Plan to release etcd v3.5.18

[ivanvc]

What would you like to be added?

The etcd patch release criteria has been met for our release-3.5 stable release branch so we should release v3.5.18.

The list of commits included since the previous release is: v3.5.17...release-3.5:

• [3.5] support custom content check offline in v2store #19113
• [3.5] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250 #18899
• [3.5] add tls min/max version to grpc proxy #18829
• [3.5] fix runtime error: comparing uncomparable type #18937
• [3.5] Print warning message for deprecated v2 flags if set #18999
• [3.5] Print warning message for deprecated v2 flags if set #18999

Work in progress CHANGELOG is: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3518-tbc

List of pull requests we still need to backport from main to release-3.5 before the patch release is issued:

• build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 in /tests #19043
• build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0 #19101

Release team

GitHub handle	Role
@jmhbnz	Release Lead
@ivanvc	Release Advisor
@ghouscht	Release Shadow

Why is this needed?

Regular patch releases are vital to ensure our users have bug-free and secure software.

[ivanvc]

I'd like to be a release advisor/shadow, as I'd like to see someone else running the release script after the first improvements from #18604. However, I can also be the lead if there are no volunteers.

[ghouscht]

I haven't had much time in the last few weeks to help with etcd development but I think I could once again be a shadow for the release. I think I'm not yet familiar enough with the process to be a lead.

[taraspos]

@ivanvc would it be possible to include patches to x/crypto and x/net to resolve following vulnerabilities?

• GHSA-v778-237x-gjrc
• GHSA-w32m-9786-jp63

[cwayne18]

@taraspos looks like x/net was bumped here: bf3bb6d

[taraspos]

Yeah, but it needs to be backported into the release-3.5 branch to get into the 3.5.x release as far as I understand:

• https://github.com/etcd-io/etcd/blob/release-3.5/go.mod#L87-L88

[cwayne18]

oof, of course you're correct, sorry, still seems i have holiday-brain. It would certainly be good to have those fixes included for us

[ivanvc]

@ivanvc would it be possible to include patches to x/crypto and x/net to resolve following vulnerabilities?

* [GHSA-v778-237x-gjrc](https://github.com/advisories/GHSA-v778-237x-gjrc)

* [GHSA-w32m-9786-jp63](https://github.com/advisories/GHSA-w32m-9786-jp63)

This makes sense. We're not directly affected by the vulnerability (https://github.com/etcd-io/etcd/actions/runs/12551556226/job/34996167337), but it's still a dependency with a CVE, and according to our Dependency Management documentation.

[ivanvc]

@jmhbnz, would you be interested in being part of the release team?

[jmhbnz]

@jmhbnz, would you be interested in being part of the release team?

Thanks for the reminder on this, yes we need to get this release cut, we could aim to do it later this week perhaps.

I'll take lead for this one. Are you available to be a second pair of eyes for me as release advisor @ivanvc?

[ivanvc]

I'll take lead for this one. Are you available to be a second pair of eyes for me as release advisor @ivanvc?

Absolutely. Looks like we have a team. I'll groom to see if there are other potential PRs to backport. We also need to merge #19113 first.