Plan to release etcd v3.5.15

[ivanvc]

What would you like to be added?

The etcd patch release criteria has been met for our release-3.5 stable release branch so we should release v3.5.15.

The list of commits included since the previous release is: v3.5.14...release-3.5:

• [3.5] Backport removal of asset transparency workflow #18104
• [3.5] scripts/release: shallow clone repository #18105
• [3.5] Bump Go version to 1.21.11: CVE 2024-24790 fix #18129
• [3.5] print error log when validation on conf change failed #18138
• [3.5] Fix govulncheck CI check #18170
• [3.5] bugfix: register of walWriteSec #18174
• [3.5] Fix dependency inconsistency detection and add make verify-dep #18207
• [3.5] Support multiple values for allowed client and peer TLS identities #18160
• [3.5] Install shellcheck if it is not present #18229
• [3.5] backport deflake TestV3AuthWithLeaseRevokeWithRootJWT #18253
• [3.5] github/govuln: don't swallow govulncheck errors #18254
• [3.5] Bump Go version to 1.21.12: GO-2024-2963 fix #18271
• [3.5] Suppress noisy basic auth token deletion log #18265

Work in progress CHANGELOG is: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3515-tbd

List of pull requests we still need to backport from main to release-3.5 before the patch release is issued:

• Remove gsutil acl command for bucket permissions from release.sh #18250
• Suppress noisy basic auth token deletion log #18245
• fix ts with no trailing zeros #18108
• fix(server): enforce listen-metrics-urls client TLS info when its scheme is https/unixs #18186

Why is this needed?

Regular patch releases are vital to ensure our users have bug-free and secure software.

[ivanvc]

After a sweep of fixes merged in the main branch after 3.5.14, I found these two potential backports:

• fix(server): enforce listen-metrics-urls client TLS info when its scheme is https/unixs #18186
• fix ts with no trailing zeros #18108

Do we want to backport any of these?

I would appreciate another pair of eyes to do another pass.

I also volunteer to be a shadow for this release :)

[jmhbnz]

@spzala or @wenjiaswe did either of you want to lead this release? If not I am happy to volunteer as release lead.

Do we want to backport any of these?

Will do some review soon, we also need to take a close look at recent bug reports and see if anything needs to be included: https://github.com/etcd-io/etcd/issues?q=is%3Aissue+label%3Atype%2Fbug+created%3A%3E%3D2024-04-30

[ivanvc]

We may want to hold the release after 7/2, as according to SIG-release's email

There is a Go update being released on 07/02

I do see some outstanding changes in the Go Release Dashboard. But I don't know how to check when the version will be released, and I'm not sure if it will come with another vulnerability fix.

[wenjiaswe]

@jmhbnz Yes, I am happy to do the release. It's a short week in US, maybe I can do it next week?

[jmhbnz]

@jmhbnz Yes, I am happy to do the release. It's a short week in US, maybe I can do it next week?

SGTM - So release team will be:

Github handle	Role
@jmhbnz	Release advisor
@wenjiaswe	Release lead
@ivanvc	Release shadow

/assign @wenjiaswe, @ivanvc, @jmhbnz

[ivanvc]

Would you guys be available Monday, July 8th, at 11 a.m. PT? I'll be out next week starting Tuesday, so I won't be available if you want to schedule it for later that day, which is fine by me, we could see if someone else wants to shadow :)

[wenjiaswe]

@ivanvc @jmhbnz I will discuss with you two on chat. If anyone else interested in shadowing, please ping me in slack: wenjiaswe

[ivanvc]

@jmhbnz, after updating Go to address vulnerabilities (#18269), I think we now can release 3.4.34, right?

[jmhbnz]

@jmhbnz, after updating Go to address vulnerabilities (#18269), I think we now can release 3.4.34, right?

What is the CVE score? NIST don't list it yet https://nvd.nist.gov/vuln/detail/CVE-2024-24791. Our patch release criteria is 7.5 https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md#patch-release-criteria but I'm not opposed to start organising 3.4.34 anyway once this release is done.

[ivanvc]

What is the CVE score? NIST don't list it yet https://nvd.nist.gov/vuln/detail/CVE-2024-24791. Our patch release criteria is 7.5

That's a good point. I think there's no rush, and ultimately, there are no other outstanding changes for 3.4 other than the Go update.

[ivanvc]

Will do some review soon, we also need to take a close look at recent bug reports and see if anything needs to be included: https://github.com/etcd-io/etcd/issues?q=is%3Aissue+label%3Atype%2Fbug+created%3A%3E%3D2024-04-30

I reviewed these and couldn't find anything that caught my eye.
Do we want to backport any of #18247 (comment)?

[jmhbnz]

I reviewed these and couldn't find anything that caught my eye. Do we want to backport any of #18247 (comment)?

Have raised backport proposals for both:

• [3.5] Fix ts with no trailing zeros #18288
• [3.5] Backport fix(server/embed) enforce non-empty client TLS if scheme is https/unixs #18289