[ https://issues.apache.org/jira/browse/BEAM-14456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534592#comment-17534592 ]

Robert Burke commented on BEAM-14456:
-------------------------------------

This was intentional, and Yichi was notified beforehand.

In this case, a Dataflow customer noted their container security scans were 
producing a number of CVEs that they wished cleaned up. This revealed a 
discrepancy in how the boot loaders were being built WRT the stated Go SDK 
policy to try to stay on the trailing Go version WRT features. The gap in this 
case being WRT CVE and security updates.

Go pushes security updates to the go tool for the current and previous 
versions, and Go 1.16 just left that policy with the release of Go 1.18. Since 
the change is minimal, and it's unlikely to cause behavioral changes to the 
release, I felt it prudent to cherry-pick to close the gap for now.

Going forward, we'll likely be building the containers with the latest Go 
release to avoid this in the future, even if we continue to restrict the SDK 
itself to only use the features of the trailing version.

> Use Go 1.18.2 to build 2.39 Container Bootloaders 
> --------------------------------------------------
>
>                 Key: BEAM-14456
>                 URL: https://issues.apache.org/jira/browse/BEAM-14456
>             Project: Beam
>          Issue Type: Bug
>          Components: sdk-go, sdk-java-core, sdk-py-core
>    Affects Versions: 2.39.0
>            Reporter: Robert Burke
>            Assignee: Robert Burke
>            Priority: P2
>             Fix For: 2.39.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> It's been noted that by using older Go releases to compile Go containers we 
> run the risk of the bootloaders using vulnerable versions. 
> This issue is to close the gap for 2.39, while a separate one is to document 
> the policy of keeping the release artifacts built with the latest Go version.
> While it's unlikely to be an attack vector, it's prudent that we keep these 
> gaps as closed as we're able.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
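The gap discussed above is easy to verify on the artifacts themselves, because a Go binary records the toolchain that built it. The script below is an added example, not Beam project code and not part of the comment: it classifies the lines that `go version <file>` prints for a set of binaries and flags any whose embedded toolchain is older than a minimum patched release. It assumes the `<file>: goX.Y.Z` line format of `go version`, uses 1.18.2 from the issue as the default threshold (override with `MIN_GO`), and the `SAMPLE_OUTPUT` lines are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not Beam project code): flag binaries whose embedded Go
# toolchain version is below a minimum patched release.
# Assumptions: `go version <file>` prints one "<file>: goX.Y.Z ..." line per
# file (anything else is reported as UNKNOWN); the default threshold 1.18.2 is
# the version named in the issue. Override it with MIN_GO=1.x.y.
set -eu

MIN_GO="${MIN_GO:-1.18.2}"

# Print the Nth dotted component of a version string, or 0 when it is absent
# (so "1.18" compares as 1.18.0).
vpart() {
  p=$(printf '%s\n' "$1" | cut -d. -f"$2")
  printf '%s\n' "${p:-0}"
}

# Return 0 when dotted version $1 is strictly lower than $2 (major.minor.patch).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(vpart "$1" "$i")
    b=$(vpart "$2" "$i")
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1   # equal versions are not "lower"
}

# Classify one `go version` output line. Prints OK, OUTDATED or UNKNOWN and
# returns 1 only for OUTDATED, so callers can use it as a pass/fail signal.
classify_line() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*: go\([0-9][0-9.]*\).*/\1/p')
  if [ -z "$v" ]; then
    echo UNKNOWN
    return 0
  fi
  if version_lt "$v" "$MIN_GO"; then
    echo OUTDATED
    return 1
  fi
  echo OK
}

# Run classify_line over every line of $1, printing a verdict per binary;
# returns 1 if any binary is OUTDATED (suitable as a CI gate).
scan_lines() {
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    status=$(classify_line "$line") || rc=1
    printf '%-9s %s\n' "$status" "$line"
  done <<EOF
$1
EOF
  return "$rc"
}

# Constructed sample in the shape `go version <file>` prints; not real output.
SAMPLE_OUTPUT='boot_go: go1.16.15
boot_java: go1.18.2
boot_python: go1.17.9
README.md: not a Go executable'

if [ "$#" -gt 0 ]; then
  # Real use: pass the bootloader binaries to inspect, e.g. ./check.sh /path/to/boot
  scan_lines "$(go version "$@")" \
    || echo "FAIL: at least one binary was built with Go < $MIN_GO" >&2
else
  scan_lines "$SAMPLE_OUTPUT" \
    || echo "FAIL: at least one binary was built with Go < $MIN_GO" >&2
fi
```

Run with no arguments it scans the constructed sample (two of the three binaries are reported OUTDATED against 1.18.2); with binaries as arguments it runs the real `go version` and exits nonzero when any of them lags the threshold, which is the check a release or container build pipeline would want to enforce the policy described in the comment.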