Öjeling via dev <
>>> dev@beam.apache.org> wrote:
>>>
>>>> +1 (non-binding)
>>>>
>>>> Tested the Go SDK on Dataflow with own use cases.
>>>>
>>>> Note: the release guide
>>>> <https://github.com/apache/beam/blob/c713425e1ac2cdc3ec2ec264c9bf61f7356856bd/contributor-docs/release-guide.md?plain=1#L581>
>>>> and blog post
>>>> <https://beam.apache.org/blog/validate-beam-release/#:~:text=apache/beam_go_sdk%3A2.34.0_rc1>
>>>> say
>>>> the RC image has a tag "${RELEASE_VERSION}_rc{RC_NUM}", whereas the actual
>>>> tags on Docker Hub are mostly "${RELEASE_VERSION}rc{RC_NUM}" without the
>>>> "_" since 2.40.0. If this is the new standard we may want to update all
>>>> places where this is stated?
>>>>
>>>> Johanna
>>>>
>>>> On Fri, Nov 10, 2023 at 5:56 PM Robert Bradshaw via dev <
>>>> dev@beam.apache.org> wrote:
>>>>
>>>>> +1 (binding)
>>>>>
>>>>> Artifacts and signatures look good, validated one of the Python wheels
>>>>> in a fresh install.
>>>>>
>>>>> On Fri, Nov 10, 2023 at 7:23 AM Alexey Romanenko
>>>>> <aromanenko....@gmail.com> wrote:
>>>>> >
>>>>> > +1 (binding)
>>>>> >
>>>>> > Java SDK with Spark runner
>>>>> >
>>>>> > —
>>>>> > Alexey
>>>>> >
>>>>> > On 9 Nov 2023, at 16:44, Ritesh Ghorse via dev <dev@beam.apache.org> wrote:
>>>>> >
>>>>> > +1 (non-binding)
>>>>> >
>>>>> > Validated Python SDK quickstart batch and streaming.
>>>>> >
>>>>> > Thanks!
>>>>> >
>>>>> > On Thu, Nov 9, 2023 at 9:25 AM Jan Lukavský <je...@seznam.cz> wrote:
>>>>> >>
>>>>> >> +1 (binding)
>>>>> >>
>>>>> >> Validated Java SDK with Flink runner on own use cases.
>>>>> >>
>>>>> >> Jan
>>>>> >>
>>>>> >> On 11/9/23 03:31, Danny McCormick via dev wrote:
>>>>> >>
>>>>> >> Hi everyone,
>>>>> >> Please review and vote on the release candidate #3 for the version 2.52.0, as follows:
>>>>> >> [ ] +1, Approve the release
>>>>> >> [ ] -1, Do not approve the release (please provide specific comments)
>>>>> >>
>>>>> >>
>>>>> >> Reviewers are encouraged to test their own use cases with the release candidate, and vote +1 if no issues are found. Only PMC member votes will count towards the final vote, but votes from all community members are encouraged and helpful for finding regressions; you can either test your own use cases or use cases from the validation sheet [10].
>>>>> >>
>>>>> >> The complete staging area is available for your review, which includes:
>>>>> >>
>>>>> >> GitHub Release notes [1]
>>>>> >> the official Apache source release to be deployed to dist.apache.org [2], which is signed with the key with fingerprint D20316F712213422 [3]
>>>>> >> all artifacts to be deployed to the Maven Central Repository [4]
>>>>> >> source code tag "v2.52.0-RC3" [5]
>>>>> >> website pull request listing the release [6], the blog post [6], and publishing the API reference manual [7]
>>>>> >> Python artifacts are deployed along with the source release to the dist.apache.org [2] and PyPI[8].
>>>>> >> Go artifacts and documentation are available at pkg.go.dev [9]
>>>>> >> Validation sheet with a tab for 2.52.0 release to help with validation [10]
>>>>> >> Docker images published to Docker Hub [11]
>>>>> >> PR to run tests against release branch [12]
>>>>> >>
>>>>> >>
>>>>> >> The vote will be open for at least 72 hours. It is adopted by majority approval, with at least 3 PMC affirmative votes.
>>>>> >>
>>>>> >> For guidelines on how to try the release in your projects, check out our blog post at https://beam.apache.org/blog/validate-beam-release/.
>>>>> >>
>>>>> >> Thanks,
>>>>> >> Danny
>>>>> >>
>>>>> >> [1] https://github.com/apache/beam/milestone/16
>>>>> >> [2] https://dist.apache.org/repos/dist/dev/beam/2.52.0/
>>>>> >> [3] https://dist.apache.org/repos/dist/release/beam/KEYS
>>>>> >> [4] https://repository.apache.org/content/repositories/orgapachebeam-1361/
>>>>> >> [5] https://github.com/apache/beam/tree/v2.52.0-RC3
>>>>> >> [6] https://github.com/apache/beam/pull/29331
>>>>> >> [7] https://github.com/apache/beam-site/pull/653
>>>>> >> [8] https://pypi.org/project/apache-beam/2.52.0rc2/
>>>>> >> [9] https://pkg.go.dev/github.com/apache/beam/sdks/v2@v2.52.0-RC3/go/pkg/beam
>>>>> >> [10] https://docs.google.com/spreadsheets/d/1qk-N5vjXvbcEk68GjbkSZTR8AGqyNUM-oLFo_ZXBpJw/edit#gid=1387982510
>>>>> >> [11] https://hub.docker.com/search?q=apache%2Fbeam&type=image
>>>>> >> [12] https://github.com/apache/beam/pull/29319
>>>>> >
>>>>> >
>>>>>
>>>>