I'm fine both ways, with or without release. I am a strong believer of low-ceremony and automated releases. Maybe we could automate at least the core part of the release (shipping binaries), and then we don't need to think so much about when (not) to release, because it would be cheap to redo if needed?
Best, Piotr On Thu, 10 Oct 2024 at 13:33, Ajantha Bhat <ajanthab...@gmail.com> wrote: > If it is already analyzed and not really applicable for Iceberg, > we can wait for 1.7.0. > > Thanks. > - Ajantha > > On Thu, Oct 10, 2024 at 3:41 PM Jean-Baptiste Onofré <j...@nanthrax.net> > wrote: > >> Hi >> >> I did the security fix in Avro and I can say that Iceberg is not >> really impacted and vulnerable. >> I'm not against a 1.6.2 release, but as we discussed about Iceberg >> 1.7.0 by the end of October (see Russell's message a few days ago), >> maybe we can wait 1.7.0 ? >> >> Regards >> JB >> >> On Wed, Oct 9, 2024 at 8:46 PM Ajantha Bhat <ajanthab...@gmail.com> >> wrote: >> > >> > Hi everyone, >> > Since 1.7.0 is still a few weeks away, >> > how about releasing version 1.6.2 with just the Avro version update? >> > The current Avro version in 1.6.1 (1.11.3) has a recently reported CVE: >> CVE-2024-47561. [2] >> > >> > I'm happy to coordinate and be the release manager for this. >> > >> > [1] >> https://github.com/apache/iceberg/blob/8e9d59d299be42b0bca9461457cd1e95dbaad086/gradle/libs.versions.toml#L28 >> > [2] https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x >> > >> > - Ajantha >> >
