Plan to release etcd v3.5.15 about etcd HOT 13 OPEN

We may want to hold the release after 7/2, as according to SIG-release's email

There is a Go update being released on 07/02

I do see some outstanding changes in the Go Release Dashboard. But I don't know how to check when the version will be released, and I'm not sure if it will come with another vulnerability fix.

from etcd.

After a sweep of fixes merged in the main branch after 3.5.14, I found these two potential backports:

• #18186
• #18108

Do we want to backport any of these?

I would appreciate another pair of eyes to do another pass.

I also volunteer to be a shadow for this release :)

from etcd.

@spzala or @wenjiaswe did either of you want to lead this release? If not I am happy to volunteer as release lead.

Do we want to backport any of these?

Will do some review soon, we also need to take a close look at recent bug reports and see if anything needs to be included: https://github.com/etcd-io/etcd/issues?q=is%3Aissue+label%3Atype%2Fbug+created%3A%3E%3D2024-04-30

from etcd.

@jmhbnz Yes, I am happy to do the release. It's a short week in US, maybe I can do it next week?

from etcd.

@jmhbnz Yes, I am happy to do the release. It's a short week in US, maybe I can do it next week?

SGTM - So release team will be:

/assign @wenjiaswe, @ivanvc, @jmhbnz

from etcd.

@ivanvc @jmhbnz I will discuss with you two on chat. If anyone else interested in shadowing, please ping me in slack: wenjiaswe

from etcd.

Would you guys be available Monday, July 8th, at 11 a.m. PT? I'll be out next week starting Tuesday, so I won't be available if you want to schedule it for later that day, which is fine by me, we could see if someone else wants to shadow :)

from etcd.

@jmhbnz, after updating Go to address vulnerabilities (#18269), I think we now can release 3.4.34, right?

from etcd.

@jmhbnz, after updating Go to address vulnerabilities (#18269), I think we now can release 3.4.34, right?

What is the CVE score? NIST don't list it yet https://nvd.nist.gov/vuln/detail/CVE-2024-24791. Our patch release criteria is 7.5 https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md#patch-release-criteria but I'm not opposed to start organising 3.4.34 anyway once this release is done.

from etcd.

What is the CVE score? NIST don't list it yet https://nvd.nist.gov/vuln/detail/CVE-2024-24791. Our patch release criteria is 7.5

That's a good point. I think there's no rush, and ultimately, there are no other outstanding changes for 3.4 other than the Go update.

from etcd.

Will do some review soon, we also need to take a close look at recent bug reports and see if anything needs to be included: https://github.com/etcd-io/etcd/issues?q=is%3Aissue+label%3Atype%2Fbug+created%3A%3E%3D2024-04-30

I reviewed these and couldn't find anything that caught my eye.
Do we want to backport any of #18247 (comment)?

from etcd.

I reviewed these and couldn't find anything that caught my eye. Do we want to backport any of #18247 (comment)?

Have raised backport proposals for both:

• #18288
• #18289

from etcd.

Are we still expecting the 3.5.15 release this week? Thanks.

from etcd.