
Re: Buster to be released with singularity-container?

Hi Afif,

[adding Debian HPC team to the loop]

On Mon, Dec 17, 2018 at 07:41:39PM -0500, Afif Elghraoui wrote:
> Hi, Salvatore
> On 9/4/1440 AH at 9:32 AM, Salvatore Bonaccorso wrote:
> > Hi Afif,
> > 
> > I would like to come back to this given the freeze for buster is
> > approaching now and the recent CVE-2018-19295 raised a warning flag.
> > 
> > Do you think we will be able to really support
> > src:singularity-container during the buster cycle? Otherwise I would
> > suggest we keep it out of testing and prevent an inclusion in buster
> > if that looks not doable.
> > 
> > For instance, would we be able to fix CVE-2018-19295 in isolation?
> > In this case the changes between 2.6.0 and 2.6.1 on github would be
> > overviewable and the patch extractable, but for other cases in the past
> > that was not so easy, and upstream does distinguish between the
> > community and pro version, providing patches for the latter's customers.
> > 
> > But we need your input here as the maintainers :)
> > 
> > What do you think?
> > 
> It's hard to say since this latest CVE is not really a good example. 2.6.1
> was released as a courtesy--security support is only promised for the latest
> version, which is 3.0.1 currently, so I don't know what this situation would
> look like if that wasn't the case. I will need to contact upstream and find
> out.

Ack, thanks. Let us know the outcome, bearing in mind that we still
have time, but not too much.

> By the way, as long as there isn't anything secret in this communication, I
> think it's best to use the debian-hpc list since this package is
> team-maintained there.

No, nothing private here, just wanted to make sure to reach out to the
primary responsible persons for the package.

Thanks for your time invested here, very much appreciated!

