Neal Patel (Gerrit)

unread,

Mar 30, 2026, 2:51:03 PMMar 30

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Neal Patel has uploaded the change for review

Commit message

relmeta: add ReleaseMilestone and SecurityPatch definitions

Updates golang/go#76157
Updates golang/go#77214
Updates golang/go#78458

Change-Id: I0a8c16822d05f06e51d2b11a98655cfad416e24c

Change diff

diff --git a/relmeta/relmeta.go b/relmeta/relmeta.go
new file mode 100644
index 0000000..dc6d61c
--- /dev/null
+++ b/relmeta/relmeta.go
@@ -0,0 +1,48 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package relmeta aims to improve the
+// coordination and correctness of Go
+// Security Releases.
+//
+// Any API described by this package is
+// meant for internal use only; it is not
+// subject to the Go 1 compatibility promise
+// and may change at any time.
+package relmeta
+
+// ReleaseMilestone describes all of the
+// self-contained patches which are part
+// of a given Go Security Release.
+type ReleaseMilestone struct {
+	ID      int64            `yaml:"id"`
+	Patches []*SecurityPatch `yaml:"security_patches"`
+}
+
+// SecurityPatch is a self-contained body
+// of work that addresses a vulnerability.
+type SecurityPatch struct {
+	ID               int64           `yaml:"id"`
+	Track            GoSecurityTrack `yaml:"track"`
+	Toolchain        bool            `yaml:"is_toolchain"`
+	Package          string          `yaml:"package"`
+	Changelists      []string        `yaml:"changelists"`
+	ReleaseNote      string          `yaml:"release_note"`
+	TargetedReleases []string        `yaml:"target_releases,omitempty"`
+	GitHubIssueID    int64           `yaml:"github_issue_id"`
+	Credits          []string        `yaml:"credits"`
+	CVE              string          `yaml:"cve"`
+	CWE              string          `yaml:"cwe"`
+	// TODO(nealpatel): Associate the VulnDB
+	// Report struct once it is exported.
+	// VulnReport       vulndb.Report `yaml:"vuln_report"`
+}
+
+type GoSecurityTrack string
+
+const (
+	Public  GoSecurityTrack = "PUBLIC"
+	Private GoSecurityTrack = "PRIVATE"
+	Urgent  GoSecurityTrack = "URGENT"
+)

Change information

Files:

A relmeta/relmeta.go

Change size: S

Delta: 1 file changed, 48 insertions(+), 0 deletions(-)

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Mar 30, 2026, 2:51:39 PMMar 30

to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Damien Neil, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Mar 30, 2026, 2:54:31 PMMar 30

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil, Dmitri Shuralyov and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #2 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Mar 30, 2026, 2:54:39 PMMar 30

to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Damien Neil, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Mar 30, 2026, 4:11:19 PMMar 30

to Neal Patel, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Go LUCI, Damien Neil, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Dmitri Shuralyov voted and added 4 comments

Votes added by Dmitri Shuralyov

Code-Review

+2

4 comments

Patchset-level comments

File-level comment, Patchset 2 (Latest):

Dmitri Shuralyov . resolved

Thanks.

File relmeta/relmeta.go

Line 25, Patchset 2 (Latest):type SecurityPatch struct {

Dmitri Shuralyov . resolved

I'll note that it's somewhat unclear how exactly values would be represented in some of the fields because they're not documented: for example, `Changelists []string` might be a slice of URLs, or CL numbers encoded as strings, or Gerrit-style `project~number` IDs.

If it is known, adding a bit of field documentation to resolve such ambiguities can be helpful. It might not be known yet, in which case it's fine. Compare with struct field docs for https://pkg.go.dev/golang.org/x/build/internal/task#PromotedAPI or [releaseAnnouncement](https://cs.opensource.google/go/x/build/+/master:internal/task/announce.go;l=39-65;drc=b23b4805217d5381f5537edb6fa118c0b0330945).

Just pointing this out as room for future improvement; it's fine to leave this out of scope until it's a better time to document these specifics.

Line 32, Patchset 2 (Latest): TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . unresolved

Is it intentional that the yaml name is "target_releases", while the Go struct field has an extra "ed" after "target"?

