In general vendored depends are "okay" in that they are a known issue that we generally need to deal with, even if it should be avoided whenever possible.
Blockers:

- There is still no team subscriber for the package; ubuntu-server isn't subscribed.
- Three open CVEs that need fixing in disco; should get an explicit ack by Security that it's maintainable / manageable for them considering both the vendoring and the currently open CVEs / CVE history.

This should also see a proper code review by the Security Team. I see various potentially sensitive points in the package, which is in line with container management stuff: dealing with signals, namespaces, cache management?

It also appears as if this was previously maintained by Michael / Foundations; it should be clarified exactly who should own the maintenance of this package (is it Foundations or Server?)

Reassigning to Ubuntu Security for review.

** Changed in: runc (Ubuntu)
       Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)

-- 
https://bugs.launchpad.net/bugs/1817336

Title:
  [MIR] runc