Hey JB, I think there is no harm in doing a patch release.
There was another request to backport an issue, I've created a PR: https://github.com/apache/iceberg/pull/8969#issuecomment-1837286383

Kind regards,
Fokko

On Wed, 22 Nov 2023 at 18:50, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi guys
>
> Quick update about that:
> 1. I took a deeper look today about the Avro CVE issue. I don't think
> we are impacted on Iceberg (the CVE is about deserialization of
> corrupted data potentially causing out of memory). The fix
> (https://github.com/apache/avro/commit/a12a7e44d) introduces
> SystemLimitException that uses system properties to define boundaries
> and avoid the OOM (even if the deserialization still won't work :)).
> So, nothing really changes from an Iceberg perspective.
> 2. As discussed during the community meeting today, as (1) doesn't
> really have an impact on Iceberg, there's no urgency to release 1.4.3.
> We agreed to wait for new fixes for the 1.4.3 release.
>
> I'm still volunteering to cut the 1.4.3 patch release when ready (I
> did all the build checks on my machine :)), and I'm doing a pass on GH
> issues.
>
> Thanks !
> Regards
> JB
>
> On Tue, Nov 21, 2023 at 8:49 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi
> >
> > We chatted about the 1.4.3 release with Ed.
> >
> > We have few PRs we want to include and as it’s Thanksgiving this week, I will submit the release to vote on Tuesday next week.
> >
> > Regards
> > JB
> >
> > On Mon, 20 Nov 2023 at 17:24, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >>
> >> Thanks Fokko !
> >>
> >> I'm on the local build check and issue pass. I plan to start the
> >> release tomorrow.
> >>
> >> Regards
> >> JB
> >>
> >> On Mon, Nov 20, 2023 at 8:56 AM Driesprong, Fokko <fo...@driesprong.frl> wrote:
> >> >
> >> > I took the liberty and created a 1.4.3 milestone to track any issues that we want to backport.
> >> >
> >> > Kind regards,
> >> > Fokko Driesprong
> >> >
> >> > On Mon, 20 Nov 2023 at 08:50, Driesprong, Fokko <fo...@driesprong.frl> wrote:
> >> >>
> >> >> Hey JB,
> >> >>
> >> >> Late to the party here, but 1.4.3 sounds like a great idea. Let me know if you need any help with any release steps.
> >> >>
> >> >> Kind regards,
> >> >> Fokko Driesprong
> >> >>
> >> >> On Mon, 20 Nov 2023 at 08:16, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >> >>>
> >> >>> Hi
> >> >>>
> >> >>> As there's no objection, I will move forward and prepare the release to vote.
> >> >>>
> >> >>> I will keep you posted asap.
> >> >>>
> >> >>> Thanks,
> >> >>> Regards
> >> >>> JB
> >> >>>
> >> >>> On Wed, Nov 15, 2023 at 6:11 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >> >>> >
> >> >>> > Hi guys,
> >> >>> >
> >> >>> > Avro 1.11.3 has been released, fixing CVE-2023-39410.
> >> >>> > We already updated to Avro 1.11.3 on main.
> >> >>> >
> >> >>> > About CVE, we also already use guava 32.1.3, fixing CVE-2023-2976.
> >> >>> >
> >> >>> > As the Avro CVE is classified high (see
> >> >>> > https://nvd.nist.gov/vuln/detail/CVE-2023-39410), I propose to bump to
> >> >>> > Avro 1.11.3 on our 1.4.x branch and release Iceberg 1.4.3 including
> >> >>> > this.
> >> >>> >
> >> >>> > Thoughts ?
> >> >>> >
> >> >>> > If there are no objections, I volunteer to drive this release.
> >> >>> >
> >> >>> > Thanks,
> >> >>> > Regards
> >> >>> > JB