Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

To: debian-go@lists.debian.org
Cc: 990201@bugs.debian.org
Subject: Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
From: Andreas Tille <andreas@an3as.eu>
Date: Fri, 18 Feb 2022 21:38:27 +0100
Message-id: <[🔎] YhADw9XxvZhuiK+0@an3as.eu>
Reply-to: Andreas Tille <andreas@an3as.eu>, 990201@bugs.debian.org
In-reply-to: <3f99a166-9094-dd08-8705-b4fc27a2013a@riseup.net>
References: <[🔎] Yg+RiGfU5ORu95it@an3as.eu> <[🔎] 1b9c83d7-5ad1-526d-93e8-35c3c1c75c78@riseup.net> <[🔎] CAFyCLW_2Oi73-y5b18yUk5r7GFS9yg7D-3aTmGx9+4c_tdO6wg@mail.gmail.com> <Yg/D8ToeJaDezsuI@an3as.eu> <CAFyCLW8OvrDdPEurW2AL1TyfKqru8zo6CcLKZ5vh7kazY46_jg@mail.gmail.com> <Yg/H5Chk9lWkxFqn@an3as.eu> <CAFyCLW8XADF3m88sSWvxgWb0XbFFoA_2mSa8MSJWEfCixAvUNw@mail.gmail.com> <Yg/WWSrWWf0a7FEm@an3as.eu> <3f99a166-9094-dd08-8705-b4fc27a2013a@riseup.net> <162438285127.2542698.9089117666708982053.reportbug@eldamar.lan>

Hi again,

I can confirm I've got version 3.9.4 building thanks to all your
help.

Am Fri, Feb 18, 2022 at 11:31:23PM +0530 schrieb Nilesh Patra:
> | dh_fixperms
> | chown -c root.root debian/singularity-container/usr/lib/*/singularity/bin/*
> | chown: changing ownership of 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter': Operation not permitted
> | chown: changing ownership of 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid': Operation not permitted
> 
> I am not really sure why this is done, but since this is more package related and has not got much to do with golang-land, I leave
> this onto you to carry fwd.

I disabled the attempt `chown -c root.root` which is not permitted on
one hand and not needed on the other hand since the resulting files
inside the Debian package are owned by root anyway.

> Hope that helped.

It helped a lot!

Seems I got cocky now and realised that there is a new version 3.9.5
out.  I did not wanted to upload something that is outdated at the time
of uploading and trusted that it is a minor bugfix release.  Unfortunately
the build has the following issue:

...
github.com/sylabs/singularity/vendor/github.com/prometheus/client_golang/prometheus
github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
# github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
../vendor/google.golang.org/grpc/status/status.go:176:21: cannot use any (type *any.Any) as type *anypb.Any in append
../vendor/google.golang.org/grpc/status/status.go:190:32: cannot use any (type *anypb.Any) as type *any.Any in argument to ptypes.UnmarshalAny
encoding/gob
html
html/template
...


Please note that I've started to review the vendored copies and replaced
two of these by the Debian packaged code.  I'm not finished - just
wanted to see if I'm breaking something.  IMHO the breakage ist not
caused by the removal of the vendored copies but I wanted to stress this
point here.

Kind regards

       Andreas.


-- 
http://fam-tille.de

Reply to:

Follow-Ups:
- Bug#990201: extra vendor/ directory
  - From: Benda Xu <orv@debian.org>

References:
- Re: singularity-container: CVE-2021-33622
  - From: Andreas Tille <andreas@an3as.eu>
- Re: singularity-container: CVE-2021-33622
  - From: Nilesh Patra <nilesh@riseup.net>
- Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Re: singularity-container: CVE-2021-33622
Next by Date: Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
Previous by thread: Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
Next by thread: Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)
Index(es):
- Date
- Thread