Hi all,

> + Security support?
> I see upstream comments that they will disclose the relevant
> fix/commit for CVE, then it should be enough. I think most packages in
Just noting here that I've added a bit more on the GitHub thread re: exactly what form fixes are available in with respect to the lifecycle of SingularityCE versions.

TLDR...

* We only do patch releases for a minor x.y version of the open-source SingularityCE for ~6 months.

* For versions of SingularityCE that we turn into a commercial SingularityPRO release.... our security policy means we will provide diffs only for security fixes that we apply to open source code in SingularityPRO, *and that apply* to the SingularityCE version from which SingularityPRO was branched. It is not guaranteed that every security issue in SingularityCE 3.9 is covered by diffs we release based on the (closed) long term support work for SingularityPRO 3.9. Security issues arising from older dependencies in SingularityCE would need to be tracked separately, for example.

* Everything else will need backporting by the distro. We follow dependency updates (including major version updates) quickly, and we only target the latest 2 versions (upstream supported) of Go. This may impact the ease of backporting significantly over the course of a Debian stable release.

Cheers,

-- 
David Trudgian
Sylabs Inc.