
When to expect a new release?

Open harsimranmaan opened this issue 1 year ago • 3 comments

There are some public golang CVEs that require addressing in the suc. Per the security policy, these are patched during the dev cycle. Is there a cadence to expect such patch releases?

harsimranmaan avatar Jul 02 '24 15:07 harsimranmaan

Hi team, can I get some eyes on the related PR? Thanks for your time.

harsimranmaan avatar Aug 12 '24 18:08 harsimranmaan

There are a couple packaging issues I want to fix before we do another release. It is on my radar for sometime in the next week or two.

brandond avatar Aug 12 '24 18:08 brandond

Sure, thanks. Lemme know if I can help

harsimranmaan avatar Aug 12 '24 20:08 harsimranmaan

Please note that it is desired that the next release be tagged >= v0.15.0 as v0.14.0 was likely published in the past and deleted as evident from the entries in gosumdb. https://pkg.go.dev/github.com/rancher/system-upgrade-controller?tab=versions

harsimranmaan avatar Aug 28 '24 17:08 harsimranmaan

@brandond Any updates?

buroa avatar Sep 12 '24 13:09 buroa

Hi team, it would be great if a new release could be published as suc gets flagged for multiple critical vulns. The patches have been merged already.

harsimranmaan avatar Sep 17 '24 18:09 harsimranmaan

@brandond Do you need any help to get this moving?

kashalls avatar Sep 21 '24 02:09 kashalls

Sorry, there was a bunch of release CI stuff to fix - the changes from https://github.com/rancher/system-upgrade-controller/pull/311 did not actually work to move image publish CI over to GHA.

v0.14.0 should work.

brandond avatar Sep 26 '24 02:09 brandond

Thanks Brandon, but could the release be bumped to v0.15.0? 0.14.0 was likely published in the past and recalled, it seems, as gosumdb already has entries for it with a different shasum. Please see https://pkg.go.dev/github.com/rancher/system-upgrade-controller?tab=versions

harsimranmaan avatar Sep 26 '24 15:09 harsimranmaan

I'm not able to find any references to that tag on GH or Docker Hub, so I have no idea where that would have come from. I can tag 0.15.0 next week when I am back in the office.

You can use v0.14.0-rc4 in the meantime, as that points at the same commit.

brandond avatar Sep 26 '24 17:09 brandond