Re: Should singularity-container make it to next release?



Hi all,

> +  Security support?
>   I see upstream comments that they will disclose the relevant
> fix/commit for CVE, then it should be enough. I think most packages in

Just noting here that I've added a bit more on the GitHub thread re:
exactly what form fixes are available in with respect to the lifecycle
of SingularityCE versions.

TLDR...

* We only do patch releases for a minor x.y version of the open-source
SingularityCE for ~6 months.

* For versions of SingularityCE that we turn into a commercial
SingularityPRO release.... our security policy means we will provide
diffs only for security fixes that we apply to open source code in
SingularityPRO, *and that apply* to the SingularityCE version from
which SingularityPRO was branched. It is not guaranteed that every
security issue in SingularityCE 3.9 is covered by diffs we release
based on the (closed) long term support work for SingularityPRO 3.9.
Security issues arising from older dependencies in SingularityCE would
need to be tracked separately, for example.

* Everything else will need backporting by the distro. We follow
dependency updates (including major version updates) quickly, and we
only target the latest 2 versions (upstream supported) of Go. This may
impact the ease of backporting significantly over the course of a
Debian stable release.

Cheers,

-- 
David Trudgian
Sylabs Inc.
