Posted to dev@avro.apache.org by Ryan Skraba <ry...@skraba.com> on 2023/03/09 21:14:19 UTC

Re: [DISCUSS] Release Avro 1.11.2

Hey all, I'd like to bring this discussion back to life -- are we in a
state to do a 1.11.2 release?

I was on a pretty extended holiday in 2023, and it's pretty exciting
to see the movement in the project.  If I remember correctly, there
wasn't much left in JIRA unresolved for 1.11.2! [1]

There's still a python JIRA assigned to me that I'd like to finish up
now that I'm back before trying to release.  Anyone else have things
that should be cherry-picked or merged?

All my best, Ryan

[1] https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved


On Thu, Nov 10, 2022 at 7:37 PM Ryan Skraba <ry...@skraba.com> wrote:
>
> We probably don't need to do an initial vote on this  :D  Fixing CVEs
> is probably a compelling enough reason to do this!
>
> But if anybody thinks this is a bad idea, needs anything specific for
> 1.11.2 or wants to help review / resolve some of these PRs marked for
> 1.11.2, I'd love to hear about it.
>
> In any case, I'm definitely going to propose a release shadowing
> session (maybe recorded?) that I didn't deliver in 1.11.1 !
>
> All my best, Ryan
>
> On Fri, Nov 4, 2022 at 7:45 PM Martin Grigorov <mg...@apache.org> wrote:
> >
> > +1 for 1.11.2
> >
> > IMO Jackson could be upgraded to 2.13.x only for 1.12.0.
> > 2.12.7 is not affected by the CVEs
> >
> > On Fri, Nov 4, 2022, 20:07 Ryan Skraba <ry...@skraba.com> wrote:
> >
> > > It looks like there's been a couple of CVE fixes in dependencies that
> > > we might want to have!  See AVRO-3656, and perhaps AVRO-3658 (not yet
> > > merged, bumping to jackson 2.13, which might have breaking changes).
> > >
> > > We've been cherry-picking pretty nicely so the branch is in a pretty
> > > good state, with just a few Unresolved issues (mostly with existing
> > > PRs that need some committer attention!) that have been marked for
> > > 1.11.2
> > >
> > > What do you think?
> > >
> > > Ryan
> > >
> > > [1]
> > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > >

Re: [DISCUSS] Release Avro 1.11.2

Posted by Martin Grigorov <mg...@apache.org>.
I pinged the requesters of a new feature in the Rust SDK at
https://github.com/apache/avro/pull/2014 for review and test.
But I am fine to release 1.11.2 even without this PR

On Thu, Mar 9, 2023 at 11:14 PM Ryan Skraba <ry...@skraba.com> wrote:

> Hey all, I'd like to bring this discussion back to life -- are we in a
> state to do a 1.11.2 release?
>
> I was on a pretty extended holiday in 2023, and it's pretty exciting
> to see the movement in the project.  If I remember correctly, there
> wasn't much left in JIRA unresolved for 1.11.2! [1]
>
> There's still a python JIRA assigned to me that I'd like to finish up
> now that I'm back before trying to release.  Anyone else have things
> that should be cherry-picked or merged?
>
> All my best, Ryan
>
> [1]
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
>
>
> On Thu, Nov 10, 2022 at 7:37 PM Ryan Skraba <ry...@skraba.com> wrote:
> >
> > We probably don't need to do an initial vote on this  :D  Fixing CVEs
> > is probably a compelling enough reason to do this!
> >
> > But if anybody thinks this is a bad idea, needs anything specific for
> > 1.11.2 or wants to help review / resolve some of these PRs marked for
> > 1.11.2, I'd love to hear about it.
> >
> > In any case, I'm definitely going to propose a release shadowing
> > session (maybe recorded?) that I didn't deliver in 1.11.1 !
> >
> > All my best, Ryan
> >
> > On Fri, Nov 4, 2022 at 7:45 PM Martin Grigorov <mg...@apache.org> wrote:
> > >
> > > +1 for 1.11.2
> > >
> > > IMO Jackson could be upgraded to 2.13.x only for 1.12.0.
> > > 2.12.7 is not affected by the CVEs
> > >
> > > On Fri, Nov 4, 2022, 20:07 Ryan Skraba <ry...@skraba.com> wrote:
> > >
> > > > It looks like there's been a couple of CVE fixes in dependencies that
> > > > we might want to have!  See AVRO-3656, and perhaps AVRO-3658 (not yet
> > > > merged, bumping to jackson 2.13, which might have breaking changes).
> > > >
> > > > We've been cherry-picking pretty nicely so the branch is in a pretty
> > > > good state, with just a few Unresolved issues (mostly with existing
> > > > PRs that need some committer attention!) that have been marked for
> > > > 1.11.2
> > > >
> > > > What do you think?
> > > >
> > > > Ryan
> > > >
> > > > [1]
> > > >
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > > >
>

