Re: Should singularity-container make it to next release?

To: Nilesh Patra <nilesh@debian.org>
Cc: debian-devel@lists.debian.org, debian-hpc@lists.debian.org, David Trudgian <david.trudgian@sylabs.io>, debian-security@lists.debian.org
Subject: Re: Should singularity-container make it to next release?
From: Andreas Tille <tille@debian.org>
Date: Mon, 9 Jan 2023 14:28:22 +0100
Message-id: <[🔎] Y7wWdowf1D0ywoJ5@an3as.eu>
In-reply-to: <20230109102110.dwrdv56mdvebmkgu@nileshpatra.info>
References: <20221012160820.r4tjfrz2v6czmz45@nileshpatra.info> <20230109102110.dwrdv56mdvebmkgu@nileshpatra.info>

Hi,

it would be great if someone from Security Team might raise some
opinion to this question.

Kind regards
    Andreas.

Am Mon, Jan 09, 2023 at 03:51:10PM +0530 schrieb Nilesh Patra:
> Hi,
> 
> On Wed, Oct 12, 2022 at 09:38:27PM +0530, Nilesh Patra wrote:
> > src:singularity-container was lying around in a bad shape for several years
> > and had missed 2 debian releases until me and Andreas picked it up again.
> > It is currently in a reasonably good condition. I was excited to have it in
> > stable release again, but I have a couple of doubts over it.
> > 
> > 1. A little background:
> > singularity-container sync the code from the upstream codebase for sylabs[1]
> > and there also exists a community-maintained fork called apptainer.
> > Sylabs singularity CE seems to sync up a lot of code with apptainer in
> > many releases. The apptainer community announcement page about the split also
> > hints towards saying similar stuff, but this is all the more confusing as it is
> > hard to draw a line b/w them.
> > A while back, I found a reddit comment[4] from the current maintainer of sylabs
> > singularity which has a statement:
> > 
> > | At this point there it appears that Apptainer 1.0 will be very close
> > | to SingularityCE 3.9 which we released recently, given
> > | the picks from SingularityCE into the code base.
> > 
> > So I am absolutely confused if it makes sense to package apptainer at all or
> > should I just let it be?
> > 
> > 2. The _more_ important question:
> > There are CVEs being discovered in singularity-container -- no biggie. However, some
> > of the CVE fixes are simply _hidden_ from the user view.
> > As a concrete example, there was
> > a "CVE-2021-33622" opened[5] against singularity-CE, and the only information
> > upstream provides is that it has been fixed in the 3.7.x of the community edition
> > but there is no information about _what_ the fix was.
> > I tried asking upstream about this but did not get a pin-pointed reply[6] and it
> > appears that upstream is somewhat discrete about these.
> > 
> > A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
> > does not say _what_ patch fixes it exactly.
> > And the problem is that apptainer has addressed the exact same bug in
> > its latest release and they too are un-clear about it[8].
> > 
> > So my fear is that: Once singularity-container hits stable release, and there is
> > a CVE being found. It'd be a hellhole for me/others to find what exactly
> > fixed the CVE (unless it is being clearly stated), and apply that. The only
> > option left would be to upgrade the package to fix the CVE and I don't know if
> > release team would allow that.
> > 
> > And I don't see this problem getting fixed with apptainer as well, since there
> > are bugs that both the codebases would keep on inheriting from one another.
> > And thus I am not sure if this situation is OK for stable release or not.
> > 
> > OTOH, singularity is an important package and many users would be happy to have
> > it in stable -- I have even got a couple of bug reports/texts saying
> > people are happy to see a new update of singularity.
> 
> I started this thread a while back, and decided to simply ask upstream about what their
> opinion is[9]
> It looks like the situation still not fully certain on whether to let singularity make it to stable
> or not.
> 
> I'd appreciate if someone on the list could chime in and give an opinion on if they
> consider it do-able or not for upcoming bookworm release.
> 
> I've kept upstream in CC to avoid ping-pong, and thanks David for a nice elaborate reply.
> 
> > [1]: https://github.com/sylabs/singularity
> > [2]: https://github.com/apptainer/apptainer
> > [3]: https://apptainer.org/news/community-announcement-20211130/
> > [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
> > [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
> > [6]: https://github.com/sylabs/singularity/issues/586
> > [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
> > [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
> [9]: https://github.com/sylabs/singularity/issues/1235#issuecomment-1375334909
> 
> -- 
> Best,
> Nilesh



-- 
http://fam-tille.de

Reply to:

Follow-Ups:
- Re: Should singularity-container make it to next release?
  - From: Salvatore Bonaccorso <carnil@debian.org>

Next by Date: open security issues in the git packages
Next by thread: Re: Should singularity-container make it to next release?
Index(es):
- Date
- Thread