Line 32, Patchset 2 (Latest): TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . resolved

A note about "omitempty": usually this has effect only when encoding, not when decoding. If these structs aren't intended to cover the encoding cases, it can be left out.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Mar 30, 2026, 4:11:29 PMMar 30

to Neal Patel, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Go LUCI, Damien Neil, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Dmitri Shuralyov voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Mar 31, 2026, 2:59:52 PMMar 31

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #3 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Mar 31, 2026, 2:59:52 PMMar 31

to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, Go LUCI, Damien Neil, golang-co...@googlegroups.com

Attention needed from Damien Neil

Neal Patel added 3 comments

File relmeta/relmeta.go

Line 25, Patchset 2:type SecurityPatch struct {

Dmitri Shuralyov . resolved

I'll note that it's somewhat unclear how exactly values would be represented in some of the fields because they're not documented: for example, `Changelists []string` might be a slice of URLs, or CL numbers encoded as strings, or Gerrit-style `project~number` IDs.
If it is known, adding a bit of field documentation to resolve such ambiguities can be helpful. It might not be known yet, in which case it's fine. Compare with struct field docs for https://pkg.go.dev/golang.org/x/build/internal/task#PromotedAPI or [releaseAnnouncement](https://cs.opensource.google/go/x/build/+/master:internal/task/announce.go;l=39-65;drc=b23b4805217d5381f5537edb6fa118c0b0330945).
Just pointing this out as room for future improvement; it's fine to leave this out of scope until it's a better time to document these specifics.

Neal Patel

The ambiguity is intentional here. We have an idea, but not a contract yet.

Line 32, Patchset 2: TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . resolved

A note about "omitempty": usually this has effect only when encoding, not when decoding. If these structs aren't intended to cover the encoding cases, it can be left out.

Neal Patel

Yup! This captures the intention for encode case.

Line 32, Patchset 2: TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . resolved

Is it intentional that the yaml name is "target_releases", while the Go struct field has an extra "ed" after "target"?

Neal Patel

It's not; thanks for catching!

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Damien Neil (Gerrit)

unread,

Mar 31, 2026, 6:02:02 PMMar 31

to Neal Patel, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, Go LUCI, golang-co...@googlegroups.com

Attention needed from Neal Patel

Damien Neil voted Code-Review+2

Code-Review

+2

Open in Gerrit

Related details

Attention is currently required from:

Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 1, 2026, 10:52:24 AMApr 1

to goph...@pubsubhelper.golang.org, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, Go LUCI, golang-co...@googlegroups.com

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:01:25 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #4 to this change.

Following approvals got outdated and were removed:

Code-Review: +1 by Dmitri Shuralyov, +2 by Dmitri Shuralyov, +2 by Damien Neil
TryBots-Pass: LUCI-TryBot-Result+1 by golang...@luci-project-accounts.iam.gserviceaccount.com

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov
Dmitri Shuralyov
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:02:21 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #5 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov
Dmitri Shuralyov
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:02:39 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil, Dmitri Shuralyov and Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Apr 28, 2026, 2:03:35 PM (15 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil, Dmitri Shuralyov and Neal Patel

Dmitri Shuralyov added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov
Neal Patel

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:05:12 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . resolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:05:15 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #6 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result-1 by golang...@luci-project-accounts.iam.gserviceaccount.com

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:05:19 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:05:34 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:06:43 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Apr 28, 2026, 2:11:20 PM (15 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Dmitri Shuralyov added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Dmitri Shuralyov

It's because a requirement on the golang.org/x/vulndb module is added, and that module requires 1.26.2:

https://cs.opensource.google/go/x/vulndb/+/master:go.mod;l=3;drc=5571712294b453fa4be80698d7da328e142b1187

Given this is adding a fairly small struct, I don't think it warrants increasing the minimum go language requirement. Perhaps x/vulndb module requirement can be lowered, or if that's really not viable, then maybe maintaining a copy of that struct is less expensive.

The Go release policy is that we support both 1.26 and 1.25 equally, and even though x/build is an internal repo, it's imported by by x/website, so I prefer not to raise its minimum requirement unless we really have no better choice, and it seems it should be easily avoidable here.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:13:22 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Dmitri Shuralyov

It's because a requirement on the golang.org/x/vulndb module is added, and that module requires 1.26.2:
https://cs.opensource.google/go/x/vulndb/+/master:go.mod;l=3;drc=5571712294b453fa4be80698d7da328e142b1187
Given this is adding a fairly small struct, I don't think it warrants increasing the minimum go language requirement. Perhaps x/vulndb module requirement can be lowered, or if that's really not viable, then maybe maintaining a copy of that struct is less expensive.
The Go release policy is that we support both 1.26 and 1.25 equally, and even though x/build is an internal repo, it's imported by by x/website, so I prefer not to raise its minimum requirement unless we really have no better choice, and it seems it should be easily avoidable here.

Neal Patel

Agree.
Reasonable to bump x/vulndb down.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 2:14:19 PM (15 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel added 1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Dmitri Shuralyov

It's because a requirement on the golang.org/x/vulndb module is added, and that module requires 1.26.2:
https://cs.opensource.google/go/x/vulndb/+/master:go.mod;l=3;drc=5571712294b453fa4be80698d7da328e142b1187
Given this is adding a fairly small struct, I don't think it warrants increasing the minimum go language requirement. Perhaps x/vulndb module requirement can be lowered, or if that's really not viable, then maybe maintaining a copy of that struct is less expensive.
The Go release policy is that we support both 1.26 and 1.25 equally, and even though x/build is an internal repo, it's imported by by x/website, so I prefer not to raise its minimum requirement unless we really have no better choice, and it seems it should be easily avoidable here.

