#1 Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.
Merged a year ago by gotmax23. Opened a year ago by gotmax23.
rpms/ gotmax23/containerd rawhide  into  rawhide

file modified
+8 -3
@@ -7,7 +7,7 @@ 

  

  # https://github.com/containerd/containerd

  %global goipath         github.com/containerd/containerd

- Version:                1.5.8

+ Version:                1.5.9

  

  %gometa

  
@@ -26,7 +26,7 @@ 

                          BUILDING.md README.md RELEASES.md

  

  Name:           %{goname}

- Release:        2%{?dist}

+ Release:        1%{?dist}

  Summary:        Open and reliable container runtime

  

  # Upstream license specification: Apache-2.0
@@ -168,7 +168,7 @@ 

  %gopkg

  

  %prep

- %goprep

+ %goprep -k

  %autopatch -p1

  # Used only for generation:

  rm -rf cmd/protoc-gen-gogoctrd
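Review bot: `%goprep -k` in %prep has no comment in the spec saying that it keeps the vendored tree or when it should be reverted, and none of the eight added lines in this file declares the bundled libraries. Suggest a comment directly above the macro stating that -k is a temporary measure for this release, plus `Provides: bundled(golang(...))` entries for the vendored modules, as the Fedora guidelines require for bundled code, so that a CVE in a vendored dependency can be traced back to this package.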
@@ -234,6 +234,11 @@ 

  %gopkgfiles

  

  %changelog

+ * Mon Jan 31 2022 Maxwell G <gotmax@e.email> - 1.5.9-1

+ - Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.

+ - Mitigates CVE-2021-43816. Closes rhbz#2044434. Closes rhbz#2044436.

+ - Temporarily build using vendored dependencies.

+ 

  * Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.8-2

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

  

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (containerd-1.5.8.tar.gz) = c769506ff6d98689c46ffee94d70ae00ef2f32e0daac1e631cbe8a587f67c7e4f83eb3895707362bdf46198b61823c99df1d8ca61095ab1415de5596f106fd07

+ SHA512 (containerd-1.5.9.tar.gz) = 13d5b8bcfd811b1abf67008d1c664962f315cd45d885adaa88847bcc4f1c5d743dccd62bc34fe77348ca18a4f8841ce7a8a022cccb275b19b59017b3fbf1054b
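Review bot: the new SHA512 line for containerd-1.5.9.tar.gz is the only integrity anchor for the source this build uses, and with the vendored build it now also covers the dependencies inside the tarball, yet nothing in the change records how the value was checked. Suggest confirming before merge that it matches a fresh download of the upstream 1.5.9 archive (for example, sha512sum on the file fetched with spectool -g) rather than only the copy already uploaded to the lookaside cache.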

Does this look okay to you, @eclipseo? I started updating the dependencies in preparation for Containerd 1.6.0, but apparently, the CVE was fixed in this release. As you know, the package was already FTBFS before then. Passing -k to %goprep keeps the bundled deps and go build uses them for building instead of the ones in $GOPATH, but it does not affect the contents or the generated requires of the final containerd-devel package.


  • Update to 1.5.9. Fixes FTBFS. Closes rhbz#2045277.
  • Mitigates CVE-2021-43816. Closes rhbz#2044434. Closes rhbz#2044436.
  • Temporarily build using vendored dependencies.

Is this compatible with the update of golang-github-containerd-cgroups? During my tests, I thought 1.6.0+ because of that change.
Also, why do you bundle?
Check out https://copr.fedorainfracloud.org/coprs/eclipseo/goldflags/builds/
There is a dep problem I haven't been able to solve yet.

The golang-github-containerd-cgroups update was in preparation for containerd 1.6.0. I didn't realize that there was a release before then until afterwards due to release-monitoring.org not creating a bug for it.

I temporarily enabled the bundled dependencies so we can get this release out to fix the containerd CVE without waiting on fixing all the dependencies. The CVE was announced a week ago, so we should try to get a fix out ASAP. It looks like the primary maintainer, @olem, is MIA, so he has not yet taken care of it.

I will take a look at the dependency issue you mentioned.

Pull-Request has been merged by gotmax23

a year ago

I'm going to merge this now. Afterwards, we should finish updating the dependencies for containerd 1.6.0 so we can revert the bundling then.
