[
https://issues.apache.org/jira/browse/BEAM-14456?focusedWorklogId=768723&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-768723
]
ASF GitHub Bot logged work on BEAM-14456:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 10/May/22 21:15
Start Date: 10/May/22 21:15
Worklog Time Spent: 10m
Work Description: lostluck opened a new pull request, #17606:
URL: https://github.com/apache/beam/pull/17606
Update Go version to 1.18.2 to avoid building boot loaders with already
patched vulnerabilities. While most issues are unlikely to be taken advantage
of through the boot loader code, it's better to close the gap.
This PR doesn't change the versions used by the github actions, as we don't
use artifacts generated via those actions directly. If artifacts are used
otherwise, they would be generated by the commands affected by the scripts in
this PR.
------------------------
Thank you for your contribution! Follow this checklist to help us
incorporate your contribution quickly and easily:
- [ ] [**Choose
reviewer(s)**](https://beam.apache.org/contribute/#make-your-change) and
mention them in a comment (`R: @username`).
- [ ] Format the pull request title like `[BEAM-XXX] Fixes bug in
ApproximateQuantiles`, where you replace `BEAM-XXX` with the appropriate JIRA
issue, if applicable. This will automatically link the pull request to the
issue.
- [ ] Update `CHANGES.md` with noteworthy changes.
- [ ] If this contribution is large, please file an Apache [Individual
Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
See the [Contributor Guide](https://beam.apache.org/contribute) for more
tips on [how to make review process
smoother](https://beam.apache.org/contribute/#make-reviewers-job-easier).
To check the build health, please visit
[https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md](https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md)
See [CI.md](https://github.com/apache/beam/blob/master/CI.md) for more
information about GitHub Actions CI.
Issue Time Tracking
-------------------
Worklog Id: (was: 768723)
Remaining Estimate: 0h
Time Spent: 10m
> Use Go 1.18.2 to build 2.39 Container Bootloaders
> --------------------------------------------------
>
> Key: BEAM-14456
> URL: https://issues.apache.org/jira/browse/BEAM-14456
> Project: Beam
> Issue Type: Bug
> Components: sdk-go, sdk-java-core, sdk-py-core
> Affects Versions: 2.39.0
> Reporter: Robert Burke
> Assignee: Robert Burke
> Priority: P2
> Time Spent: 10m
> Remaining Estimate: 0h
>
> It's been noted that by using older Go releases to compile Go containers we
> run the risk of the bootloaders using vulnerable versions.
> This issue is to close the gap for 2.39, while a separate one is to document
> the policy of keeping the release artifacts built with the latest Go version.
> While it's unlikely to be an attack vector, it's prudent that we keep these
> gaps as closed as we're able.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)