Neal Patel

Agree.
Reasonable to bump x/vulndb down.

Neal Patel

Actually, x/vulndb cannot be bumped down due to how it functions.

unsatisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Apr 28, 2026, 5:39:07 PM (12 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Dmitri Shuralyov added 2 comments

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . unresolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Dmitri Shuralyov

It's because a requirement on the golang.org/x/vulndb module is added, and that module requires 1.26.2:
https://cs.opensource.google/go/x/vulndb/+/master:go.mod;l=3;drc=5571712294b453fa4be80698d7da328e142b1187
Given this is adding a fairly small struct, I don't think it warrants increasing the minimum go language requirement. Perhaps x/vulndb module requirement can be lowered, or if that's really not viable, then maybe maintaining a copy of that struct is less expensive.
The Go release policy is that we support both 1.26 and 1.25 equally, and even though x/build is an internal repo, it's imported by by x/website, so I prefer not to raise its minimum requirement unless we really have no better choice, and it seems it should be easily avoidable here.

Neal Patel

Agree.
Reasonable to bump x/vulndb down.

Neal Patel

Actually, x/vulndb cannot be bumped down due to how it functions.

Dmitri Shuralyov

Filed issue #79001 for it.

Line 7, Patchset 6 (Latest): cloud.google.com/go/cloudbuild v1.15.0

Dmitri Shuralyov . resolved

These updates are reasonable but a slight preference to break them out into a separate CL, since it's pretty unrelated. Sent you CL 771740.

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 5:48:29 PM (11 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Damien Neil and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #7 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result+1 by golang...@luci-project-accounts.iam.gserviceaccount.com

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 5:48:43 PM (11 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Damien Neil and Dmitri Shuralyov

Neal Patel voted and added 1 comment

Votes added by Neal Patel

Commit-Queue

+1

1 comment

File go.mod

Line 3, Patchset 4:go 1.26.2

Dmitri Shuralyov . resolved

Is raising the x/build module minimum requirement from 1.25.0 to 1.26.2 intentional?

Neal Patel

It was not intentional. Reverted.

Neal Patel

`go mod tidy` bumps.

Dmitri Shuralyov

It's because a requirement on the golang.org/x/vulndb module is added, and that module requires 1.26.2:
https://cs.opensource.google/go/x/vulndb/+/master:go.mod;l=3;drc=5571712294b453fa4be80698d7da328e142b1187
Given this is adding a fairly small struct, I don't think it warrants increasing the minimum go language requirement. Perhaps x/vulndb module requirement can be lowered, or if that's really not viable, then maybe maintaining a copy of that struct is less expensive.
The Go release policy is that we support both 1.26 and 1.25 equally, and even though x/build is an internal repo, it's imported by by x/website, so I prefer not to raise its minimum requirement unless we really have no better choice, and it seems it should be easily avoidable here.

Neal Patel

Agree.
Reasonable to bump x/vulndb down.

Neal Patel

Actually, x/vulndb cannot be bumped down due to how it functions.

Dmitri Shuralyov

Filed issue #79001 for it.

Neal Patel

Thanks!!

Open in Gerrit

Related details

Attention is currently required from:

Damien Neil
Dmitri Shuralyov

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 5:58:04 PM (11 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Dmitri Shuralyov and Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #8 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Dmitri Shuralyov
Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 5:58:14 PM (11 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Apr 28, 2026, 6:15:35 PM (11 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, Dmitri Shuralyov, golang-co...@googlegroups.com

Attention needed from Neal Patel

Dmitri Shuralyov voted and added 3 comments

Votes added by Dmitri Shuralyov

Code-Review

+2

3 comments

Patchset-level comments

File-level comment, Patchset 8 (Latest):

Dmitri Shuralyov . resolved

Thanks. Two questions about fields that stood out to me, but I expect you're more familiar with what they're intended to be.

File relmeta/relmeta.go

Line 21, Patchset 8 (Latest): ID int64 `yaml:"id"`

Dmitri Shuralyov . unresolved

Is `ID` right here? I expect it might've intended to be BuganizerID / `buganizer_id` based on [here](https://cs.opensource.google/go/x/build/+/master:internal/task/security_release_coalesce.go;l=155;drc=177d1e91b1c5109b44165e98c7d8a032e07bb6ed) and [here](https://cs.opensource.google/go/x/build/+/master:internal/task/security_release_coalesce_test.go;l=138;drc=177d1e91b1c5109b44165e98c7d8a032e07bb6ed).

