Hi,

At Foundries.io we intend to update the docker version on the kirkstone
branch to the latest available upstream, currently v23.
It looks like the better approach would be doing that in the mixin layer;
for that a new kirkstone LTS branch will be required.

This requires a golang update as well, but the golang on master is broken
for some cases when -linkshared is in use and we are still debugging this
issue.
I intend to start this backport once I have first stabilized golang 1.20
on master.

Do you think this approach for updating docker is appropriate
and acceptable?

Jose


Alexander Kanavin <[email protected]> wrote on Tuesday, 7/03/2023
at 09:34:

> If you understand the code well, and can be confident that your
> backports address the issue correctly and do not introduce new issues,
> then by all means go ahead.
>
> My personal position should be known: I see the whole 'CVE
> backporting' industry as a colossal waste. We need to learn to update
> to supported upstream versions, and not be scared of breaking
> production with that.
>
> Alex
>
> On Tue, 7 Mar 2023 at 10:05, Valek, Andrej <[email protected]>
> wrote:
> >
> > Hello Alex,
> >
> > Yes, that would be an option, but afaik it wasn't working quite well. So I
> > would still prefer a straightforward solution.
> >
> > Should I spend some time creating such patches? Meaning, is there a
> > potential option for them being accepted?
> >
> > Andrej
> >
> > On Tue, 2023-03-07 at 07:37 +0100, Alexander Kanavin wrote:
> > > You probably should make a kirkstone mixin layer like we did for
> > > dunfell.
> > > https://git.yoctoproject.org/meta-lts-mixins/
> > >
> > > Alex
> > >
> > > On Tue, 7 Mar 2023 at 07:32, Andrej Valek <[email protected]>
> > > wrote:
> > > >
> > > > Hello everyone,
> > > >
> > > > I would like to ask you how to proceed with multiple CVEs for
> > > > Google Go
> > > > component in kirkstone branch.
> > > >
> > > > CVEs in current version 1.17.13:
> > > > - CVE-2022-41722
> > > > - CVE-2022-41725
> > > > - CVE-2022-41724
> > > > - CVE-2022-41723
> > > >
> > > > They are fixed in the 1.19.6/1.20.1 branches, but fixing patches are
> > > > available for all of them too. Unfortunately there are more than
> > > > ~1000 changed LOC, so I am not sure if applying them is the right
> > > > approach.
> > > > Not sure if the upgrade is acceptable.
> > > >
> > > > So how to proceed with this?
> > > >
> > > > I know that they aren't critical ones, but it would be nice to have
> > > > them fixed.
> > > >
> > > > Regards,
> > > > Andrej
> > > >

-- 
Best regards,

José Quaresma
View/Reply Online (#178103): 
https://lists.openembedded.org/g/openembedded-core/message/178103