Hi Paul, hi Afif,

On Sat, Jun 08, 2019 at 09:26:06PM +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Afif,
>
> On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <[email protected]> wrote:
> > Please unblock package singularity-container/3.1.1+ds-1
> >
> > This package is prone to security vulnerabilities. Upstream provides
> > long-term support for selected versions to their paid users, but also
> > releases all code changes (including backported security patches) to the
> > community.
> >
> > Both 3.0.x and 3.1.x were released earlier this year and it was not
> > known at the time which of these would be the LTS version. 3.0.3 is what
> > I bet on and what is in Testing now, but it now turns out that I was
> > wrong and it's actually 3.1. Using it would greatly facilitate our
> > ability to provide support over the lifetime of Buster.
> >
> > The benefits of doing this have also just been clearly demonstrated:
> > Upstream just released 3.2.0, adding new features as well as fixing
> > security issues affecting versions 3.1.0 and up, but because 3.1 is
> > under LTS support for their paid users, they also provided the security
> > patches backported to 3.1 (see the 3.2.0 release notes -
> > https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
> >
> > So I apologize for the large diff, but I think we'd be in much better
> > shape having this upstream version in Buster. Especially because of the
> > large diff, backporting patches to 3.0 without the help from upstream
> > that we'd get by using 3.1 would be unnecessarily more burdensome.
> >
> > many thanks for your time and consideration
>
> Your proposed changes very much do not align with the freeze policy, so
> you're asking for an exception for a new upstream release. This package
> is currently listed to be auto-removed due to docker.io, so I am not
> going to review it now. docker.io is a major concern for the
> security-team so that needs to be resolved first. If that gets resolved
> in a timely manner, i.e. before it is auto-removed, please ping this bug
> (e.g. by removing the moreinfo bug).
I do agree that the changes are not really reviewable given the size of
the diff. But with Afif's argument and now the package not being marked
as autoremoved: if we want to support singularity-container security-wise
in buster we would need to bite into the apple and accept this late new
version bump for buster as the 3.1 version.

So I think the two options we have are (in order of preference):

1. unblock singularity-container and let the 3.1 based version in to
   buster, or
2. remove singularity-container from buster.

Cc'ing [email protected] for further comments.

Regards,
Salvatore

