It would probably be a good idea to just make sure that any release notes mention that for a Go user to upgrade their dependency they need to run something like `go get -u github.com/apache/arrow/go/v6/@v6.0.2` replacing v6/v6.0.2 with their desired version combination. This will get them the patched version without upgrading their major version.

We should also probably link to the JIRA issue that precipitated the releases so people can easily see the vulnerability that is being patched.

--Matt

On Thu, Jul 28 2022 at 02:29:59 PM +0900, Sutou Kouhei <k...@clear-code.com> wrote:
Hi,

I didn't upload release notes and documentation for 6.0.2,
7.0.1 and 8.0.1 because they are irregular releases for us:

* We don't recommend users except Go users to use 6.0.2,
  7.0.1 and 8.0.1.
  Reasons:
  * There are no differences with 6.0.1&6.0.2, 7.0.0&7.0.1,
    8.0.0&8.0.1 except the Go part.
  * We don't distribute binary packages for 6.0.2, 7.0.1 and
    8.0.1.
  * Generally, Go users don't use our source packages at
    <https://dist.apache.org/repos/dist/release/arrow/> . They
    use the source code in our GitHub repository with
    github.com/apache/arrow/go/v6/arrow,
    github.com/apache/arrow/go/v7/arrow or
    github.com/apache/arrow/go/v8/arrow. Note that they don't
    need to change the import line to use 6.0.2, 7.0.1 or
    8.0.1 because v6/v7/v8 refers to the latest go/6.Y.Z,
    go/7.Y.Z and go/8.Y.Z automatically.
  * ...
* We can't use our usual release note format for 6.0.2, 7.0.1
  and 8.0.1 because we don't distribute binary packages. Our
  usual release note format expects that we distribute
  binary packages.

I don't oppose uploading release notes and documentation
with careful notes about these releases. If someone wants to
work on it, I can help him/her.


Thanks,
--
kou

In <CAGNHocNVRjyxwYU_uPQp3e8CqDQbM-p875HJrSk0Nq7CWZ=g...@mail.gmail.com> "Re: [RESULT][VOTE] Release Apache Arrow 8.0.1 - RC0" on Tue, 26 Jul 2022 16:25:47 -0600, Todd Farmer <t...@voltrondata.com.INVALID> wrote:

 Hello,

 Apologies for the late response to this thread. While not related to the vote, I do have a related question about administration of releases such as this. I notice:

 1. There is no 8.0.1 release notes [1] - should this be added? It's worth noting that no release notes currently reference ARROW-16759. Given this issue was sufficiently critical to warrant an 8.0.1 release, I suspect we would want to ensure it appears in release notes somewhere.
 2. There is no 8.0.1 documentation [2] - should this be generated? I suspect not, given there is no change in functionality (or docs contents). I will note that lack of documentation could cause (Go) user confusion, if they find they are using a version 8.0.1 and are presented with documentation for 8.0.0.

 [1] <https://arrow.apache.org/release/>
 [2] <https://arrow.apache.org/docs/index.html> (see version selector
 drop-down)

 Thanks,

 Todd

On Mon, Jul 18, 2022 at 7:04 PM Sutou Kouhei <k...@clear-code.com> wrote:

 Hi,

 I've released 8.0.1:

   * I've published
     <https://dist.apache.org/repos/dist/release/arrow/arrow-8.0.1/>
   * I've pushed the
     <https://github.com/apache/arrow/releases/tag/go%2Fv8.0.1>
     tag
   * I've made the "8.0.1" version on JIRA "released":
     <https://issues.apache.org/jira/projects/ARROW/versions/12352081>
   * I've added 8.0.1 entry to Apache Committee Report by
     <https://reporter.apache.org/addrelease.html?arrow>

 Thanks,
 --
 kou

In <20220719.093100.685134697791841749....@clear-code.com> "[RESULT][VOTE] Release Apache Arrow 8.0.1 - RC0" on Tue, 19 Jul 2022 09:31:00 +0900 (JST), Sutou Kouhei <k...@clear-code.com> wrote:

 > Hi,
 >
 > The vote carries with 4 +1 binding votes and 2 +1
 > non-binding votes.
 >
 > I'll publish this as 8.0.1.
 >
 > Thanks,
 > --
 > kou
 >
 > In <20220715.061057.1116573445635493266....@clear-code.com>
 > "[VOTE] Release Apache Arrow 8.0.1 - RC0" on Fri, 15 Jul 2022 06:10:57 +0900 (JST),
 > Sutou Kouhei <k...@clear-code.com> wrote:
 >
 >> Hi,
 >>
 >> I would like to propose the following release candidate
 >> (RC0) of Apache Arrow version 8.0.1. This is a release
 >> consisting of 1 resolved JIRA issue[1].
 >>
 >> This is one of the releases[2] that focus on a Go related
 >> security vulnerability[3]. We don't publish binary artifacts
 >> of this release because we don't have Go related binaries.
 >>
 >> This release candidate is based on commit:
 >> 9966c39583f1e203bac9200753e9db32478d43a6 [4]
 >>
 >> The source release rc0 is hosted at [5].
 >> The changelog is located at [6].
 >>
 >> Please download, verify checksums and signatures, run the
 >> unit tests, and vote on the release. See [7] for how to
 >> validate a release candidate. But you need to verify only Go
 >> related tests because this release candidate only includes a
 >> change for Go. So we can use the following command line:
 >>
 >>   TEST_DEFAULT=0 TEST_GO=1 dev/release/verify-release-candidate.sh 8.0.1 0
 >>
 >> The vote will be open for at least 72 hours.
 >>
 >> [ ] +1 Release this as Apache Arrow 8.0.1
 >> [ ] +0
 >> [ ] -1 Do not release this as Apache Arrow 8.0.1 because...
 >>
 >> [1]: <https://issues.apache.org/jira/issues/?jql=project%20%3D%20ARROW%20AND%20status%20in%20%28Resolved%2C%20Closed%29%20AND%20fixVersion%20%3D%208.0.1>
 >> [2]: <https://lists.apache.org/thread/qkkzpvmxc0coqhdkc1qoygwy6h4v5sgn>
 >> [3]: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28948>
 >> [4]: <https://github.com/apache/arrow/tree/9966c39583f1e203bac9200753e9db32478d43a6>
 >> [5]: <https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-8.0.1-rc0>
 >> [6]: <https://github.com/apache/arrow/blob/9966c39583f1e203bac9200753e9db32478d43a6/CHANGELOG.md>
 >> [7]: <https://cwiki.apache.org/confluence/display/ARROW/How+to+Verify+Release+Candidates>

