Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)



Hi Nilesh,

Am Sat, Feb 19, 2022 at 02:34:16AM +0530 schrieb Nilesh Patra:
> > I disabled the attempt `chown -c root.root` which is not permitted on
> > one hand and not needed on the other hand since the resulting files
> > inside the Debian package are owned by root anyway.
> 
> Yeah, as we discussed in the debian-med video call as well.
> Did you happen to test it a bit?

I checked the permissions in the final package.  I'll also try to do
some sensible stuff tomorrow.  Since I've got a lintian (missing Apache
NOTICE file - easy to fix) error I stumbled upon some unneeded code
copies and wanted to make this a bit more clean.
 
> > > Hope that helped.
> > 
> > It helped a lot!
> > 
> > Seems I got cocky now and realised that there is a new version 3.9.5
> > out.
> 
> It always makes sense to look at the diff before you assume that nothing much
> would've changed.
> Seems they did major changes in what should essentially look like a patch release :(
> At least the commit here[1] shows non-trivial changes
> 
> [1]: https://salsa.debian.org/hpc-team/singularity-container/-/commit/0d8440c61b866c7a8ac30739dcca2bff2b04897b

You mean

parameters:
  go-version:
    type: string
    default: '1.17.5'
    default: '1.17.6'

?
 
> > I did not want to upload something that is outdated at the time
> 
> I think it does make sense to first upload what you have at hand and what is building for you.
> It is at least not worse than what we have currently.
> 
> We can focus on the new version after that -- well, at least we are making progress, right.
> 
> If you agree, please finalise 3.9.4; since 3.9.5 throws grpc/protobuf stuff and it is almost never
> straightforward to fix from my past experiences.
> It just puts me off, I admit.

You perfectly convinced me to target at 3.9.4.  I'll try to finish this
tomorrow and delay the switch to 3.9.5.
 
> 
> I do not even see the grpc folder anywhere on salsa now.
> 
> $ find . -name grpc | wc -l
> 0
> 
> So I do not know where this error comes from; or if you have something else locally.

I'll simply revert the version bump ...
 
> But in any case, I am a bit demotivated now to be spending time to fix this.
> Hopefully someone else could chime in.

Let's delay this for later.
 
> > Please note that I've started to review the vendored copies and replaced
> > two of these by the Debian packaged code.  I'm not finished - just
> > wanted to see if I'm breaking something.  IMHO the breakage is not
> > caused by the removal of the vendored copies but I wanted to stress this
> > point here.
> 
> Leave the grpc/protobuf deps as it was vendored, I would suggest to not mess around with these
> unless you _really_ know what you are doing :)

Yes - thanks a lot for your advice

     Andreas. 




-- 
http://fam-tille.de