In general vendored depends are "okay" in that they are a known issue
that we generally need to deal with, even if it should be avoided
whenever possible.

Blockers:
- There is still no team subscriber for the package; ubuntu-server isn't
subscribed.
- Three open CVEs that need fixing in disco; should get an explicit ack by
Security that it's maintainable / manageable for them considering both the
vendoring and the currently open CVEs / CVE history.

This should also see a proper code review by the Security Team. I see
various potentially sensitive points in the package, which is in line
with container management stuff: dealing with signals, namespaces, cache
management?

It also appears that this was previously maintained by Michael /
Foundations; it should be clarified exactly who should own the
maintenance of this package (is it Foundations or Server?).

Reassigning to Ubuntu Security for review.

** Changed in: runc (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team 
(ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817336

Title:
  [MIR] runc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1817336/+subscriptions