Re: [DISCUSS] Release Avro 1.11.2

Posted by Ryan Skraba <ry...@skraba.com>.
I think we're heading towards a plausible 1.11.2 RC1:  there's very
few unresolved issues left[1]!

I missed the deadline that I set for the end of last week, but I will
have the time to do the release candidate on Wednesday.  In the
meantime, please don't hesitate to review and update JIRA, merge and
cherry-pick PRs that are appropriate for a minor release.

All my best, Ryan

[1]: https://issues.apache.org/jira/browse/AVRO-3760?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved%20AND%20status%20!%3D%20Closed

On Tue, Jun 13, 2023 at 6:46 PM Ryan Skraba <ry...@skraba.com> wrote:
>
> Hello!
>
> I've done a pretty thorough report of what needed to be cherry-picked,
> and set it up at https://github.com/apache/avro/pull/2284 -- I almost
> hit the PR message size limit!
>
> This PR shouldn't be merge-squashed, but I wanted to have the
> documentation there and give people a chance to take a look before I
> commit them to the branch-1.11.
>
> There are still some open PRs that are targeted for 1.11.2, and I'd
> love to get to them and get them into the release.  Eyes on those are
> welcome as well, of course!  My timeline is to get those merged and
> have a RC1 for the end of the week.  Thanks everyone for your
> extraordinary patience!
>
> All my best, Ryan
>
>
>
>
> On Thu, May 25, 2023 at 9:25 PM Ryan Skraba <ry...@skraba.com> wrote:
> >
> > Hey everyone -- May has been a pretty busy month for me, I just wanted
> > to get back here and assure people that I'm still working on
> > cherry-picking from master to branch-1.11 in order to prepare a 1.11.2
> > release candidate.
> >
> > If you have any suggestions to make this an easier event in the
> > future, I think we would all love to hear them!
> >
> > All my best, Ryan
> >
> > On Fri, Apr 21, 2023 at 6:21 PM Ryan Skraba <ry...@skraba.com> wrote:
> > >
> > > Hey!  Thanks so much for the vote -- yeah, this is long overdue!
> > >
> > > My assumption was that the branch would be ready to be released at any
> > > moment, but it looks like ... it's really not :/
> > >
> > > There's a couple of things happening here:
> > >
> > > 1) the release process is showing its age and is really disconnected
> > > from the GitHub CI (not at all the same tools being used to build
> > > nightly as release).  My dearest wish is the next major version drops
> > > the ubertool docker!
> > >
> > > 2) the 1.11.x branch is not run under CI ... ever!
> > >
> > > 3) but mainly Kudos to the committers (not only Martin, but he does
> > > get a special call out! :heart:) who have been rigorously
> > > cherry-picking commits from master into the branch!   This helps keep
> > > it in a good, known state.
> > >
> > > My intention was to have a Release Candidate before the end of the
> > > month, but I ran out of time and I'll be travelling for the next 7
> > > days!  I should be present on the mailing list but not able to
> > > continue my work on getting the branch into shape.  I'm willing to
> > > pick this up when I get back!
> > >
> > > In the meantime, anyone is welcome to work on the branch and propose
> > > cherry-picks or PRs.
> > >
> > > All my best and see you in a week, Ryan
> > >
> > > On Wed, Apr 12, 2023 at 1:58 AM Eric Johnson <er...@apache.org> wrote:
> > > >
> > > > Hi Avro folks,
> > > >
> > > > A project I'm working on uses Avro and noticed this thread with the intent
> > > > to resolve the known CVE issues with jackson-* deps. From what I can
> > > > determine, an Avro release would need to wait for Jackson 2.15
> > > > <https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
> > > > also your assessment?
> > > >
> > > > I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
> > > > user.
> > > >
> > > > Kind regards, Eric
> > > >
> > > > On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <ry...@skraba.com> wrote:
> > > >
> > > > > :D  Doing another minor release is also related to the thread of
> > > > > whether or not there could be an LTS version, or supporting more than
> > > > > one version of Avro!
> > > > >
> > > > > Throughout the last year, we've been pretty good about cherry-picking
> > > > > bugfixes into the 1.11 branch when they are relevant and useful, so
> > > > > doing the 1.11.2 release should pretty much be a non-event!  The
> > > > > exception seems to be some JIRA and PRs that were "grandfathered" into
> > > > > the next minor release because of lack of attention (which is another
> > > > > issue entirely that we really should be addressing...)
> > > > >
> > > > > I'd like to do the 1.11.2 in order to address the automated security
> > > > > warnings for security scanning tools (see
> > > > > https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> > > > > don't believe either of the CVEs is exploitable via Avro, but it's
> > > > > always a good practice to not drag them into the dependency graph if
> > > > > we can!
> > > > >
> > > > > Please do not stop contributing to 1.12.0, of course!  That should be
> > > > > the destination for the great new features that belong to a major
> > > > > release!
> > > > >
> > > > > All my best, Ryan
> > > > >
> > > > > On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> > > > > <os...@westravanholthe.nl> wrote:
> > > > > >
> > > > > > On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
> > > > > >
> > > > > > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > > > > > state to do a 1.11.2 release?
> > > > > >
> > > > > >
> > > > > > > [...] If I remember correctly, there
> > > > > > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > > > > > >
> > > > > > > [...]
> > > > > > > [1]
> > > > > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > > > > >
> > > > > >
> > > > > > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > > > > > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > > > > > support for Python/Rust/...
> > > > > >
> > > > > >
> > > > > > Kind regards,
> > > > > > Oscar
> > > > > >
> > > > > > --
> > > > > > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
> > > > >

