+1 for having a bugfix release for the 1.10 branch to fix the security issue.
Thanks for driving the discussion Matthias! Minor: CVE-2020-17519 is introduced by 1.11.0 [1] so we don't need to fix it in 1.10.3, but CVE-2020-17518 [2] is needed. Best Regards, Yu [1] https://s.apache.org/CVE-2020-17519 [2] https://s.apache.org/CVE-2020-17518 On Wed, 13 Jan 2021 at 16:57, Till Rohrmann <trohrm...@apache.org> wrote: > Thanks for starting this discussion Matthias. I agree with all of you that > a final 1.10.3 release could be really helpful for our users. Given that CI > passes, it shouldn't be too much overhead either. > > Cheers, > Till > > On Wed, Jan 13, 2021 at 9:45 AM Xingbo Huang <hxbks...@gmail.com> wrote: > > > Thanks for starting this discussion, Matthias. > > > > +1 for releasing 1.10.3 as it contains a number of important fixes. > > > > Best, > > Xingbo > > > > Xintong Song <tonysong...@gmail.com> 于2021年1月13日周三 下午3:46写道: > > > > > Thanks for bringing this up, Matthias. > > > > > > Per the "Update Policy for old releases" [1], normally we do not > release > > > 1.10.x after 1.12.0 is released. However, the policy also says that we > > are > > > "open to discussing bugfix releases for even older versions". > > > > > > In this case, I'm +1 for releasing 1.10.3, for the dozens of > > non-released > > > fixes and the security flaws. > > > > > > As a reminder, I'd like to bring up FLINK-20906 [2] to be backported if > > we > > > are releasing 1.10.3, which updates the copyright year in NOTICE files > to > > > 2021. > > > > > > Thank you~ > > > > > > Xintong Song > > > > > > > > > [1] https://flink.apache.org/downloads.html > > > [2] https://issues.apache.org/jira/browse/FLINK-20906 > > > > > > On Tue, Jan 12, 2021 at 7:15 PM Matthias Pohl <matth...@ververica.com> > > > wrote: > > > > > > > Hi, > > > > I'd like to initiate a discussion on releasing Flink 1.10.3. There > > were a > > > > few requests in favor of this already in [1] and [2]. > > > > > > > > I checked the release-1.10 branch: 55 commits are not released, yet. > > > > Some non-released fixes that might be relevant are: > > > > - FLINK-20218 [3] - fix "module 'urllib' has no attribute 'parse'" > due > > to > > > > ProtoBuf version update > > > > - FLINK-20013 [4] - BoundedBlockingSubpartition may leak network > buffer > > > > - FLINK-19252 [5] - temporary folder is not created when missing > > > > - FLINK-19557 [6] - LeaderRetrievalListener notification upon > ZooKeeper > > > > reconnection > > > > - FLINK-19523 [7] - hide sensitive information in logs > > > > > > > > In addition to that, we would like to include a backport for > > > CVE-2020-17518 > > > > and CVE-2020-17519 to cover the request in [2]. > > > > > > > > The travis-ci build chain for release-1.10 seems to be stable [8]. > > > > Any thoughts on that? Unfortunately, I cannot volunteer as a release > > > > manager due to the lack of permissions. But I wanted to start the > > > > discussion, anyway. > > > > > > > > Best, > > > > Matthias > > > > > > > > [1] > > > > > > > > > > > > > > http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/ANNOUNCE-Weekly-Community-Update-2020-44-45-td46486.html#a47610 > > > > [2] https://issues.apache.org/jira/browse/FLINK-20875 > > > > [3] https://issues.apache.org/jira/browse/FLINK-20218 > > > > [4] https://issues.apache.org/jira/browse/FLINK-20013 > > > > [5] https://issues.apache.org/jira/browse/FLINK-19252 > > > > [6] https://issues.apache.org/jira/browse/FLINK-19557 > > > > [7] https://issues.apache.org/jira/browse/FLINK-19523 > > > > [8] https://travis-ci.com/github/apache/flink/builds/212749910 > > > > > > > > > >
