Closed adiroiban closed 2 months ago
When will there be a release remediating the security vulnerabilities that were published yesterday (CVE-2024-41671 & CVE-2024-41810)?
The release is already available - https://pypi.org/project/Twisted/24.7.0rc1/
@norrisjeremy https://mail.python.org/archives/list/twisted@python.org/message/G52SQQEND25JBVWILCAZVFNQS2E454JF/ - "If nothing comes up in one week, 24.7.0 will be released based on the latest release candidate".
That's disappointing that users have to wait a week for an official release that isn't an RC build.
This is our current release process and is documented here:
https://docs.twisted.org/en/latest/development/release-process.html#security-release
It can always be improved.
I think that it's awesome that users can get the security fixes for free, after only one week, without the risk of any regressions.
And the RC1 release is available right away for security sensitive deployments.
Unfortunately there are not many active reviewers and testers for Twisted code to be able to release without RC1.
The advantage of RC1 is that if somehow we mess up a release really badly, it will not affect all users.
@norrisjeremy as mentioned above. If you have time, I encourage you to test the RC1 and if there are any issues report them on the dedicated PR at https://github.com/twisted/twisted/pull/12272
I could have sworn we had an accelerated RC timeline for security releases already, but I guess those are assumed to be "bug fix" (i.e. patch / micro) releases.
@norrisjeremy If you've tested rc1, please consider making a comment on #12272 to indicate that it worked for you, since if we receive no feedback on the RC it's tough to accelerate the timeline since we don't know if anyone has tested it.
Looks like Synapse didn't run into issues using it: element-hq/synapse#17502.
thanks for the report @clokep !
I could have sworn we had an accelerated RC timeline for security releases already, but I guess those are assumed to be "bug fix" (i.e. patch / micro) releases.
@glyph I don't think that we have an accelerated release process for patch / micro releases.
The information for micro releases is here https://docs.twisted.org/en/latest/development/release-process.html#bug-fix-releases
Please also publish what commits need to be cherry-picked to 24.3.0. Packaging systems generally do not advance minor releases on stable branches. Ideally there would be 24.3.1 (24.3.0.1, whatever), with just the security fix, so that N packaging systems (Debian, pkgsrc, etc.) could all use it.
I don't plan to do a 24.3.1 release.
From our release documentation:
We don't do maintenance / patch releases, including for security issues, due to lack of resources.
But, this is an open source project and the documentation for doing a release is public.
If someone has time to cherry-pick, test the result and do a separate security release, we can have it.
Packaging systems generally do not advance minor releases on stable branches
I really want to reinforce this point. We do not support installing Twisted via any system except installing our official releases from PyPI. If your distribution wishes to support an alternate piece of software derived from Twisted, you are of course free to do so, but you will need to figure out how to alter the code. We do not have CI for cherry-picking random patches off of branches and so we don't know if simply cherry-picking these changes will even apply cleanly, let alone properly address the security issue, on other versions of the software.
If you'd like to supply some resources to the project in the form of a maintainer who can configure our CI and backport fixes, we could have a discussion about that, but I don't think we see a lot of value in supporting alternate compatibility policies that are not aligned with our own.
I could have sworn we had an accelerated RC timeline for security releases already, but I guess those are assumed to be "bug fix" (i.e. patch / micro) releases.
@glyph I don't think that we have an accelerated release process for patch / micro releases.
The information for micro releases is here https://docs.twisted.org/en/latest/development/release-process.html#bug-fix-releases
Ah, I was looking at the older version of the docs https://docs.twisted.org/en/twisted-22.4.0/core/development/policy/release-process.html#bug-fix-releases
I've tested upgrading locally for the Yocto Project (on latest LTS v5.0):
Did not get any packaging or build/compile warnings. Upgrade went well 👍
Edit: my build host is using Ubuntu 24.04
Installed 24.7.0rc1 as a dependency of daphne, upgrade went well.
I appear to have regressed some functionality in Twisted in https://github.com/twisted/twisted/pull/12109, since the last release. I will create a fix ASAP.
24.7.0rc2 is available ... I plan to wait until 8th of August and then I will trigger the final release.
Please test 24.7.0rc2 and report any errors.
If there are any errors after that, we can always release a new 24.8.0.
24.7.0rc2 is available ... I plan to wait until 8th of August and then I will trigger the final release.
It's the 10th - any news on a release? pkgsrc has a policy of only packaging releases, and most other packaging systems are like that too.
We do release candidates as we want people to help with testing before the final release.
24.7.0 is not released unless at least one person checks the release candidate.
24.7.0 was released. Thanks Glyph for the review.
It's now available on PyPI: https://pypi.org/project/Twisted/24.7.0/
just the release task