
Bump golang version to 1.19.6 for both release-3.5 and release-3.4 and bump golang.org/x/net to v0.7.0 #15332

Closed
ahrtr opened this issue Feb 17, 2023 · 11 comments

@ahrtr
Member

ahrtr commented Feb 17, 2023

What would you like to be added?

For both release-3.5 and release-3.4

  1. Bump golang version to 1.19.6;
  2. Bump golang.org/x/net to v0.7.0 to address CVE GO-2023-1571 . See also security: bump golang.org/x/net to v0.7.0 to address CVE GO-2023-1571 #15331

Why is this needed?

  1. golang 1.17 is out of support; and all active K8s branches (1.23 ~ 1.26) have already bumped to 1.19
  2. Refer to https://pkg.go.dev/vuln/GO-2023-1571
@ahrtr
Member Author

ahrtr commented Feb 17, 2023

cc @mitake @ptabor @serathius @spzala

@fuweid
Member

fuweid commented Feb 17, 2023

@ahrtr it will be included in 3.4.24 release?

@ahrtr
Member Author

ahrtr commented Feb 17, 2023

> @ahrtr it will be included in 3.4.24 release?

3.4.24 is already released, so it will only be included in 3.4.25.

@fuweid
Member

fuweid commented Feb 17, 2023

Thanks! I missed the release notification.

@spzala
Member

spzala commented Feb 17, 2023

cc @tjungblu

@jmhbnz
Member

jmhbnz commented Feb 17, 2023

@ahrtr I'm keen to give this a go if you don't mind? I just want to double check before raising a pull request, as I've done a couple of the good-first-issue contributions recently and I don't mind leaving this if it would be better to let someone else.

@ahrtr
Member Author

ahrtr commented Feb 17, 2023

Thanks @jmhbnz . Just assigned to you.

We are still pending on other maintainers' comment. It's OK to have more discussion under your PR.

@tjungblu
Contributor

Thanks, that helps a lot. Do you guys foresee any challenges with going directly to 1.19?

@serathius
Member

cc @liggitt

@liggitt
Contributor

liggitt commented Mar 2, 2023

> Thanks, that helps a lot. Do you guys foresee any challenges with going directly to 1.19?

Not really... there were only three changes Kubernetes encountered going from go1.17 → go1.19, and they don't seem relevant to etcd:

  • sha-1 support disabled by default (not an issue unless someone is using etcd with insecure certificates, and they can re-enable with a GODEBUG envvar)
  • LookPath returns an error when resolving binaries in the current directory (I don't see etcd using this)
  • GC tuning differences that improved latency but could increase peak memory use in kube-apiserver (we didn't see this in all components or clusters, only specific kubernetes configurations, and this was tunable to get the go1.17 balance back by setting a GOGC envvar)

@ahrtr
Member Author

ahrtr commented Mar 6, 2023

Completed.
