This is in the security team's review queue (which is the proper next step).
Thanks Seth for all your work on this already.

I wanted to summarize after the discussion about Go-vendoring at the
recent sprint:

- we expect (as in Docker) to handle runc/containerd specially for SRUs,
providing an upstream experience, which means regular MRE updates.

- due to that, over time we will have to move the Go dependencies forward,
which we can't for de-vendorized packages

- Therefore it was agreed that we will do an initial check if a few
could be used de-vendorized that are already done (e.g. due to former
LXD activities) but not de-vendorize/MIR new packages.

- We will provide a list of used vendorized code and tags/commits of it
to security for their tracking for alerts

- Going forward on updates we will check if some of them will then have
to switch from de-vendorized to vendorized code. In that case we will
keep security updated with the new list of vendored code for their
tracking for alerts.


-- TODOs (other than the ongoing security review) ---

@Andreas will at some point do a check which (of the many) dependencies could
(right now) be used from pre-de-vendorized packages - security had a particular
interest in golang-golang-x-crypto-dev which was already in main for Juju (bug
1267393) but no longer has a dep holding it in at the moment. A bunch more are in
bug 1711317, bug 1520679, bug 1711265.
That will hopefully help Seth and the half-million LOC at least a bit as maybe
at least a few can be skipped.

@Andreas - the txt files (see comment #7) with executable should be
fixable either in the upstream build system or as a safety cleanup in
d/rules - could you take a look at these as well?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1819761

Title:
  [MIR] containerd
