I will go ahead and create an RC4 - IMO this vulnerability patch warrants a new RC. Thanks Valentyn!
On Fri, Nov 10, 2023 at 9:11 PM Valentyn Tymofieiev via dev <dev@beam.apache.org> wrote:
> As mentioned in another thread [1], there is a recently detected
> vulnerability in pyarrow [2].
>
> It appears to be a concern for Beam users that we can mitigate in the
> upcoming release.
>
> We can reassess early next week in case there is a revised assessment for
> severity for this vulnerability. In the meantime I went ahead and created
> an issue to track remediation in Beam and marked it as a blocker for 2.52.0
> [3], and sent a PR to consider for master [4] and the release branch [5].
>
> Thanks,
> Valentyn
>
> [1] https://lists.apache.org/thread/cdo18g6g7q1804yp2q5pwf8t7s1td8lv
> [2] https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
> [3] https://github.com/apache/beam/issues/29392
> [4] https://github.com/apache/beam/pull/29396
> [5] https://github.com/apache/beam/pull/29402
>
>
> On Fri, Nov 10, 2023 at 12:56 PM Chamikara Jayalath via dev <
> dev@beam.apache.org> wrote:
>
>> +1 (binding).
>>
>> Tested multi-lang Java/Python jobs.
>>
>> Thanks,
>> Cham
>>
>> On Fri, Nov 10, 2023, 12:28 PM Svetak Sundhar via dev <
>> dev@beam.apache.org> wrote:
>>
>>> +1 Non Binding -- tested Python SDK batch.
>>>
>>>
>>> Svetak Sundhar
>>>
>>> Data Engineer
>>> s <nellywil...@google.com>vetaksund...@google.com
>>>
>>>
>>>
>>> On Fri, Nov 10, 2023 at 2:58 PM Danny McCormick via dev <
>>> dev@beam.apache.org> wrote:
>>>
>>>> > Note: the release guide
>>>> <https://github.com/apache/beam/blob/c713425e1ac2cdc3ec2ec264c9bf61f7356856bd/contributor-docs/release-guide.md?plain=1#L581>
>>>> and blog post
>>>> <https://beam.apache.org/blog/validate-beam-release/#:~:text=apache/beam_go_sdk%3A2.34.0_rc1>
>>>> say
>>>> the RC image has a tag "${RELEASE_VERSION}_rc{RC_NUM}", whereas the actual
>>>> tags on Docker Hub are mostly "${RELEASE_VERSION}rc{RC_NUM}" without the
>>>> "_" since 2.40.0. If this is the new standard we may want to update all
>>>> places where this is stated?
>>>>
>>>> Yep, we should update! If you put up a PR I'm happy to approve :)
>>>> otherwise I can loop it into my post release docs update.
>>>>
>>>> Thanks,
>>>> Danny
>>>>
>>>> On Fri, Nov 10, 2023 at 2:00 PM Johanna Öjeling via dev <
>>>> dev@beam.apache.org> wrote:
>>>>
>>>>> +1 (non-binding)
>>>>>
>>>>> Tested the Go SDK on Dataflow with own use cases.
>>>>>
>>>>> Note: the release guide
>>>>> <https://github.com/apache/beam/blob/c713425e1ac2cdc3ec2ec264c9bf61f7356856bd/contributor-docs/release-guide.md?plain=1#L581>
>>>>> and blog post
>>>>> <https://beam.apache.org/blog/validate-beam-release/#:~:text=apache/beam_go_sdk%3A2.34.0_rc1>
>>>>> say
>>>>> the RC image has a tag "${RELEASE_VERSION}_rc{RC_NUM}", whereas the actual
>>>>> tags on Docker Hub are mostly "${RELEASE_VERSION}rc{RC_NUM}" without the
>>>>> "_" since 2.40.0. If this is the new standard we may want to update all
>>>>> places where this is stated?
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Fri, Nov 10, 2023 at 5:56 PM Robert Bradshaw via dev <
>>>>> dev@beam.apache.org> wrote:
>>>>>
>>>>>> +1 (binding)
>>>>>>
>>>>>> Artifacts and signatures look good, validated one of the Python wheels
>>>>>> in a fresh install.
>>>>>>
>>>>>> On Fri, Nov 10, 2023 at 7:23 AM Alexey Romanenko
>>>>>> <aromanenko....@gmail.com> wrote:
>>>>>> >
>>>>>> > +1 (binding)
>>>>>> >
>>>>>> > Java SDK with Spark runner
>>>>>> >
>>>>>> > —
>>>>>> > Alexey
>>>>>> >
>>>>>> > On 9 Nov 2023, at 16:44, Ritesh Ghorse via dev <dev@beam.apache.org>
>>>>>> wrote:
>>>>>> >
>>>>>> > +1 (non-binding)
>>>>>> >
>>>>>> > Validated Python SDK quickstart batch and streaming.
