On Wed, 12 Oct 2022 at 18:08, Nilesh Patra <nil...@debian.org> wrote:
> Hi,
>
> src:singularity-container was lying around in a bad shape for several years and had missed 2 Debian releases until Andreas and I picked it up again. It is currently in a reasonably good condition. I was excited to have it in stable release again, but I have a couple of doubts over it.
>
> 1. A little background:
> singularity-container syncs the code from the upstream codebase for sylabs[1], and there also exists a community-maintained fork called apptainer.
> Sylabs singularity CE seems to sync up a lot of code with apptainer in many releases. The apptainer community announcement page about the split also hints towards saying similar stuff, but this is all the more confusing as it is hard to draw a line b/w them.
> A while back, I found a reddit comment[4] from the current maintainer of sylabs singularity which has a statement:
>
> | At this point there it appears that Apptainer 1.0 will be very close
> | to SingularityCE 3.9 which we released recently, given
> | the picks from SingularityCE into the code base.
>
> So I am absolutely confused if it makes sense to package apptainer at all or should I just let it be?

For the moment, I would be happy to have singularity itself. Adding its fork is nice, but means extra work, so I think we should focus on the "main" tool for the moment and see after....

>
> 2. The _more_ important question:
> There are CVEs being discovered in singularity-container -- no biggie. However, some of the CVE fixes are simply _hidden_ from the user view.
> As a concrete example, there was a "CVE-2021-33622" opened[5] against singularity-CE, and the only information upstream provides is that it has been fixed in the 3.7.x of the community edition, but there is no information about _what_ the fix was.
> I tried asking upstream about this but did not get a pin-pointed reply[6], and it appears that upstream is somewhat discreet about these.
>
> A similar bug has been fixed in the latest release, CVE-2022-39237 here[7], but it does not say _what_ patch fixes it exactly.
> And the problem is that apptainer has addressed the exact same bug in its latest release and they too are unclear about it[8].
>
> So my fear is that: once singularity-container hits stable release and a CVE is found, it'd be a hellhole for me/others to find what exactly fixed the CVE (unless it is being clearly stated), and apply that. The only option left would be to upgrade the package to fix the CVE, and I don't know if the release team would allow that.
>
> And I don't see this problem getting fixed with apptainer as well, since there are bugs that both the codebases would keep on inheriting from one another.
> And thus I am not sure if this situation is OK for stable release or not.

It won't be OK for stable release, which will expect only security fixes, no full upgrades.... Many software projects do not provide such detailed information, and I agree that the task force required to follow CVE details in source code can be quite complex to obtain (or even not feasible). You also need knowledge of the tool/language. The last resort is to keep CVEs open.... this is the case for different tools :-(

>
> OTOH, singularity is an important package and many users would be happy to have it in stable -- I have even got a couple of bug reports/texts saying people are happy to see a new update of singularity.
>

+1 for important package for several communities :-)

Olivier

>
> Any opinions?
>
> [1]: https://github.com/sylabs/singularity
> [2]: https://github.com/apptainer/apptainer
> [3]: https://apptainer.org/news/community-announcement-20211130/
> [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
> [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
> [6]: https://github.com/sylabs/singularity/issues/586
> [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
> [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
>
> --
> Best,
> Nilesh