On 3/6/19 10:03 AM, Shengjing Zhu wrote:
> I think the runc should be fixed.
>
> But I don't like the patch you suggested. It's confusing to the user. If
> you set the git commit to the upstream one, like
> ccb5efd37fb7c86364786e9137e22948751de7ed for 1.0.0-rc6, the user would
> think it's 1.0.0-rc6 indeed, but apparently it's not, it's 1.0.0-rc6
> with CVE-2019-5736 patch.

Indeed, you're right.

> So I would suggest to use the debian package version in the commit
> field. More specifically:
>
> diff --git a/debian/rules b/debian/rules > index 81df53b..0087b6b 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -5,7 +5,11 @@ > > export DH_GOPKG := github.com/opencontainers/runc > export DH_GOLANG_INSTALL_EXTRA := libcontainer/seccomp/fixtures > + > +include /usr/share/dpkg/pkg-info.mk > + > TAGS=apparmor seccomp selinux ambient > +LDFLAGS := -X main.version=$(DEB_VERSION_UPSTREAM) -X > main.gitCommit=$(DEB_VERSION) > > %: > dh $@ --buildsystem=golang --with=golang --builddirectory=_build > @@ -33,7 +37,7 @@ override_dh_auto_configure: > # ln -svrf vendor/github.com/opencontainers/specs > _build/src/github.com/opencontainers/ > > override_dh_auto_build: > - dh_auto_build -- -tags "$(TAGS)" > + dh_auto_build -- -tags "$(TAGS)" -ldflags "$(LDFLAGS)" > > override_dh_auto_test: > DH_GOLANG_EXCLUDES="libcontainer/integration" \

Thanks for the patch, I applied it and force-pushed it to wip/909644.
Feel free to merge if you like it.

> And we're late to fix this before hard freeze. If we want this fix
> included in buster, we should ask release team to unblock.

Ok, I will do that if you upload the package then.
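
Review bot: In the first hunk, the added LDFLAGS line puts $(DEB_VERSION) into main.gitCommit, so a field labelled as a commit will carry a Debian package version instead of a git hash, and nothing in debian/rules says why. A short comment above the line, noting that the package carries patches on top of the upstream commit and so the package version is reported on purpose, would save later maintainers from "fixing" it. The same line sets main.version=$(DEB_VERSION_UPSTREAM): if the Debian upstream version is spelled with a tilde or a repack suffix, that spelling, not upstream's 1.0.0-rc6 form, is what gets embedded, so anything that parses the reported version should be checked against it. LDFLAGS is also the conventional name for C linker flags; a distinct name such as GO_LDFLAGS would avoid confusion. As quoted, the line is wrapped after the second -X and needs to be a single line in the file.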
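
Review bot: In override_dh_auto_build, the new -ldflags "$(LDFLAGS)" argument is passed without anything confirming that the values reach the binary. The Go linker's -X option does nothing, silently, when the named symbol is not a package-level string variable, so a typo or an upstream rename of main.version or main.gitCommit would go unnoticed. Running the built binary's version command in the test step and comparing its output with $(DEB_VERSION) would catch that. The double-quoted expansion is safe only while the version strings contain no spaces or quotes, which Debian version syntax already rules out.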