
Re: Release Critical Security Bug in Bazel Dependency

Hi Olek,

Let me clarify the LTS release and rolling release.

The 4.x.x release series is the LTS, and they are all based on 4.0.0 and should be backwards compatible with 4.0.0. The rolling release version will be named 5.0.0-pre.<date> and be cut from HEAD (so not backwards compatible with 4.0.0), and when we cut the Bazel 5 LTS, the rolling release will start from 6.0.0-pre.<date>.

We are still preparing our first rolling release; you can track it at https://github.com/bazelbuild/bazel/issues/13526


On Mon, May 31, 2021 at 11:03 PM Olek Wojnar <olek@debian.org> wrote:
Hi Jesse,

On Mon, May 31, 2021 at 9:37 AM Jesse Chan <jc@linux.com> wrote:
I saw the bug has been closed. Great work, Olek!

Thanks. :)
By the way, I have bumped the version to 4.1.0. Two additional patches
are needed: one to remove the "bazel_skylib" dependency introduced by a
"darwin-arm64" workaround and one to use Debian-provided "rxjava". The
latter one can be sent to upstream, and the first one is going to stay
until we get "bazel_skylib" ready.

Cool! This is a good opportunity to discuss how we're going to handle Bazel rolling releases. Our packaging plan specifically calls for packaging LTS releases but does not address what we do in between. i.e. would we create something like a bazel-rolling package that tracks current development?

Also, Yun, as I recall the 4.0.x series is the LTS but the 4.x.x series are rolling releases. Is that still accurate and am I remembering it correctly? I believe we discussed that minor versions will not guarantee compatibility. I looked back at the blog announcement but it's not clear from that how minor versions will be handled.

Regarding bazel-skylib, I would start building against the Debian package. It is currently in experimental so you should be able to build fine against it there and we're not going to be able to do anything in unstable anyway until after release. :)

Please review the changes when you have time. I am still working on the
d/copyright stuff you mentioned, but I am not able to commit much time
near the end of quarter. Hopefully someone else can help me with that.

I'd love to! Unfortunately, I'm a bit strapped for time right now as well... :( It is DEFINITELY near the top of my Debian TODO list though.

FYI: As I haven't updated the "pristine-tar" and "upstream" branches of
our main repo yet (I'd like to leave them to Olek), the CI would always
fail with "uscan error: unzip binary not found". Plus, it seems that
Salsa no longer runs CI on personal repos.

Ok, adding that to my Debian TODO as well. I'll wait until Yun can clarify which specific versions are part of the LTS so we can make a plan from there.

Oh, really? That's new. I didn't see an Infrastructure email about that but I may have missed it. Then again, I think all my packages are team-maintained. But I'll definitely keep that in mind if I start a personal repo, thanks!

