Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refresh ci-debian-buster container image used for build #74

Closed
planetf1 opened this issue Apr 23, 2024 · 11 comments · Fixed by #85
Closed

Refresh ci-debian-buster container image used for build #74

planetf1 opened this issue Apr 23, 2024 · 11 comments · Fixed by #85
Assignees

Comments

@planetf1
Copy link

Followon from open-quantum-safe/liboqs#1702

The openquantumsafe/ci-debian-custer-amd64:latest image is used as part of our ci process

When working on the above PR I noticed we weren't pinning the version spec of this image (though the tooling did not detect this).

I inspected the image with a scan on quay.io

This is used for testing/verification, rather than supplying images for consumers, but it looks as if it could do with being updated - any images/sw used for tests could be compromised to hide an injected vulnerability.

The current image has quite old java (1.11.0), and also older versions of qemu and other tools. See list

@planetf1
Copy link
Author

@baentsch thanks for the pointer to the ci repo in the PR.

I think the observation here is that we could/should update the CI image, so could we transfer this issue over to https://github.com/open-quantum-safe/ci-containers

In terms of open-quantum-safe/tsc#5 I think ensuring efficiency is important, but we should review the base & additional dependencies 'periodically' (tools like dependabot can help, and be scheduled to run, for example, monthly - and sites like quay.io can help with (free) image scans)

@baentsch
Copy link
Member

so could we transfer this issue over

That was the first thing I tried, but I guess some LF-permissioning manipulations made this impossible for me.

we should review the base & additional dependencies 'periodically'

Makes sense. Feel free to go ahead implementing a PR in the sub-project to do this automatically.

@planetf1
Copy link
Author

Makes sense. Feel free to go ahead implementing a PR in the sub-project to do this automatically.

Can you assign to me and see what I can do.

@dstebila
Copy link
Member

Looks like I have permission to transfer the issue to ci-containers, which I can do if you want. Or we can leave it here to ensure Michael's permissions get resolved.

@baentsch
Copy link
Member

Please go ahead, Douglas. I don't need more permissions -- very much to the contrary.

@baentsch
Copy link
Member

Can you assign to me and see what I can do.

Are you saying you don't even have permission to assign this to yourself? Sounds not quite right either.

@dstebila dstebila transferred this issue from open-quantum-safe/liboqs Apr 23, 2024
@dstebila
Copy link
Member

Okay, I've moved this to the ci-containers repository and assigned to @planetf1

@ryjones
Copy link

ryjones commented Apr 24, 2024

Please go ahead, Douglas. I don't need more permissions -- very much to the contrary.

This is confusing. You have write access to both repos, so you should have permission to transfer the issue.
Screenshot 2024-04-24 at 04 52 30

As far as assigning issues, @planetf1 isn't a member of the org with any permissions, and may need added.

@baentsch
Copy link
Member

This is confusing. You have write access to both repos

Thanks for taking a look. I tried again and realized a UI "feature" I wasn't aware of: As there are too many repos I can transfer to, only some are displayed in the "transfer pop-up". If I manually type in a non-displayed target repo to the search box, it becomes visible and the transfer would/should succeed. Sorry for making you look into this.

@baentsch
Copy link
Member

baentsch commented May 7, 2024

This is to question whether it's really sensible to put work into Buster: It's running out of support this June. Suggest to rather put effort into moving to Bookworm (if at all -- Debian is none of the OQS supported platforms)...

@planetf1
Copy link
Author

@baentsch agree with bookworm, but thanks for the pointer. It doesn't even appear in Tier 3 of your list. We do refer to debian in various places in our build etc so it may be preferable to retain

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants