
Re: Buster to be released with singularity-container?



Hi again, Salvatore & rest of the security team

On 12/4/1440 AH 1:24 PM, Afif Elghraoui wrote:


On December 18, 2018 12:18:16 AM EST, Salvatore Bonaccorso <carnil@debian.org> wrote:

But we need your input here as the maintainers :)

What do you think?



It's hard to say since this latest CVE is not really a good example. 2.6.1 was released as a courtesy--security support is only promised for the latest version, which is 3.0.1 currently, so I don't know what this situation would look like if that wasn't the case. I will need to contact upstream and find out.

Ack, thanks let us know the outcome, bearing in mind that we have still time but not too much.


I contacted upstream. The worst-case scenario is that a new vulnerability is found which does not affect the current version, but affects the version in Stable. Upstream would still issue a CVE, but may not issue a patch at all. We may be on our own to patch it in that case. I personally don't feel that I'm up to it. Not sure about anyone else.



Discussion about this has come up in the upstream google group [1]. The statement by upstream is https://groups.google.com/a/lbl.gov/d/msg/singularity/kbtX1UekVrg/KKpjEysBDAAJ , but I would just like to be clear on the possibility of an exception to update a version in Stable in case of large code changes--as mentioned in your FAQ page [2]--since it seems that this would be the problematic case we'd encounter. It seems we'll be fine in other cases.

regards
Afif


1. https://groups.google.com/a/lbl.gov/forum/#!topic/singularity/kbtX1UekVrg
2. https://www.debian.org/security/faq#oldversion

--
Afif Elghraoui | عفيف الغراوي
http://afif.ghraoui.name