Re: [DISCUSS] Release Avro 1.11.2

Posted by Ryan Skraba <ry...@skraba.com>.
Hello!

I've done a pretty thorough report of what needed to be cherry-picked,
and set it up at https://github.com/apache/avro/pull/2284 -- I almost
hit the PR message size limit!

This PR shouldn't be merge-squashed, but I wanted to have the
documentation there and give people a chance to take a look before I
commit them to the branch-1.11.

There are still some open PRs that are targeted for 1.11.2, and I'd
love to get to them and get them into the release.  Eyes on those are
welcome as well, of course!  My timeline is to get those merged and
have a RC1 for the end of the week.  Thanks everyone for your
extraordinary patience!

All my best, Ryan




On Thu, May 25, 2023 at 9:25 PM Ryan Skraba <ry...@skraba.com> wrote:
>
> Hey everyone -- May has been a pretty busy month for me, I just wanted
> to get back here and assure people that I'm still working on
> cherry-picking from master to branch-1.11 in order to prepare a 1.11.2
> release candidate.
>
> If you have any suggestions to make this an easier event in the
> future, I think we would all love to hear them!
>
> All my best, Ryan
>
> On Fri, Apr 21, 2023 at 6:21 PM Ryan Skraba <ry...@skraba.com> wrote:
> >
> > Hey!  Thanks so much for the vote -- yeah, this is long overdue!
> >
> > My assumption was that the branch would be ready to be released at any
> > moment, but it looks like ... it's really not :/
> >
> > There's a couple of things happening here:
> >
> > 1) the release process is showing its age and is really disconnected
> > from the GitHub CI (not at all the same tools being used to build
> > nightly as release).  My dearest wish is the next major version drops
> > the ubertool docker!
> >
> > 2) the 1.11.x branch is not run under CI ... ever!
> >
> > 3) but mainly Kudos to the committers (not only Martin, but he does
> > get a special call out! :heart:) who have been rigorously
> > cherry-picking commits from master into the branch!   This helps keep
> > it in a good, known state.
> >
> > My intention was to have a Release Candidate before the end of the
> > month, but I ran out of time and I'll be travelling for the next 7
> > days!  I should be present on the mailing list but not able to
> > continue my work on getting the branch into shape.  I'm willing to
> > pick this up when I get back!
> >
> > In the meantime, anyone is welcome to work on the branch and propose
> > cherry-picks or PRs.
> >
> > All my best and see you in a week, Ryan
> >
> > On Wed, Apr 12, 2023 at 1:58 AM Eric Johnson <er...@apache.org> wrote:
> > >
> > > Hi Avro folks,
> > >
> > > A project I'm working on uses Avro and noticed this thread with the intent
> > > to resolve the known CVE issues with jackson-* deps. From what I can
> > > determine, an Avro release would need to wait for Jackson 2.15
> > > <https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
> > > also your assessment?
> > >
> > > I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
> > > user.
> > >
> > > Kind regards, Eric
> > >
> > > On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <ry...@skraba.com> wrote:
> > >
> > > > :D  Doing another minor release is also related to the thread of
> > > > whether or not there could be an LTS version, or supporting more than
> > > > one version of Avro!
> > > >
> > > > Throughout the last year, we've been pretty good about cherry-picking
> > > > bugfixes into the 1.11 branch when they are relevant and useful, so
> > > > doing the 1.11.2 release should pretty much be a non-event!  The
> > > > exception seems to be some JIRA and PRs that were "grandfathered" into
> > > > the next minor release because of lack of attention (which is another
> > > > issue entirely that we really should be addressing...)
> > > >
> > > > I'd like to do the 1.11.2 in order to address the automated security
> > > > warnings for security scanning tools (see
> > > > https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> > > > don't believe either of the CVEs is exploitable via Avro, but it's
> > > > always a good practice to not drag them into the dependency graph if
> > > > we can!
> > > >
> > > > Please do not stop contributing to 1.12.0, of course!  That should be
> > > > the destination for the great new features that belong to a major
> > > > release!
> > > >
> > > > All my best, Ryan
> > > >
> > > > On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> > > > <os...@westravanholthe.nl> wrote:
> > > > >
> > > > > On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
> > > > >
> > > > > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > > > > state to do a 1.11.2 release?
> > > > >
> > > > >
> > > > > > [...] If I remember correctly, there
> > > > > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > > > > >
> > > > > > [...]
> > > > > > [1]
> > > > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > > > >
> > > > >
> > > > > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > > > > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > > > > support for Python/Rust/...
> > > > >
> > > > >
> > > > > Kind regards,
> > > > > Oscar
> > > > >
> > > > > --
> > > > > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
> > > >

Re: [DISCUSS] Release Avro 1.11.2

Posted by Ryan Skraba <ry...@skraba.com>.
Hey everyone -- May has been a pretty busy month for me, I just wanted
to get back here and assure people that I'm still working on
cherry-picking from master to branch-1.11 in order to prepare a 1.11.2
release candidate.

If you have any suggestions to make this an easier event in the
future, I think we would all love to hear them!

