Re: [security] Go 1.6.3 and Go 1.7rc2 pre-announcement


Brad Fitzpatrick

Jul 16, 2016, 8:08:25 PM
to golang-dev, Ian Lance Taylor, Chris Broadfoot
[-announce, +dev]

I know we normally separate security point releases from other point releases, but we already have https://github.com/golang/go/issues/16354 (macOS Sierra time package fix) waiting for a Go 1.6 release.

Any chance we could combine them, instead of doing a Go 1.6.3 security + Go 1.6.4 for macOS Sierra?



On Fri, Jul 15, 2016 at 4:51 PM, Chris Broadfoot <cb...@golang.org> wrote:
Hello gophers,

We plan to issue Go 1.6.3 and Go 1.7rc2 on Monday July 18 at approximately 2am UTC.
These are minor releases to fix a security issue.

Following our policy at https://golang.org/security, this is the pre-announcement of those releases.

Because we are so late in the release cycle for Go 1.7, we will not issue a minor release of Go 1.5.
Additionally, we plan to issue Go 1.7rc3 later next week, which will include any changes between 1.7rc1 and tip.

Cheers,
Chris on behalf of the Go team

--
You received this message because you are subscribed to the Google Groups "golang-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-announ...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ian Lance Taylor

Jul 17, 2016, 12:44:57 AM
to Brad Fitzpatrick, golang-dev, Chris Broadfoot
On Sat, Jul 16, 2016 at 5:08 PM, Brad Fitzpatrick <brad...@golang.org> wrote:
> [-announce, +dev]
>
> I know we normally separate security point releases from other point
> releases, but we already have https://github.com/golang/go/issues/16354
> (macOS Sierra time package fix) waiting for a Go 1.6 release.
>
> Any chance we could combine them, instead of doing a Go 1.6.3 security + Go
> 1.6.4 for macOS Sierra?

That sounds like a good idea to me if it's OK with our security policy.

Ian

Andrew Gerrand

Jul 17, 2016, 12:14:16 PM
to Ian Lance Taylor, Brad Fitzpatrick, golang-dev, Chris Broadfoot
While it's been our practice to make security releases containing only the security-related fix, our policy doesn't explicitly state that.

I'm in favor of including the Sierra fix in 1.6.3.


Chris Broadfoot

Jul 17, 2016, 12:26:54 PM
to Andrew Gerrand, Ian Lance Taylor, Brad Fitzpatrick, golang-dev
I think that's fine, too. It's certainly less work for us (only perform one release) and our users (only upgrade once).

Our security policy doesn't specify many things, like which major versions/branches we'll release. We talk about the two most recent major versions, but I don't think that's written down anywhere.

Brad Fitzpatrick

Jul 17, 2016, 12:30:48 PM
to Chris Broadfoot, Andrew Gerrand, Ian Lance Taylor, golang-dev
Actually, https://golang.org/security says:

"Fixes are prepared for the current stable release and the head/master revision."

But normally we do more than that (last two stable releases). So doing only Go 1.7rcN and Go 1.6.3 is in line with our documentation.



Chris Broadfoot

Jul 17, 2016, 12:42:46 PM
to Brad Fitzpatrick, Andrew Gerrand, Ian Lance Taylor, golang-dev
Thanks. I missed that. Good to know.

Jakob Borg

Jul 18, 2016, 10:08:42 AM
to Chris Broadfoot, golang-dev
Hi,

> On Fri, Jul 15, 2016 at 4:51 PM, Chris Broadfoot <cb...@golang.org> wrote:
>>
>> Hello gophers,
>>
>> We plan to issue Go 1.6.3 and Go 1.7rc2 on Monday July 18 at approximately
>> 2am UTC.
>> These are minor releases to fix a security issue.

That's about 12 hours ago and the releases aren't out, nor tagged in
the repo from what I can see. Are we still in the "approximately"
window or was there a snag?

//jb

Peter Waller

Jul 18, 2016, 10:13:16 AM
to Jakob Borg, Chris Broadfoot, golang-dev
The release was moved to 4pm.

(In this thread:)

On 16 July 2016 at 00:55, Chris Broadfoot <cb...@golang.org> wrote:
My apologies -- we will target the release for 4pm UTC, not 2am UTC.

Jakob Borg

Jul 18, 2016, 12:45:20 PM
to Peter Waller, Chris Broadfoot, golang-dev
Oh. Whoops, sorry. :)

Chris Broadfoot

Jul 18, 2016, 12:55:15 PM
to Jakob Borg, Peter Waller, golang-dev
No worries. It was my bad - I misread the embargo date.

Binaries are being uploaded right now. Announcement to golang-{nuts,dev,announce} to follow.