Docker and containerd bundled de pendencies — what to do?
(address . bug-guix@gnu.org)(name . Danny Milosavljevic)(address . dannym@scratchpost.org)
20190212180321.GB14638@jasmine.lan
On Tue, Feb 12, 2019 at 01:45:01AM +0100, Danny Milosavljevic wrote:
Toggle quote (3 lines)
> Docker still contains some vendored dependencies, among those github.com/opencontainers/runc,
> in directory "vendor", and so does containerd. It might make sense to also remove them now.
I didn't do anything regarding the vendored / bundled deps in my patches
related to CVE-2019-5736 https://bugs.gnu.org/34446.
Regarding Docker, the update to 18.09.2 ostensibly fixed CVE-2019-5736,
I suppose by updating the bundled copy of runc.
For containerd I didn't change the package at all.
Both Docker and containerd depend on our runc package. If they don't
actually use it but instead use their bundled copy, we should remove the
dependency and document the bundling, or work on unbundling.
Unfortunately this is complicated for us in recent versions of Go:
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlxjCmkACgkQJkb6MLrK
fwgQKhAAliEBnAgEiK4TiQmAHNPtQCQdAkSVd70+GDM97L1gJqSMu8d1PBGOH/B9
TX+6tgQvilEvcdrdg2zgnsm+KlVc+a3MM2UK0kiIlehdy9x6vcSkgTWQj/wHRVvn
9rOALnwBnp3LQmicxkz4g7k3QlUlwCH+nr4UXcmugxCKg8MvX0oR2oquGxgA9amI
7jwl231L+59inFmdHVI1obqZZyerhXt2DjKf2iFzyat1TswtM12i+OlaZDReIf0X
DWeZsCWLxMHbtNKJTvfN1gF1f8vDWY03bW920RmfX1y4KWwUVVp3qur7ofIJxytc
/gaxMnfdvXXsHN00W7QlNLJGPEDBdUq6elIoGsTsqE92KvCaZCQusXy7dHf0wZJy
rrACO52DedLK9m0rKREO4TLb8FwnILHAa6ao1arwO3iywj0xthhZ9+WRFbiDQ2oZ
kRi4mX8dXkRZRK/AlNk4LByKe1yDc3sxZHbIlK/8dELWpk+T7Gj47wik6Vf0UDi0
jiQycihQdQCIdppfFtN7ZTqdUVR1u7/Aj69lROulvI50w1rW879FN5X6DvsOP2zA
vl15WFBdQXXbQzCL8AO7fyOYVoPEGp2W7pdTaZWU8JLg5H2mFT41GOvBvhXwfDP9
6OWSEm+WdUm6Dd91Z3ZTms2SvDxP+E3hpgGvT6aVOGaHeCQ5Q40=
=jsqu
-----END PGP SIGNATURE-----