PR#1: Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277. - rpms/containerd

rpms / containerd

#1 Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.

Merged a year ago by gotmax23. Opened a year ago by gotmax23.

rpms/ gotmax23/containerd rawhide into rawhide

Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.

Maxwell G • a year ago

4d7fc0d

containerd.spec

file modified

+8 -3

		`@@ -7,7 +7,7 @@`

		`# https://github.com/containerd/containerd`
		`%global goipath github.com/containerd/containerd`
		`- Version: 1.5.8`
		`+ Version: 1.5.9`

		`%gometa`

		`@@ -26,7 +26,7 @@`
		`BUILDING.md README.md RELEASES.md`

		`Name: %{goname}`
		`- Release: 2%{?dist}`
		`+ Release: 1%{?dist}`
		`Summary: Open and reliable container runtime`

		`# Upstream license specification: Apache-2.0`
		`@@ -168,7 +168,7 @@`
		`%gopkg`

		`%prep`
		`- %goprep`
		`+ %goprep -k`
		`%autopatch -p1`
		`# Used only for generation:`
		`rm -rf cmd/protoc-gen-gogoctrd`
		`@@ -234,6 +234,11 @@`
		`%gopkgfiles`

		`%changelog`
		`+ * Mon Jan 31 2022 Maxwell G <gotmax@e.email> - 1.5.9-1`
		`+ - Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.`
		`+ - Mitigates CVE-2021-43816. Closes rhbz#2044434. Closes rhbz#2044436.`
		`+ - Temporarily build using vendored dependencies.`
		`+`
		`* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.8-2`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (containerd-1.5.8.tar.gz) = c769506ff6d98689c46ffee94d70ae00ef2f32e0daac1e631cbe8a587f67c7e4f83eb3895707362bdf46198b61823c99df1d8ca61095ab1415de5596f106fd07`
		`+ SHA512 (containerd-1.5.9.tar.gz) = 13d5b8bcfd811b1abf67008d1c664962f315cd45d885adaa88847bcc4f1c5d743dccd62bc34fe77348ca18a4f8841ce7a8a022cccb275b19b59017b3fbf1054b`

gotmax23 commented a year ago

Does this look okay to you, @eclipseo? I started updating the dependencies in preparation for Containerd 1.6.0, but apparently, the CVE was fixed in this release. As you know, the package was already FTBFS before then. Passing -k to %goprep keeps the bundled deps and go build uses them for building instead of the ones in $GOPATH, but it does not effect the contents or the generated requires of the final containerd-devel package.

Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.
Mitigates CVE-2021-43816. Closes rhbz#2044434. Closes rhbz#2044436.
Temporarily build using vendored dependencies.

eclipseo commented a year ago

Is this compatible with the update of golang-github-containerd-cgroups? During my tests, I thought 1.6.0+ because of that change.
Also why do you bundle?
Check out https://copr.fedorainfracloud.org/coprs/eclipseo/goldflags/builds/
There is a dep problem I haven't been able to solve yet

gotmax23 commented a year ago

The golang-github-containerd-cgroups update was in preparation for containerd 1.6.0. I didn't realize that there was a release before then until afterwards due to release-monitoring.org not creating a bug for it.

I temporarily enabled the bundled dependencies so we can get this release out to fix the containerd CVE without waiting on fixing all the dependencies. The CVE was announced a week ago, so we should try to get a fix out ASAP. It looks like the primary maintainer, @olem, is MIA2, so he has not yet taken care of it.

I will take a look at the dependency issue you mentioned.

Pull-Request has been merged by gotmax23

a year ago

gotmax23 commented a year ago

I'm going to merge this now. Afterwards, we should finish updating the dependencies for containerd 1.6.0 so we can revert the bundling then.