
Bug#990201: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)



On 2/19/22 2:08 AM, Andreas Tille wrote:
On Fri, Feb 18, 2022 at 11:31:23PM +0530, Nilesh Patra wrote:
| dh_fixperms
| chown -c root.root debian/singularity-container/usr/lib/*/singularity/bin/*
| chown: changing ownership of 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter': Operation not permitted
| chown: changing ownership of 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid': Operation not permitted
[...]
I disabled the attempt `chown -c root.root` which is not permitted on
one hand and not needed on the other hand since the resulting files
inside the Debian package are owned by root anyway.

Yeah, as we discussed in the debian-med video call as well.
Did you happen to test it a bit?

Hope that helped.

It helped a lot!

Seems I got cocky now and realised that there is a new version 3.9.5
out.

It always makes sense to look at the diff before you assume that nothing much
would've changed.
Seems they did major changes in what should essentially look like a patch release :(
At least the commit here[1] shows non-trivial changes

[1]: https://salsa.debian.org/hpc-team/singularity-container/-/commit/0d8440c61b866c7a8ac30739dcca2bff2b04897b

I did not want to upload something that is outdated at the time

I think it does make sense to first upload what you have at hand and what is building for you.
It is at least not worse than what we have currently.

We can focus on the new version after that -- well, at least we are making progress, right.

If you agree, please finalise 3.9.4; since 3.9.5 throws grpc/protobuf stuff and it is almost never
straightforward to fix from my past experiences.
It just puts me off, I admit.

of uploading and trusted that it is a minor bugfix release.  Unfortunately
the build has the following issue:

...
github.com/sylabs/singularity/vendor/github.com/prometheus/client_golang/prometheus
github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
# github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
../vendor/google.golang.org/grpc/status/status.go:176:21: cannot use any (type *any.Any) as type *anypb.Any in append
../vendor/google.golang.org/grpc/status/status.go:190:32: cannot use any (type *anypb.Any) as type *any.Any in argument to ptypes.UnmarshalAny
encoding/gob
html
html/template
...

I do not even see the grpc folder anywhere on salsa now.

$ find . -name grpc | wc -l
0

So I do not know where this error comes from; or if you have something else locally.

But in any case, I am a bit demotivated now to be spending time to fix this.
Hopefully someone else could chime in.

Please note that I've started to review the vendored copies and replaced
two of these by the Debian packaged code.  I'm not finished - just
wanted to see if I'm breaking something.  IMHO the breakage is not
caused by the removal of the vendored copies but I wanted to stress this
point here.

Leave the grpc/protobuf deps as they were vendored; I would suggest not messing around with these
unless you _really_ know what you are doing :)

Regards,
Nilesh
