Verified travis CI is running Golang 1.12.8:

$ go version
go version go1.12.8 linux/amd64

@Random-Liu are there any CRI fixes that need to be vendored into release/1.2 before we cut a release? Anything to call out in release notes?

Codecov Report

Merging #3534 into release/1.2 will decrease coverage by 6.65%.
The diff coverage is n/a.

@@              Coverage Diff               @@
##           release/1.2   #3534      +/-   ##
==============================================
- Coverage        47.76%   41.1%   -6.66%     
==============================================
  Files               91      70      -21     
  Lines             8443    9480    +1037     
==============================================
- Hits              4033    3897     -136     
- Misses            3677    5019    +1342     
+ Partials           733     564     -169

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5e060c4...a9ba2e6. Read the comment docs.

@estesp Yes. Let me do an update.

Updated notes (https://gist.github.com/estesp/d39a93bf47ed57ba2251265a4b718f25) with CRI additions and rebased

ping @estesp I also want to add this issue into release note. #3481 :)

Looks like we need to wait on Golang 1.12.9 (which is imminently being released it looks like) to have the os.RemoveAll without O_CLOEXEC fix for fd leakage. Others were also surprised it wasn't in 1.12.8, but apparently that only took the security fix, and other 1.12.x branch fixes will be in 1.12.9.

@estesp yeah. it is painful...

Updated to

• remove mention of libseccomp (change reverted)
• expand Golang runtime change description to separate 1.12.8 security patches from 1.12.9 bug fix (and added @fuweid requested note of the related issue from @Ace-Tang.
• clarify opening overview to mention http2 not gRPC for the Golang CVEs

TravisCI is now using 1.12.9 (verified in recent PR run); AppVeyor PR #3544 needs to merge to finalize that across Windows + Linux.

Updated release notes with general info about CRI having fixes, and pointing to detailed list in next section. Added notes on last few backports (shim hang, and image & process env "merging"), and removed incorrect note on CRI + libseccomp changes, as those were reverted.

Updated generated release notes gist: https://gist.github.com/estesp/d39a93bf47ed57ba2251265a4b718f25

Release Note LGTM 👍 @estesp Thanks!

@containerd/containerd-maintainers @containerd/containerd-reviewers I believe we are ready to cut the 1.2.8 release; would be good to have some more eyes to make sure the notes captured everything.

LGTM