Hi all,

Seems there are no objections. Then I'm managing this release.

Since the build is stable, and CVE-2020-17518 is already ported to the 1.10 branch, it looks like we can prepare the release candidate anytime. I'd like to leave a bit more time for people to report issues that they want to include in this release. If there's anything else you think should be included in this release, please reach out to me by next Tuesday (Jan 19).

Thank you~

Xintong Song

On Thu, Jan 14, 2021 at 7:07 PM Matthias Pohl <matth...@ververica.com> wrote:

> You're right, Yu. Thanks for pointing that out.
> And thanks for volunteering, Xintong.
>
> On Thu, Jan 14, 2021 at 3:31 AM Xintong Song <tonysong...@gmail.com> wrote:
>
>> Maybe I can help drive this release, if there's no one else volunteering. I've been managing the 1.11.3 and 1.12.1 releases. The bugfix release process is still warm in my mind. :)
>>
>> Thank you~
>>
>> Xintong Song
>>
>> On Wed, Jan 13, 2021 at 8:09 PM Yu Li <car...@gmail.com> wrote:
>>
>>> +1 for having a bugfix release for the 1.10 branch to fix the security issue.
>>>
>>> Thanks for driving the discussion Matthias!
>>>
>>> Minor: CVE-2020-17519 is introduced by 1.11.0 [1] so we don't need to fix it in 1.10.3, but CVE-2020-17518 [2] is needed.
>>>
>>> Best Regards,
>>> Yu
>>>
>>> [1] https://s.apache.org/CVE-2020-17519
>>> [2] https://s.apache.org/CVE-2020-17518
>>>
>>> On Wed, 13 Jan 2021 at 16:57, Till Rohrmann <trohrm...@apache.org> wrote:
>>>
>>> > Thanks for starting this discussion Matthias. I agree with all of you that a final 1.10.3 release could be really helpful for our users. Given that CI passes, it shouldn't be too much overhead either.
>>> >
>>> > Cheers,
>>> > Till
>>> >
>>> > On Wed, Jan 13, 2021 at 9:45 AM Xingbo Huang <hxbks...@gmail.com> wrote:
>>> >
>>> > > Thanks for starting this discussion, Matthias.
>>> > >
>>> > > +1 for releasing 1.10.3 as it contains a number of important fixes.
>>> > >
>>> > > Best,
>>> > > Xingbo
>>> > >
>>> > > Xintong Song <tonysong...@gmail.com> wrote on Wed, Jan 13, 2021 at 3:46 PM:
>>> > >
>>> > > > Thanks for bringing this up, Matthias.
>>> > > >
>>> > > > Per the "Update Policy for old releases" [1], normally we do not release 1.10.x after 1.12.0 is released. However, the policy also says that we are "open to discussing bugfix releases for even older versions".
>>> > > >
>>> > > > In this case, I'm +1 for releasing 1.10.3, for the dozens of non-released fixes and the security flaws.
>>> > > >
>>> > > > As a reminder, I'd like to bring up FLINK-20906 [2] to be backported if we are releasing 1.10.3, which updates the copyright year in NOTICE files to 2021.
>>> > > >
>>> > > > Thank you~
>>> > > >
>>> > > > Xintong Song
>>> > > >
>>> > > > [1] https://flink.apache.org/downloads.html
>>> > > > [2] https://issues.apache.org/jira/browse/FLINK-20906
>>> > > >
>>> > > > On Tue, Jan 12, 2021 at 7:15 PM Matthias Pohl <matth...@ververica.com> wrote:
>>> > > >
>>> > > > > Hi,
>>> > > > > I'd like to initiate a discussion on releasing Flink 1.10.3. There were a few requests in favor of this already in [1] and [2].
>>> > > > >
>>> > > > > I checked the release-1.10 branch: 55 commits are not released, yet.
>>> > > > > Some non-released fixes that might be relevant are:
>>> > > > > - FLINK-20218 [3] - fix "module 'urllib' has no attribute 'parse'" due to ProtoBuf version update
>>> > > > > - FLINK-20013 [4] - BoundedBlockingSubpartition may leak network buffer
>>> > > > > - FLINK-19252 [5] - temporary folder is not created when missing
>>> > > > > - FLINK-19557 [6] - LeaderRetrievalListener notification upon ZooKeeper reconnection
>>> > > > > - FLINK-19523 [7] - hide sensitive information in logs
>>> > > > >
>>> > > > > In addition to that, we would like to include a backport for CVE-2020-17518 and CVE-2020-17519 to cover the request in [2].
>>> > > > >
>>> > > > > The travis-ci build chain for release-1.10 seems to be stable [8].
>>> > > > > Any thoughts on that? Unfortunately, I cannot volunteer as a release manager due to the lack of permissions. But I wanted to start the discussion, anyway.
>>> > > > >
>>> > > > > Best,
>>> > > > > Matthias
>>> > > > >
>>> > > > > [1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/ANNOUNCE-Weekly-Community-Update-2020-44-45-td46486.html#a47610
>>> > > > > [2] https://issues.apache.org/jira/browse/FLINK-20875
>>> > > > > [3] https://issues.apache.org/jira/browse/FLINK-20218
>>> > > > > [4] https://issues.apache.org/jira/browse/FLINK-20013
>>> > > > > [5] https://issues.apache.org/jira/browse/FLINK-19252
>>> > > > > [6] https://issues.apache.org/jira/browse/FLINK-19557
>>> > > > > [7] https://issues.apache.org/jira/browse/FLINK-19523
>>> > > > > [8] https://travis-ci.com/github/apache/flink/builds/212749910