Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
Hi Nilesh,
On Sat, Feb 19, 2022 at 02:34:16AM +0530, Nilesh Patra wrote:
> > I disabled the attempt `chown -c root.root` which is not permitted on
> > one hand and not needed on the other hand since the resulting files
> > inside the Debian package are owned by root anyway.
>
> Yeah, as we discussed in the debian-med video call as well.
> Did you happen to test it a bit?
I checked the permissions in the final package. I'll also try to do
some sensible stuff tomorrow. Since I've got a lintian (missing Apache
NOTICE file - easy to fix) error I stumbled upon some unneeded code
copies and wanted to make this a bit more clean.
> > > Hope that helped.
> >
> > It helped a lot!
> >
> > Seems I got cocky now and realised that there is a new version 3.9.5
> > out.
>
> It always makes sense to look at the diff before you assume that nothing much
> would've changed.
> Seems they did major changes in what should essentially look like a patch release :(
> At least the commit here[1] shows non-trivial changes
>
> [1]: https://salsa.debian.org/hpc-team/singularity-container/-/commit/0d8440c61b866c7a8ac30739dcca2bff2b04897b
You mean
parameters:
go-version:
type: string
default: '1.17.5'
default: '1.17.6'
?
> > I did not want to upload something that is outdated at the time
>
> I think it does make sense to first upload what you have at hand and what is building for you.
> It is at least not worse than what we have currently.
>
> We can focus on new version after that -- well, at least we are making progress right.
>
> If you agree, please finalise 3.9.4; since 3.9.5 throws grpc/protobuf stuff and it is almost never
> straightforward to fix from my past experiences.
> It just puts me off, I admit.
You perfectly convinced me to target at 3.9.4. I'll try to finish this
tomorrow and delay the switch to 3.9.5.
>
> I do not even see the grpc folder anywhere on salsa now.
>
> $ find . -name grpc | wc -l
> 0
>
> So I do not know where this error comes from; or if you have something else locally.
I'll simply revert the version bump ...
> But in any case, I am a bit demotivated now to be spending time to fix this.
> Hopefully someone else could chime in.
Let's delay this for later.
> > Please note that I've started to review the vendored copies and replaced
> > two of these by the Debian packaged code. I'm not finished - just
> > wanted to see if I'm breaking something. IMHO the breakage is not
> > caused by the removal of the vendored copies but I wanted to stress this
> > point here.
>
> Leave the grpc/protobuf deps as it was vendored, I would suggest to not mess around with these
> unless you _really_ know what you are doing :)
Yes - thanks a lot for your advice
Andreas.
--
http://fam-tille.de