Hi Manu,

It's exactly what I said in the 1.9.0 thread and I agree with Fokko.

I don't think it would make sense to release 1.8.2 with the message about the CVE (I agree if it's to fix other things, but it doesn't seem to be the case). We can "confuse" the users with a 1.8.2 release related to the CVE but not actually impacted.

So, I'm more in favor of skipping 1.8.2 and focusing on 1.9.0.

Regards
JB

On Tue, Apr 22, 2025 at 5:41 AM Manu Zhang <owenzhang1...@gmail.com> wrote:
>
> Hi all,
>
> I thought we had a consensus on releasing 1.8.2 and volunteered to be the
> release manager following these discussions[1][2].
> However, when working with Fokko to make a release, he expressed concerns
> over the release. Let me quote his words here.
>
>> I did some checks, and it looks like the vulnerabilities are not exposed to
>> the user through Iceberg. I think releasing a 1.8.2 gives off a wrong signal
>> that 1.8.x is affected
>
>
> Therefore, I'd like to hear your thoughts on this.
>
>
> 1. https://lists.apache.org/thread/rwhsgpojdshbvbnrjtb93q70rno47s6c
> 2. https://github.com/apache/iceberg/issues/12749
>
> Thanks,
> Manu