[
https://issues.apache.org/jira/browse/BEAM-14456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534585#comment-17534585
]
Ahmet Altay commented on BEAM-14456:
------------------------------------
Added this to the release blockers list (set the fix version) based on the
description. If this was not the intention, please unset the fix version field.
> Use Go 1.18.2 to build 2.39 Container Bootloaders
> --------------------------------------------------
>
> Key: BEAM-14456
> URL: https://issues.apache.org/jira/browse/BEAM-14456
> Project: Beam
> Issue Type: Bug
> Components: sdk-go, sdk-java-core, sdk-py-core
> Affects Versions: 2.39.0
> Reporter: Robert Burke
> Assignee: Robert Burke
> Priority: P2
> Fix For: 2.39.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> It's been noted that by using older Go releases to compile Go containers we
> run the risk of the bootloaders using vulnerable versions.
> This issue is to close the gap for 2.39, while a separate one is to document
> the policy of keeping the release artifacts built with the latest Go version.
> While it's unlikely to be an attack vector, it's prudent that we keep these
> gaps as closed as we're able.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