Line 32, Patchset 2: TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . unresolved

Is it intentional that the yaml name is "target_releases", while the Go struct field has an extra "ed" after "target"?

Neal Patel

It's not; thanks for catching!

Dmitri Shuralyov

This was resolved by adding "ed" to the field name, but is it possible you intended to drop "ed" from the yaml name instead? Asking because both in CL 771721 and in the security-metadata yaml I still see "target_releases" being used, and as a name it seems to make sense (e.g., "the target releases for such and such security fix are go1.4.1 and go1.3.1").

Open in Gerrit

Related details

Attention is currently required from:

Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dmitri Shuralyov (Gerrit)

unread,

Apr 28, 2026, 6:17:42 PM (11 hours ago) Apr 28

to Neal Patel, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Attention needed from Neal Patel

Dmitri Shuralyov voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 8:43:47 PM (9 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Neal Patel

Neal Patel uploaded new patchset

Neal Patel uploaded patch set #9 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result+1 by golang...@luci-project-accounts.iam.gserviceaccount.com

Open in Gerrit

Related details

Attention is currently required from:

Neal Patel

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 8:44:00 PM (9 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Attention needed from Dmitri Shuralyov

Neal Patel added 2 comments

File relmeta/relmeta.go

Line 21, Patchset 8: ID int64 `yaml:"id"`

Dmitri Shuralyov . unresolved

Is `ID` right here? I expect it might've intended to be BuganizerID / `buganizer_id` based on [here](https://cs.opensource.google/go/x/build/+/master:internal/task/security_release_coalesce.go;l=155;drc=177d1e91b1c5109b44165e98c7d8a032e07bb6ed) and [here](https://cs.opensource.google/go/x/build/+/master:internal/task/security_release_coalesce_test.go;l=138;drc=177d1e91b1c5109b44165e98c7d8a032e07bb6ed).

Neal Patel

Both ReleaseMilestone.ID and SecurityPatch.ID are intended to be opaque. I'm not sure if that's the right choice?

VulnReport.ID is a string of "GO-YYYY-NNNN" format.

Line 32, Patchset 2: TargetedReleases []string `yaml:"target_releases,omitempty"`

Dmitri Shuralyov . resolved

Is it intentional that the yaml name is "target_releases", while the Go struct field has an extra "ed" after "target"?

Neal Patel

It's not; thanks for catching!

Dmitri Shuralyov

This was resolved by adding "ed" to the field name, but is it possible you intended to drop "ed" from the yaml name instead? Asking because both in CL 771721 and in the security-metadata yaml I still see "target_releases" being used, and as a name it seems to make sense (e.g., "the target releases for such and such security fix are go1.4.1 and go1.3.1").

Neal Patel

Yes, too many copies. I want `target_releases`.

Open in Gerrit

Related details

Attention is currently required from:

Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Neal Patel (Gerrit)

unread,

Apr 28, 2026, 8:44:05 PM (9 hours ago) Apr 28

to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Dmitri Shuralyov, golang...@luci-project-accounts.iam.gserviceaccount.com, Damien Neil, golang-co...@googlegroups.com

Attention needed from Dmitri Shuralyov

Neal Patel voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Dmitri Shuralyov

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Reply all

Reply to author

Forward

[build] relmeta: add ReleaseMilestone and SecurityPatch definitions

Neal Patel (Gerrit)

Neal Patel has uploaded the change for review

Commit message

Change diff

Change information

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Dmitri Shuralyov (Gerrit)

Dmitri Shuralyov voted and added 4 comments

Votes added by Dmitri Shuralyov

4 comments

Related details

Dmitri Shuralyov (Gerrit)

Dmitri Shuralyov voted Code-Review+1

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel added 3 comments

Related details

Damien Neil (Gerrit)

Damien Neil voted Code-Review+2

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Dmitri Shuralyov (Gerrit)

Dmitri Shuralyov added 1 comment

Related details

Neal Patel (Gerrit)

Neal Patel added 1 comment

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Neal Patel (Gerrit)

Neal Patel voted Commit-Queue+1

Related details

Neal Patel (Gerrit)

Neal Patel added 1 comment

Related details

Dmitri Shuralyov (Gerrit)

Dmitri Shuralyov added 1 comment

Related details

Neal Patel (Gerrit)

Neal Patel added 1 comment

Related details

Neal Patel (Gerrit)

Neal Patel added 1 comment

Dmitri Shuralyov (Gerrit)

Dmitri Shuralyov added 2 comments

Related details

Neal Patel (Gerrit)

Neal Patel uploaded new patchset

Related details

Neal Patel (Gerrit)

Neal Patel voted and added 1 comment

Votes added by Neal Patel