All my best, Ryan

On Fri, Apr 21, 2023 at 6:21 PM Ryan Skraba <ry...@skraba.com> wrote:
>
> Hey!  Thanks so much for the vote -- yeah, this is long overdue!
>
> My assumption was that the branch would be ready to be released at any
> moment, but it looks like ... it's really not :/
>
> There's a couple of things happening here:
>
> 1) the release process is showing its age and is really disconnected
> from the GitHub CI (not at all the same tools being used to build
> nightly as release).  My dearest wish is the next major version drops
> the ubertool docker!
>
> 2) the 1.11.x branch is not run under CI ... ever!
>
> 3) but mainly Kudos to the committers (not only Martin, but he does
> get a special call out! :heart:) who have been rigorously
> cherry-picking commits from master into the branch!   This helps keep
> it in a good, known state.
>
> My intention was to have a Release Candidate before the end of the
> month, but I ran out of time and I'll be travelling for the next 7
> days!  I should be present on the mailing list but not able to
> continue my work on getting the branch into shape.  I'm willing to
> pick this up when I get back!
>
> In the meantime, anyone is welcome to work on the branch and propose
> cherry-picks or PRs.
>
> All my best and see you in a week, Ryan
>
> On Wed, Apr 12, 2023 at 1:58 AM Eric Johnson <er...@apache.org> wrote:
> >
> > Hi Avro folks,
> >
> > A project I'm working on uses Avro and noticed this thread with the intent
> > to resolve the known CVE issues with jackson-* deps. From what I can
> > determine, an Avro release would need to wait for Jackson 2.15
> > <https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
> > also your assessment?
> >
> > I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
> > user.
> >
> > Kind regards, Eric
> >
> > On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <ry...@skraba.com> wrote:
> >
> > > :D  Doing another minor release is also related to the thread of
> > > whether or not there could be an LTS version, or supporting more than
> > > one version of Avro!
> > >
> > > Throughout the last year, we've been pretty good about cherry-picking
> > > bugfixes into the 1.11 branch when they are relevant and useful, so
> > > doing the 1.11.2 release should pretty much be a non-event!  The
> > > exception seems to be some JIRA and PRs that were "grandfathered" into
> > > the next minor release because of lack of attention (which is another
> > > issue entirely that we really should be addressing...)
> > >
> > > I'd like to do the 1.11.2 in order to address the automated security
> > > warnings for security scanning tools (see
> > > https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> > > don't believe either of the CVEs is exploitable via Avro, but it's
> > > always a good practice to not drag them into the dependency graph if
> > > we can!
> > >
> > > Please do not stop contributing to 1.12.0, of course!  That should be
> > > the destination for the great new features that belong to a major
> > > release!
> > >
> > > All my best, Ryan
> > >
> > > On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> > > <os...@westravanholthe.nl> wrote:
> > > >
> > > > On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
> > > >
> > > > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > > > state to do a 1.11.2 release?
> > > >
> > > >
> > > > > [...] If I remember correctly, there
> > > > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > > > >
> > > > > [...]
> > > > > [1]
> > > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > > >
> > > >
> > > > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > > > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > > > support for Python/Rust/...
> > > >
