rancher / system-upgrade-controller

In your Kubernetes, upgrading your nodes
Apache License 2.0

When to expect a new release? #314

Closed harsimranmaan closed 1 week ago

harsimranmaan commented 3 months ago

There are some public golang CVEs that require addressing in the suc. Per the security policy, these are patched during the dev cycle. Is there a cadence to expect such patch releases?

harsimranmaan commented 1 month ago

Hi team, can I get some eyes on the related PR? Thanks for your time.

brandond commented 1 month ago

There are a couple packaging issues I want to fix before we do another release. It is on my radar for sometime in the next week or two.

harsimranmaan commented 1 month ago

Sure, thanks. Lemme know if I can help

harsimranmaan commented 1 month ago

Please note that it is desired that the next release be tagged >= v0.15.0 as v0.14.0 was likely published in the past and deleted as evident from the entries in gosumdb. https://pkg.go.dev/github.com/rancher/system-upgrade-controller?tab=versions

buroa commented 3 weeks ago

@brandond Any updates?

harsimranmaan commented 2 weeks ago

Hi team, it would be great if a new release could be published as suc gets flagged for multiple critical vulns. The patches have been merged already.

kashalls commented 1 week ago

@brandond Do you need any help to get this moving?

brandond commented 1 week ago

Sorry, there was a bunch of release CI stuff to fix - the changes from https://github.com/rancher/system-upgrade-controller/pull/311 did not actually work to move image publish CI over to GHA.

v0.14.0 should work.

harsimranmaan commented 1 week ago

Thanks Brandon but could the release be bumped to v0.15.0? 0.14.0 was likely published in the past and recalled it seems as gosumdb already has entries for it with a different shasum. Please see https://pkg.go.dev/github.com/rancher/system-upgrade-controller?tab=versions

brandond commented 1 week ago

I'm not able to find any references to that tag on GH or Docker Hub, so I have no idea where that would have come from. I can tag 0.15.0 next week when I am back in the office.

You can use v0.14.0-rc4 in the meantime, as that points at the same commit.