
Re: Should singularity-container make it to next release?
On Wed, 12 Oct 2022 at 18:08, Nilesh Patra <nilesh@debian.org> wrote:
Hi,

src:singularity-container was lying around in bad shape for several years
and had missed 2 Debian releases until Andreas and I picked it up again.
It is currently in a reasonably good condition. I was excited to have it in
stable release again, but I have a couple of doubts over it.

1. A little background:
singularity-container syncs the code from the upstream codebase for sylabs[1]
and there also exists a community-maintained fork called apptainer.
Sylabs singularity CE seems to sync up a lot of code with apptainer in
many releases. The apptainer community announcement page about the split also
hints towards saying similar stuff, but this is all the more confusing as it is
hard to draw a line between them.
A while back, I found a reddit comment[4] from the current maintainer of sylabs
singularity which has a statement:

| At this point there it appears that Apptainer 1.0 will be very close
| to SingularityCE 3.9 which we released recently, given
| the picks from SingularityCE into the code base.

So I am absolutely confused about whether it makes sense to package apptainer at all or
whether I should just let it be?

For the moment, I would be happy to have singularity itself. Adding its fork is nice, but means extra work, so I think we should focus on the "main" tool for the moment and see afterwards....

2. The _more_ important question:
There are CVEs being discovered in singularity-container -- no biggie. However, some
of the CVE fixes are simply _hidden_ from the user view.
As a concrete example, there was
a "CVE-2021-33622" opened[5] against singularity-CE, and the only information
upstream provides is that it has been fixed in the 3.7.x of the community edition
but there is no information about _what_ the fix was.
I tried asking upstream about this but did not get a pin-pointed reply[6] and it
appears that upstream is somewhat discreet about these.

A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
does not say _what_ patch fixes it exactly.
And the problem is that apptainer has addressed the exact same bug in
its latest release and they too are unclear about it[8].

So my fear is that once singularity-container hits a stable release and a CVE
is found, it'd be a hellhole for me/others to find what exactly
fixed the CVE (unless it is clearly stated) and apply that. The only
option left would be to upgrade the package to fix the CVE, and I don't know if
the release team would allow that.

And I don't see this problem getting fixed with apptainer as well, since there
are bugs that both the codebases would keep on inheriting from one another.
And thus I am not sure if this situation is OK for stable release or not.

It won't be OK for a stable release, which will expect only security fixes, no full upgrades....
Many software projects do not provide such detailed information, and I agree that the task force required to follow CVE details in the source code can be quite complex to obtain (or even not feasible).
You also need knowledge of the tool/language.

The last resort is to keep CVEs open.... This is the case for different tools :-(
OTOH, singularity is an important package and many users would be happy to have
it in stable -- I have even got a couple of bug reports/texts saying
people are happy to see a new update of singularity.


+1 for an important package for several communities :-)

Olivier
Any opinions?

[1]: https://github.com/sylabs/singularity
[2]: https://github.com/apptainer/apptainer
[3]: https://apptainer.org/news/community-announcement-20211130/
[4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
[5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
[6]: https://github.com/sylabs/singularity/issues/586
[7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
[8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2

--
Best,
Nilesh