[GOMODJAIL]: suggesting to replace indirect module syndtr/gocapability #4183
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: apostasie <[email protected]>
|
This was uncovered while working on #4180 |
|
Failures are docker hub 429, gomodjail concurrency issue, and one of the EL8 flakes. |
👍 Also CDI shouldn't depend on runtime-tools as runtime-tools is also relatively inactive |
|
@AkihiroSuda you did mean to close this, right? (just checking if you are saying "this problem must go upstream", or if you closed accidentally - either way is fine with me). |
|
Let me close this. I don't think we should fork the repo just for eliminating the single Thanks anyway for heading this up. |
|
Sure. No problem. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See README for detailed rationale.
TL;DR:
This indirect dependency has an unavoidable
init()routine that will systematicallyopenatandfcntl(reading/proc/sys/kernel/cap_last_cap), even / while it is not necessary.gomodjailwill (righfully) block this, resulting in a series of loud warnings - or we would have tounconfinethis dependency.Precisely because this project has been abandoned for multiple years and the maintainer seem to have vanished, marking it unconfined feels exactly like the kind of things we should not do - as a likely candidate for a supply chain compromise.
This PR suggests we replace it.
The only part we do need is mundane (the mere list of linux capabilities), which is what we implement here from https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
Note that the state of this dependency has already raised concerns enough that most recent contributors have closed their PRs over there, and at least RH Kolyshkin did fork it: https://github.com/kolyshkin/capability
An alternative future / better solution would be for opencontainers/runtime-tools to address this on their side, since the dependency is getting pulled by them: