Hi, it would be great if someone from the Security Team could offer an opinion on this question.
Kind regards
Andreas.

On Mon, Jan 09, 2023 at 03:51:10PM +0530, Nilesh Patra wrote:
> Hi,
>
> On Wed, Oct 12, 2022 at 09:38:27PM +0530, Nilesh Patra wrote:
> > src:singularity-container was lying around in a bad shape for several years
> > and had missed 2 Debian releases until me and Andreas picked it up again.
> > It is currently in a reasonably good condition. I was excited to have it in
> > stable release again, but I have a couple of doubts over it.
> >
> > 1. A little background:
> > singularity-container syncs the code from the upstream codebase for sylabs[1]
> > and there also exists a community-maintained fork called apptainer.
> > Sylabs singularity CE seems to sync up a lot of code with apptainer in
> > many releases. The apptainer community announcement page about the split
> > also hints towards saying similar stuff, but this is all the more confusing
> > as it is hard to draw a line b/w them.
> > A while back, I found a reddit comment[4] from the current maintainer of
> > sylabs singularity which has a statement:
> >
> > | At this point there it appears that Apptainer 1.0 will be very close
> > | to SingularityCE 3.9 which we released recently, given
> > | the picks from SingularityCE into the code base.
> >
> > So I am absolutely confused if it makes sense to package apptainer at all or
> > should I just let it be?
> >
> > 2. The _more_ important question:
> > There are CVEs being discovered in singularity-container -- no biggie.
> > However, some of the CVE fixes are simply _hidden_ from the user view.
> > As a concrete example, there was a "CVE-2021-33622" opened[5] against
> > singularity-CE, and the only information upstream provides is that it has
> > been fixed in the 3.7.x of the community edition but there is no information
> > about _what_ the fix was.
> > I tried asking upstream about this but did not get a pin-pointed reply[6]
> > and it appears that upstream is somewhat discreet about these.
> >
> > A similar bug has been fixed in the latest release, CVE-2022-39237 here[7]
> > but it does not say _what_ patch fixes it exactly.
> > And the problem is that apptainer has addressed the exact same bug in
> > its latest release and they too are unclear about it[8].
> >
> > So my fear is that: once singularity-container hits stable release, and
> > there is a CVE being found, it'd be a hellhole for me/others to find what
> > exactly fixed the CVE (unless it is being clearly stated), and apply that.
> > The only option left would be to upgrade the package to fix the CVE and I
> > don't know if the release team would allow that.
> >
> > And I don't see this problem getting fixed with apptainer as well, since
> > there are bugs that both the codebases would keep on inheriting from one
> > another. And thus I am not sure if this situation is OK for stable release
> > or not.
> >
> > OTOH, singularity is an important package and many users would be happy to
> > have it in stable -- I have even got a couple of bug reports/texts saying
> > people are happy to see a new update of singularity.
>
> I started this thread a while back, and decided to simply ask upstream about
> what their opinion is[9].
> It looks like the situation is still not fully certain on whether to let
> singularity make it to stable or not.
>
> I'd appreciate it if someone on the list could chime in and give an opinion
> on whether they consider it do-able or not for the upcoming bookworm release.
>
> I've kept upstream in CC to avoid ping-pong, and thanks David for a nice
> elaborate reply.
>
> > [1]: https://github.com/sylabs/singularity
> > [2]: https://github.com/apptainer/apptainer
> > [3]: https://apptainer.org/news/community-announcement-20211130/
> > [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
> > [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
> > [6]: https://github.com/sylabs/singularity/issues/586
> > [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
> > [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
> [9]: https://github.com/sylabs/singularity/issues/1235#issuecomment-1375334909
>
> --
> Best,
> Nilesh

--
http://fam-tille.de