chore: release #146

Merged
merged 1 commit into from
Aug 9, 2023

Collaborator

@frol frol commented Jun 6, 2023

🤖 New release

  • borsh: 0.11.0 -> 1.0.0-alpha.1
  • borsh-derive: 0.11.0 -> 1.0.0-alpha.1
  • borsh-derive-internal: 0.11.0 -> 1.0.0-alpha.1
  • borsh-schema-derive-internal: 0.11.0 -> 1.0.0-alpha.1
Changelog

borsh

1.0.0-alpha.1 - 2023-08-07

Bug Fixes

Documentation

Features

Miscellaneous Tasks

Refactor

Testing

Ci

  • Only release-plz after other checks pass


This PR was generated with release-plz and semi-automatically with @dj8yfo.

@frol
Collaborator Author

frol commented Jun 6, 2023

I am hesitant to cut this release now as it resolves the RUSTSEC issue which might trigger many projects to upgrade borsh to 0.11.1 version and they might fall into the trap of a more severe issue: #138 (comment) (some solution is needed)

cc @mina86 @iho

P.S. It is weird that release-plz suggests cutting 0.12.0 instead of 0.11.1 and dumps too many records to the CHANGELOG (again). These should also be investigated.

@frol frol changed the title chore(borsh): release v0.11.1 chore: release Jun 6, 2023
@frol frol force-pushed the release-plz/2023-06-06T21-17-02Z branch from 46b31cc to 68adce5 Compare June 6, 2023 21:51
@maxammann

> I am hesitant to cut this release now as it resolves the RUSTSEC issue which might trigger many projects to upgrade borsh to 0.11.1

It is possible to delay resolving the RustSec issue. It is a manual process after all.

But I'm not sure if I understand why we would want to delay the release of #138

@mina86
Contributor

mina86 commented Jun 7, 2023

> But I'm not sure if I understand why we would want to delay the release of #138

#138 changes the serialisation format, and updating to a borsh release with it can silently break the code.

The usual solution for a security fix would be to have point releases for affected versions.

I have a rather brutal opinion of #138. I believe it should have never been merged and that at this point the best course of action is to revert it and yank the 0.11 release. Then, this security fix can be cherry-picked and released as 0.10.1.

@frol
Collaborator Author

frol commented Jun 7, 2023

@mina86 I requested to yank the 0.11.0 version of borsh from Crates.io before it is too late. But I would like to explore the way to implement a proper solution to #138 that does not leave us in a space where we need to carry "bugs" forever.

@frol frol mentioned this pull request Jun 7, 2023
@mina86
Contributor

mina86 commented Jun 7, 2023

One option is to add #[borsh(use_discriminant = true|false)] annotation and break compilation if it’s not present. Then, once no one is using releases older than 0.12 switch the default and stop breaking compilation.
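
Added example, not part of the thread and not borsh code: a std-only sketch of why a change in enum tagging can break readers silently, which is the risk raised above and the reason for an explicit `use_discriminant` choice. It assumes the format change concerns whether the tag byte is the variant's declaration index or its explicit discriminant (the page does not spell this out); `Status` and all function names are hypothetical.

```rust
// Added illustration; std only, does not use the borsh crate.
// Assumption: the format change is about which byte tags an enum variant:
// its declaration index, or its explicit discriminant.

#[derive(Clone, Copy, Debug, PartialEq)]
#[repr(u8)]
pub enum Status {
    Active = 1,
    Frozen = 2,
    Closed = 10,
}

/// Tag = position of the variant in the declaration (0, 1, 2, ...).
pub fn tag_by_index(s: Status) -> u8 {
    match s {
        Status::Active => 0,
        Status::Frozen => 1,
        Status::Closed => 2,
    }
}

/// Tag = the explicit discriminant written in the enum definition.
pub fn tag_by_discriminant(s: Status) -> u8 {
    s as u8
}

/// Decoder that expects discriminant tags and rejects anything else.
pub fn decode_by_discriminant(tag: u8) -> Result<Status, String> {
    match tag {
        1 => Ok(Status::Active),
        2 => Ok(Status::Frozen),
        10 => Ok(Status::Closed),
        other => Err(format!("unknown tag {other}")),
    }
}

/// Reads a byte written under the index convention with the discriminant decoder.
pub fn reread_old_bytes(s: Status) -> Result<Status, String> {
    decode_by_discriminant(tag_by_index(s))
}

fn main() {
    for s in [Status::Active, Status::Frozen, Status::Closed] {
        println!("{s:?}: index tag {}, discriminant tag {}, old bytes reread as {:?}",
            tag_by_index(s), tag_by_discriminant(s), reread_old_bytes(s));
    }
}
```

Only `Active` fails loudly here; `Frozen` and `Closed` decode without error into a different variant, which is the case that compiles, runs and corrupts state unnoticed.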

Collaborator Author

@frol frol left a comment

@dj8yfo Your updates to the PR look great, and I only want to ask you to update it with the information about the following ones:

P.S. And resolve the merge conflict 🙏

@dj8yfo dj8yfo force-pushed the release-plz/2023-06-06T21-17-02Z branch from f158906 to 76158a0 Compare August 7, 2023 16:26
@frol frol merged commit f8631a5 into master Aug 9, 2023
7 checks passed
@frol frol deleted the release-plz/2023-06-06T21-17-02Z branch August 9, 2023 07:40
@maxammann

I'll take care of the RUSTSEC issue as soon as this gets stable :)
