Hello sig-release and sig-architecture folks,
A recurring topic over the past few years has been the difficulty of consistently picking up new minor versions of go on release branches, resulting in Kubernetes patch releases using out-of-support go versions missing fixes to published CVEs. This has come up while talking through wg-lts possibilities, the annual support KEP, security scanning efforts, and downstream support of Kubernetes minor versions.
Even though updating go minor versions on release branches is not unprecedented (Kubernetes 1.16.5 moved to go1.13, and this month's 1.23 and 1.24 patch releases move to go1.19), our ability to do that has been heavily reliant on the changes in particular go versions, so we haven't been able to make a process to apply those updates automatically and safely.
Surfacing these difficulties to the go team prompted a discussion, proposal, talk at GopherCon, and a design for improving go's backward compatibility in ways that would allow projects like Kubernetes to update to current go versions while retaining runtime behavior compatible with previous versions for a period of time.
With that proposal likely to be accepted, and an open request to document Kubernetes' approach to updating go on release branches, I went ahead and opened an initial draft for KEP-3744: Stay on supported go versions to propose a set of requirements and a process for updating minor versions of go on Kubernetes release branches. Please take a look if you're interested!
Thanks,
Jordan