>>>>>> >
>>>>>> > Thanks!
>>>>>> >
>>>>>> > On Thu, Nov 9, 2023 at 9:25 AM Jan Lukavský <je...@seznam.cz>
>>>>>> wrote:
>>>>>> >>
>>>>>> >> +1 (binding)
>>>>>> >>
>>>>>> >> Validated Java SDK with Flink runner on own use cases.
>>>>>> >>
>>>>>> >> Jan
>>>>>> >>
>>>>>> >> On 11/9/23 03:31, Danny McCormick via dev wrote:
>>>>>> >>
>>>>>> >> Hi everyone,
>>>>>> >> Please review and vote on the release candidate #3 for the version
>>>>>> 2.52.0, as follows:
>>>>>> >> [ ] +1, Approve the release
>>>>>> >> [ ] -1, Do not approve the release (please provide specific
>>>>>> comments)
>>>>>> >>
>>>>>> >>
>>>>>> >> Reviewers are encouraged to test their own use cases with the
>>>>>> release candidate, and vote +1 if no issues are found. Only PMC member
>>>>>> votes will count towards the final vote, but votes from all community
>>>>>> members is encouraged and helpful for finding regressions; you can either
>>>>>> test your own use cases or use cases from the validation sheet [10].
>>>>>> >>
>>>>>> >> The complete staging area is available for your review, which
>>>>>> includes:
>>>>>> >>
>>>>>> >> GitHub Release notes [1]
>>>>>> >> the official Apache source release to be deployed to
>>>>>> dist.apache.org [2], which is signed with the key with fingerprint
>>>>>> D20316F712213422 [3]
>>>>>> >> all artifacts to be deployed to the Maven Central Repository [4]
>>>>>> >> source code tag "v2.52.0-RC3" [5]
>>>>>> >> website pull request listing the release [6], the blog post [6],
>>>>>> and publishing the API reference manual [7]
>>>>>> >> Python artifacts are deployed along with the source release to the
>>>>>> dist.apache.org [2] and PyPI[8].
>>>>>> >> Go artifacts and documentation are available at pkg.go.dev [9]
>>>>>> >> Validation sheet with a tab for 2.52.0 release to help with
>>>>>> validation [10]
>>>>>> >> Docker images published to Docker Hub [11]
>>>>>> >> PR to run tests against release branch [12]
>>>>>> >>
>>>>>> >>
>>>>>> >> The vote will be open for at least 72 hours. It is adopted by
>>>>>> majority approval, with at least 3 PMC affirmative votes.
>>>>>> >>
>>>>>> >> For guidelines on how to try the release in your projects, check
>>>>>> out our blog post at
>>>>>> https://beam.apache.org/blog/validate-beam-release/.
>>>>>> >>
>>>>>> >> Thanks,
>>>>>> >> Danny
>>>>>> >>
>>>>>> >> [1] https://github.com/apache/beam/milestone/16
>>>>>> >> [2] https://dist.apache.org/repos/dist/dev/beam/2.52.0/
>>>>>> >> [3] https://dist.apache.org/repos/dist/release/beam/KEYS
>>>>>> >> [4]
>>>>>> https://repository.apache.org/content/repositories/orgapachebeam-1361/
>>>>>> >> [5] https://github.com/apache/beam/tree/v2.52.0-RC3
>>>>>> >> [6] https://github.com/apache/beam/pull/29331
>>>>>> >> [7] https://github.com/apache/beam-site/pull/653
>>>>>> >> [8] https://pypi.org/project/apache-beam/2.52.0rc2/
>>>>>> >> [9]
>>>>>> https://pkg.go.dev/github.com/apache/beam/sdks/v2@v2.52.0-RC3/go/pkg/beam
>>>>>> >> [10]
>>>>>> https://docs.google.com/spreadsheets/d/1qk-N5vjXvbcEk68GjbkSZTR8AGqyNUM-oLFo_ZXBpJw/edit#gid=1387982510
>>>>>> >> [11] https://hub.docker.com/search?q=apache%2Fbeam&type=image
>>>>>> >> [12] https://github.com/apache/beam/pull/29319
>>>>>> >
>>>>>> >
>>>>>>
>>>>>