Hey! Thanks so much for the vote -- yeah, this is long overdue! My assumption was that the branch would be ready to be released at any moment, but it looks like ... it's really not :/
There's a couple of things happening here: 1) the release process is showing it's age and is really disconnected from the GitHub CI (not at all the same tools being used to build nightly as release). My dearest wish is the next major version drops the ubertool docker! 2) the 1.11.x branch is not run under CI ... ever! 3) but mainly Kudos to the committers (not only Martin, but he does get a special call out! :heart:) who have been rigorously cherry-picking commits from master into the branch! This helps keep it in a good, known state. My intention was to have a Release Candidate before the end of the month, but I ran out of time and I'll be travelling for the next 7 days! I should be present on the mailing list but not able to continue my work on getting the branch into shape. I'm willing to pick this up when I get back! In the meantime, anyone is welcome to work on the branch and proposing cherry-picks or PRs. All my best and see you in a week, Ryan On Wed, Apr 12, 2023 at 1:58 AM Eric Johnson <[email protected]> wrote: > > Hi Avro folks, > > A project I'm working on uses Avro and noticed this thread with the intent > to resolve the known CVE issues with jackson-* deps. From what I can > determine, an Avro release would need to wait for Jackson 2.15 > <https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that > also your assessment? > > I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random > user. > > Kind regards, Eric > > On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <[email protected]> wrote: > > > :D Doing another minor release is also related to the thread of > > whether or not there could be an LTS version, or supporting more than > > one version of Avro! > > > > Throughout the last year, we've been pretty good about cherry-picking > > bugfixes into the 1.11 branch when they are relevant and useful, so > > doing the 1.11.2 release should pretty much be a non-event! The > > exception seems to be some JIRA and PRs that were "grandfathered" into > > the next minor release because of lack of attention (which is another > > issue entirely that we really should be addressing...) > > > > I'd like to do the 1.11.2 in order to address the automated security > > warnings for security scanning tools (see > > https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1). I > > don't believe either of the CVE are exploitable via Avro, but it's > > always a good practice to not drag them into the dependency graph if > > we can! > > > > Please do not stop contributing to 1.12.0, of course! That should be > > the destination for the great new features that belong to a major > > release! > > > > All my best, Ryan > > > > On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind > > <[email protected]> wrote: > > > > > > On th 9 mrt. 2023 22:14, Ryan Skraba <[email protected]> wrote: > > > > > > > Hey all, I'd like to bring this discussion back to life -- are we in a > > > > state to do a 1.11.2 release? > > > > > > > > > > [...] If I remember correctly, there > > > > wasn't much left in JIRA unresolved for 1.11.2! [1] > > > > > > > > [...] > > > > [1] > > > > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved > > > > > > > > > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with > > > Java >8 (see that discussion), a schema syntax for IDL, and maybe even > > IDL > > > support for Python/Rust/... > > > > > > > > > Kind regards, > > > Oscar > > > > > > -- > > > Oscar Westra van Holthe - Kind <[email protected]> > >
