Plan release v3.5.11

[jmhbnz]

What would you like to be added?

We recently addressed CVE-2023-47108 and backported this to release 3.5 in #16946.

Given the CVSS score let's ship 3.5.11 quickly to enable downstream consumers to patch.

We should also review recently merged changes to main and release-3.5 to confirm the list of any other included changes in the release.

I propose for this release we also extend the release team beyond 3.5 release manager @serathius and ask for two community volunteers to shadow the process and assist getting the release shipped.

This will give our recently joined community members an opportunity to learn more about the current state of how etcd releases are shipped and contribute to getting release 3.5.11 out the door as quickly as we can.

Why is this needed?

Ensure we patch vulnerabilities as soon as possible, grow our new contributors.

[jmhbnz]

I've created slack thread https://kubernetes.slack.com/archives/C3HD8ARJ5/p1700180400783899 to invite contributors to form a small release team to help get 3.5.11 published.

This is a trial for creating more formal release teams for future etcd releases to help reduce workload of our current release managers for 3.5 and 3.4.

[jmhbnz]

Confirmed release team will be @serathius, @sharathsivakumar, @bsctl.

@sharathsivakumar and @bsctl can you please reply to confirm your timezone so that @serathius can book the release publishing zoom/google meet call?

Additionally - @sharathsivakumar and @bsctl it would be a huge help if you can begin listing what will be included in this release by reviewing changes to release-3.5 branch since 3.5.10, for example refer to example: #16733

[bsctl]

CET

[sharathsivakumar]

CEST

[ahrtr]

Can we take this as a higher priority task?

[sharathsivakumar]

@ahrtr I am working on this along with @bsctl and @serathius . I am currently listing issues that need to be added for this release. I think I should be done by tomorrow. Then the next steps would be to look for backports and release it.

[ahrtr]

Then the next steps would be to look for backports

We don't have to do it in 3.5.11. I am thinking it would be better to release 3.5.11 asap due to the two CVEs already resolved.

[sharathsivakumar]

@ahrtr Confirming here, the 2 CVE's fixed are:

-GHSA-qppj-fm5r-hxr3
-GHSA-8pgv-569h-w5rw

correct?

[ahrtr]

@ahrtr Confirming here, the 2 CVE's fixed are:

-GHSA-qppj-fm5r-hxr3 -GHSA-8pgv-569h-w5rw

correct?

Please see the current 3.5.11's changelog.

• One is CVE-2023-47108
• the other is the security fix included in golang 1.20.11.

[sharathsivakumar]

Here is the list of issues to be added for the release. Please review and let me know if changes are required.
cc: @bsctl @serathius @ahrtr @jmhbnz

[serathius]

Looks good, @sharathsivakumar can you update the https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md based on that?

[sharathsivakumar]

On it!

[sharathsivakumar]

@serathius we are ready to go proceed with the release. Details are here
cc: @bsctl @jmhbnz @ahrtr

[serathius]

Done https://github.com/etcd-io/etcd/releases/tag/v3.5.11