GNU bug report logs -
#34459
Docker and containerd bundled dependencies — what to do?
Previous Next
To reply to this bug, email your comments to 34459 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#34459; Package
guix.
(Tue, 12 Feb 2019 18:17:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Tue, 12 Feb 2019 18:17:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Feb 12, 2019 at 01:45:01AM +0100, Danny Milosavljevic wrote:
> Docker still contains some vendored dependencies, among those github.com/opencontainers/runc,
> in directory "vendor", and so does containerd. It might make sense to also remove them now.
I didn't do anything regarding the vendored / bundled deps in my patches
related to CVE-2019-5736 <https://bugs.gnu.org/34446>.
Regarding Docker, the update to 18.09.2 ostensibly fixed CVE-2019-5736,
I suppose by updating the bundled copy of runc.
For containerd I didn't change the package at all.
Both Docker and containerd depend on our runc package. If they don't
actually use it but instead use their bundled copy, we should remove the
dependency and document the bundling, or work on unbundling.
Unfortunately this is complicated for us in recent versions of Go:
https://lists.gnu.org/archive/html/guix-devel/2018-11/msg00223.html
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 120 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.