> > > >
> > > > Kind regards,
> > > > Oscar
> > > >
> > > > --
> > > > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
> > >

Re: [DISCUSS] Release Avro 1.11.2

Posted by Ryan Skraba <ry...@skraba.com>.
Hey!  Thanks so much for the vote -- yeah, this is long overdue!

My assumption was that the branch would be ready to be released at any
moment, but it looks like ... it's really not :/

There's a couple of things happening here:

1) the release process is showing its age and is really disconnected
from the GitHub CI (not at all the same tools being used to build
nightly as release).  My dearest wish is the next major version drops
the ubertool docker!

2) the 1.11.x branch is not run under CI ... ever!

3) but mainly Kudos to the committers (not only Martin, but he does
get a special call out! :heart:) who have been rigorously
cherry-picking commits from master into the branch!   This helps keep
it in a good, known state.

My intention was to have a Release Candidate before the end of the
month, but I ran out of time and I'll be travelling for the next 7
days!  I should be present on the mailing list but not able to
continue my work on getting the branch into shape.  I'm willing to
pick this up when I get back!

In the meantime, anyone is welcome to work on the branch and propose
cherry-picks or PRs.

All my best and see you in a week, Ryan

On Wed, Apr 12, 2023 at 1:58 AM Eric Johnson <er...@apache.org> wrote:
>
> Hi Avro folks,
>
> A project I'm working on uses Avro and noticed this thread with the intent
> to resolve the known CVE issues with jackson-* deps. From what I can
> determine, an Avro release would need to wait for Jackson 2.15
> <https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
> also your assessment?
>
> I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
> user.
>
> Kind regards, Eric
>
> On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <ry...@skraba.com> wrote:
>
> > :D  Doing another minor release is also related to the thread of
> > whether or not there could be an LTS version, or supporting more than
> > one version of Avro!
> >
> > Throughout the last year, we've been pretty good about cherry-picking
> > bugfixes into the 1.11 branch when they are relevant and useful, so
> > doing the 1.11.2 release should pretty much be a non-event!  The
> > exception seems to be some JIRA and PRs that were "grandfathered" into
> > the next minor release because of lack of attention (which is another
> > issue entirely that we really should be addressing...)
> >
> > I'd like to do the 1.11.2 in order to address the automated security
> > warnings for security scanning tools (see
> > https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> > don't believe either of the CVEs is exploitable via Avro, but it's
> > always a good practice to not drag them into the dependency graph if
> > we can!
> >
> > Please do not stop contributing to 1.12.0, of course!  That should be
> > the destination for the great new features that belong to a major
> > release!
> >
> > All my best, Ryan
> >
> > On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> > <os...@westravanholthe.nl> wrote:
> > >
> > > On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
> > >
> > > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > > state to do a 1.11.2 release?
> > >
> > >
> > > > [...] If I remember correctly, there
> > > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > > >
> > > > [...]
> > > > [1]
> > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> > >
> > >
> > > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > > support for Python/Rust/...
> > >
> > >
> > > Kind regards,
> > > Oscar
> > >
> > > --
> > > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
> >

