Bump allowed Golang version for v1.11 and v1.12 #26713
I think there was a previous discussion at some point about this, a bump from Go 1.17 -> Go 1.20 is a massive change in terms of potential regressions - I think this deserves wider discussion. I'll raise a thread with the maintainers; maybe you could talk about this in a community meeting as well?
For some extra context, I made this change off the back of a discussion with @aanm @michi-covalent and @joestringer regarding the CVEs in older versions of Golang. The consensus was that we wanted to bump the version of Golang on maintained branches to a supported version. I chose 1.20 because 1.19 is about to fall out of support, so 1.20 gives a longer runway for future releases.
/test-backport-1.11
Allow v1.11 and v1.12 to use a supported Golang version, which will remove several CVEs currently being reported by scanners.
Bumping based on the policy in https://docs.cilium.io/en/latest/contributing/development/dev_setup/#minor-version
Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
38737fa to d305279
There's an issue with Cilium v1.11 + Go 1.20 due to a breaking change. From Go 1.20 release notes:
which leads to:
This should be addressed by cilium/ebpf@0393df6. So, it'll require cilium/ebpf to be bumped to >= 0.9.2.
Hi @akhilles – the change in this PR allows versions up to but not including Golang 1.20 ('<1.20' as opposed to '<=1.20'). The v1.11 branch uses Golang v1.19 now as a result: ad34c5a. Did you see this error when testing the v1.11 branch, or were you testing v1.11 with Golang v1.20? I will check if v1.12 and v1.13 might be affected by this – we will be bumping them to Golang v1.20 soon, so it's possible they will need the cilium/ebpf bump.
Ah, missed that :). Since Go 1.19 is EOL now, should Go 1.20 be allowed for v1.11 to fix any future vulnerabilities?
We saw this error on v1.11 + Go 1.20. I don't think v1.12 and v1.13 are affected because they're already using
Cilium v1.11 is also EOL now.
Allow v1.11 and v1.12 to use a supported Golang version, which will remove several CVEs
currently being reported by scanners.
Bumping based on the recently added documentation in: https://docs.cilium.io/en/latest/contributing/development/dev_setup/#minor-version
Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>