Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New patch version please #1453

Open
jpnauta opened this issue Mar 7, 2024 · 20 comments
Open

New patch version please #1453

jpnauta opened this issue Mar 7, 2024 · 20 comments

Comments

@jpnauta
Copy link

jpnauta commented Mar 7, 2024

Hi maintainers! Is it possible to release a new patch version of SOPS? There are critical CVEs like this one that have been fixed several months ago, but are not included in the latest v3.8.1 release.
@webertrlz
Copy link

Or a new release, I need the feature --mac-only-encrypted

@jonasbadstuebner
Copy link

Would also love a new patch release.

@julienkosinski
Copy link

julienkosinski commented May 21, 2024
edited

Yes there are a lot of new useful features, and if there's CVEs to fix this feels urgent because SOPS is a dependency of tools (I have in mind FluxCD) where using git version is not an option...

Considering the situation, just bumping the version and release a 3.9.0 (if there's no time to have a clean release note, well, in my opinion, this is very understandable) might be adequate, don't you think? @felixfontein

@very-doge-wow
Copy link

I am also waiting for support of SOPS_DECRYPTION_ORDER, please release 🙏

@marcofranssen
Copy link

marcofranssen commented Jun 3, 2024
edited

Are there any plans for cutting a new release? We are specifically looking for AWS EKS PodIdentity support see viaduct-ai/kustomize-sops#250 which would require a bump of the AWS SDK.

Would be great if a comment could be given on the plans/feasibility to cut a new release somewhere very soon. We have 2 options:

  • Abandon SOPS and move to another solution that has PodIdentity support (External Secrets Operator).
  • Update SOPS and KSOPS to a newer release and continue to support the project.

Happy to support and help getting a new release done, but can't do anything without support from maintainers.

@truongnht
Copy link

@felixfontein would need your input on this

@felixfontein
Copy link
Contributor

I cannot really provide much input here since this doesn't depend on me alone. I'll happily help reviewing and merging things for a soonish 3.9.0 release, but I cannot do this on my own from the maintainer side.

Pinging @getsops/maintainers

@sabre1041
Copy link

The answer to this question regarding a patch release is yes. The bigger question relates to when. And that depends on the features that are desired to be included in such a release. I will also discuss this topic with @getsops/maintainers to throw out an initial milestone that we can track against and provide greater visibility for the community

@jonasbadstuebner
Copy link

What is blocking you from creating a patch release from the current state of main right now?

@jonasbadstuebner
Copy link

Can‘t you find an intermediate solution until your organizational changes are done?
How did releases happen before you split out from Mozilla?

@felixfontein
Copy link
Contributor

@jonasbadstuebner we already merged features. It's too late for a patch release, the next release will be a feature release - unless we want to revert quite a bit.

@jonasbadstuebner
Copy link

I see, thanks for explaining.

Can’t you create a 3.9.0 release that includes all features that are in main right now and you move open topics to 3.10.0?

@jonasbadstuebner
Copy link

To me it seems that you are standing in your own way.

@sabre1041
Copy link

I see, thanks for explaining.

Can’t you create a 3.9.0 release that includes all features that are in main right now and you move open topics to 3.10.0?

but what about end users who are waiting on a feature that miss out on a 3.9.0 release? would that be fair to them? thats where we need to assess what issues are out there. can we perform a release immediately? maybe. but thats something that needs to be assessed.

Fear not. a release will occur for the community to take advantage of

@jonasbadstuebner
Copy link

I don’t understand. You mean someone who is waiting for a feature that does not make it in to 3.9.0?
I suggest they wait for 3.10.0 then.

@jonasbadstuebner
Copy link

It’s not about „fair“, it’s about showing that your product is well maintained and not dead.

If you are thinking „fair“:
Is it fair that some users are vulnerable to certain CVEs because you don’t want to release 3.9.0 for the users that want new features?

@jonasbadstuebner
Copy link

jonasbadstuebner commented Jun 3, 2024
edited

Just decide on a release cycle, every 2 or 3 weeks and include everything that has been merged up until this point. If there are more than zero new features, it’s a feature release. If it only includes patches, it’s a patch release.

If you include too many features, you might get a lot of issues reporting bugs and the users have to roll back months of changes. And the people that opened the PRs for the feature might be long gone and not there to help with the bugs they introduced.

@truongnht
Copy link

I see, thanks for explaining.
Can’t you create a 3.9.0 release that includes all features that are in main right now and you move open topics to 3.10.0?

but what about end users who are waiting on a feature that miss out on a 3.9.0 release? would that be fair to them? thats where we need to assess what issues are out there. can we perform a release immediately? maybe. but thats something that needs to be assessed.

Fear not. a release will occur for the community to take advantage of

I kinda agree with @jonasbadstuebner, I donot understand what blocks your team from frequent releases when needed.

@sabre1041
Copy link

I see, thanks for explaining.
Can’t you create a 3.9.0 release that includes all features that are in main right now and you move open topics to 3.10.0?

but what about end users who are waiting on a feature that miss out on a 3.9.0 release? would that be fair to them? thats where we need to assess what issues are out there. can we perform a release immediately? maybe. but thats something that needs to be assessed.
Fear not. a release will occur for the community to take advantage of

I kinda agree with @jonasbadstuebner, I donot understand what blocks your team from frequent releases when needed.

Please understand that the group of maintainers are volunteers as part of an open source community project. We certainly hear the feedback from the community and will prioritize both more frequent releases as well as further transparency in both the process, as well as when releases can be expected.

Based on the progress of this thread, we have been discussing several options and will share them shortly so that end users can understand when the next release and the set of features will be available

@marcofranssen
Copy link

Great to see activity. I think most important now is to get releases rolling. What is part of those releases shouldn't be about fairness or be bundled with to be features. Most important is probably to release whatever is ready. That way we can unblock the majority of community + allow them to give feedback/improve on new features.

Happy to assist where possible so we can also get the feature in there for AWS PodIdentity asap.

Lets keep those releases rolling, then we as a community will thrive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@marcofranssen @sabre1041 @julienkosinski @jpnauta @truongnht @felixfontein @webertrlz @jonasbadstuebner @very-doge-wow