Re: Buster to be released with singularity-container?
[adding Debian HPC team to the loop]
On Mon, Dec 17, 2018 at 07:41:39PM -0500, Afif Elghraoui wrote:
> Hi, Salvatore
> On 9/4/1440 AH at 9:32 AM, Salvatore Bonaccorso wrote:
> > Hi Afif,
> > I would like to come back to this given the freeze for buster is
> > approaching now and the recent CVE-2018-19295 raised a warning flag.
> > Do you think we will be able to really support
> > src:singularity-container during the buster cycle? Otherwise I would
> > suggest we keep it out of testing and prevent an inclusion in buster
> > if that looks not doable.
> > For instance, would we be able to fix CVE-2018-19295 in isolation?
> > In this case the changes between 2.6.0 and 2.6.1 on github would be
> > overviewable and the patch extractable, but for other cases in past
> > that was not so easy, and upstream does distinguish between the
> > community and pro version, providing patches for the latter's customers.
> > But we need your input here as the maintainers :)
> > What do you think?
> It's hard to say since this latest CVE is not really a good example. 2.6.1
> was released as a courtesy--security support is only promised for the latest
> version, which is 3.0.1 currently, so I don't know what this situation would
> look like if that wasn't the case. I will need to contact upstream and find
Ack, thanks; let us know the outcome, bearing in mind that we still
have time, but not too much.
> By the way, as long as there isn't anything secret in this communication, I
> think it's best to use the debian-hpc list since this package is
> team-maintained there.
No, nothing private here, just wanted to make sure to reach out to the
primary responsible persons for the package.
Thanks for your time invested here, very much appreciated!