According to the report from comment #6, of the 17 vendorized packages runc uses, 16 exist as debs in universe, and 1 (go-criu) isn't packaged at all.
We can de-vendorize the 16 packages, assuming the versions we have in universe are ok (some are ahead of the vendored code, some are behind). Lucas has a branch for this, where runc has build-depends on those 16 packages. The resulting deb gets a Built-Using entry: $ dpkg --info ../runc_1.0.0~rc8+git20190923.3e425f80+ds1-0ubuntu1_amd64.deb |grep Built-Using Built-Using: go-md2man (= 1.0.10+ds-1), golang-1.13 (= 1.13.5-1ubuntu1), golang-blackfriday (= 1.5.2+git20190616.a925a15-1), golang-dbus (= 5.0.3-1), golang-github-containerd-console (= 0.0~git20170925.84eeaae-1), golang-github-coreos-go-systemd (= 22.0.0-1), golang-github-cyphar-filepath-securejoin (= 0.2.2-1), golang-github-docker-go-units (= 0.4.0-3), golang-github-mrunalp-fileutils (= 0.0~git20160930.0.4ee1cc9-1), golang-github-opencontainers-selinux (= 1.3.0-2), golang-github-opencontainers-specs (= 1.0.1+git20190408.a1b50f6-1), golang-github-pkg-errors (= 0.8.1-1), golang-github-urfave-cli (= 1.22.2-1), golang-github-vishvananda-netlink (= 1.0.0+git20181030.023a6da-1), golang-github-vishvananda-netns (= 0.0~git20170707.0.86bef33-1), golang-go.crypto (= 1:0.0~git20190701.4def268-2), golang-gocapability-dev (= 0.0+git20180916.d983527-1), golang-golang-x-sys (= 0.0~git20190726.fc99dfb-1ubuntu2), golang-goprotobuf (= 1.3.2-2), golang-logrus (= 1.3.0-1) > - Therefore it was agreed that we will do an initial check if a few could be > used > de-vendorized that are already done (e.g. due to former LXD activities) but > not > de-vendorize/MIR new packages. So, since none of the packages that runc build-depends on have been MIRed before, do we keep the runc package as is and proceed with the security review with the vendored code? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1817336 Title: [MIR] runc To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1817336/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