Re: [DISCUSS] Release Avro 1.11.2

Posted by Eric Johnson <er...@apache.org>.
Hi Avro folks,

A project I'm working on uses Avro and noticed this thread with the intent
to resolve the known CVE issues with jackson-* deps. From what I can
determine, an Avro release would need to wait for Jackson 2.15
<https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
also your assessment?

I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
user.

Kind regards, Eric

On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <ry...@skraba.com> wrote:

> :D  Doing another minor release is also related to the thread of
> whether or not there could be an LTS version, or supporting more than
> one version of Avro!
>
> Throughout the last year, we've been pretty good about cherry-picking
> bugfixes into the 1.11 branch when they are relevant and useful, so
> doing the 1.11.2 release should pretty much be a non-event!  The
> exception seems to be some JIRA and PRs that were "grandfathered" into
> the next minor release because of lack of attention (which is another
> issue entirely that we really should be addressing...)
>
> I'd like to do the 1.11.2 in order to address the automated security
> warnings for security scanning tools (see
> https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> don't believe either of the CVEs is exploitable via Avro, but it's
> always a good practice to not drag them into the dependency graph if
> we can!
>
> Please do not stop contributing to 1.12.0, of course!  That should be
> the destination for the great new features that belong to a major
> release!
>
> All my best, Ryan
>
> On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> <os...@westravanholthe.nl> wrote:
> >
> > On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
> >
> > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > state to do a 1.11.2 release?
> >
> >
> > > [...] If I remember correctly, there
> > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > >
> > > [...]
> > > [1]
> > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> >
> >
> > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > support for Python/Rust/...
> >
> >
> > Kind regards,
> > Oscar
> >
> > --
> > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
>

Re: [DISCUSS] Release Avro 1.11.2

Posted by Ryan Skraba <ry...@skraba.com>.
:D  Doing another minor release is also related to the thread of
whether or not there could be an LTS version, or supporting more than
one version of Avro!

Throughout the last year, we've been pretty good about cherry-picking
bugfixes into the 1.11 branch when they are relevant and useful, so
doing the 1.11.2 release should pretty much be a non-event!  The
exception seems to be some JIRA and PRs that were "grandfathered" into
the next minor release because of lack of attention (which is another
issue entirely that we really should be addressing...)

I'd like to do the 1.11.2 in order to address the automated security
warnings for security scanning tools (see
https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
don't believe either of the CVEs is exploitable via Avro, but it's
always a good practice to not drag them into the dependency graph if
we can!

Please do not stop contributing to 1.12.0, of course!  That should be
the destination for the great new features that belong to a major
release!

All my best, Ryan

On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
<os...@westravanholthe.nl> wrote:
>
> On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:
>
> > Hey all, I'd like to bring this discussion back to life -- are we in a
> > state to do a 1.11.2 release?
>
>
> > [...] If I remember correctly, there
> > wasn't much left in JIRA unresolved for 1.11.2! [1]
> >
> > [...]
> > [1]
> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
>
>
> Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> support for Python/Rust/...
>
>
> Kind regards,
> Oscar
>
> --
> Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>

Re: [DISCUSS] Release Avro 1.11.2

Posted by Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>.
On Thu, 9 Mar 2023 22:14, Ryan Skraba <ry...@skraba.com> wrote:

> Hey all, I'd like to bring this discussion back to life -- are we in a
> state to do a 1.11.2 release?


> [...] If I remember correctly, there
> wasn't much left in JIRA unresolved for 1.11.2! [1]
>
> [...]
> [1]
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved


Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
support for Python/Rust/...


Kind regards,
Oscar

--
Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>