• Should singularity-container make it to next release?

    From Nilesh Patra@21:1/5 to All on Wed Oct 12 18:10:01 2022
    Hi,

    src:singularity-container was lying around in a bad shape for several years
    and had missed 2 Debian releases until Andreas and I picked it up again.
    It is currently in a reasonably good condition. I was excited to have it in the stable release again, but I have a couple of doubts over it.

    1. A little background:
    singularity-container syncs the code from the upstream codebase for sylabs[1] and there also exists a community-maintained fork called apptainer.
    Sylabs singularity CE seems to sync up a lot of code with apptainer in
    many releases. The apptainer community announcement page about the split also hints towards saying similar stuff, but this is all the more confusing as it is hard to draw a line b/w them.
    A while back, I found a reddit comment[4] from the current maintainer of sylabs singularity which has a statement:

    | At this point there it appears that Apptainer 1.0 will be very close
    | to SingularityCE 3.9 which we released recently, given
    | the picks from SingularityCE into the code base.

    So I am absolutely confused if it makes sense to package apptainer at all or should I just let it be?

    2. The _more_ important question:
    There are CVEs being discovered in singularity-container -- no biggie. However, some
    of the CVE fixes are simply _hidden_ from the user view.
    As a concrete example, there was
    a "CVE-2021-33622" opened[5] against singularity-CE, and the only information upstream provides is that it has been fixed in the 3.7.x of the community edition
    but there is no information about _what_ the fix was.
    I tried asking upstream about this but did not get a pin-pointed reply[6] and it
    appears that upstream is somewhat discreet about these.

    A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
    does not say _what_ patch fixes it exactly.
    And the problem is that apptainer has addressed the exact same bug in
    its latest release and they too are unclear about it[8].

    So my fear is that once singularity-container hits the stable release and
    a CVE is found, it'd be a hellhole for me/others to find what exactly
    fixed the CVE (unless it is clearly stated), and apply that. The only option left would be to upgrade the package to fix the CVE and I don't know if the release team would allow that.

    And I don't see this problem getting fixed with apptainer either, since there are bugs that both the codebases would keep on inheriting from one another.
    And thus I am not sure if this situation is OK for stable release or not.

    OTOH, singularity is an important package and many users would be happy to have it in stable -- I have even got a couple of bug reports/texts saying
    people are happy to see a new update of singularity.

    Any opinions?

    [1]: https://github.com/sylabs/singularity
    [2]: https://github.com/apptainer/apptainer
    [3]: https://apptainer.org/news/community-announcement-20211130/
    [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
    [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
    [6]: https://github.com/sylabs/singularity/issues/586
    [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
    [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2

    --
    Best,
    Nilesh


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From olivier sallou@21:1/5 to All on Wed Oct 12 18:30:01 2022
    On Wed, 12 Oct 2022 at 18:08, Nilesh Patra <[email protected]> wrote:

    > Hi,
    >
    > src:singularity-container was lying around in a bad shape for several years
    > and had missed 2 Debian releases until Andreas and I picked it up again.
    > It is currently in a reasonably good condition. I was excited to have it in
    > the stable release again, but I have a couple of doubts over it.
    >
    > 1. A little background:
    > singularity-container syncs the code from the upstream codebase for sylabs[1]
    > and there also exists a community-maintained fork called apptainer.
    > Sylabs singularity CE seems to sync up a lot of code with apptainer in
    > many releases. The apptainer community announcement page about the split also
    > hints towards saying similar stuff, but this is all the more confusing as it is
    > hard to draw a line b/w them.
    > A while back, I found a reddit comment[4] from the current maintainer of sylabs
    > singularity which has a statement:
    >
    > | At this point there it appears that Apptainer 1.0 will be very close
    > | to SingularityCE 3.9 which we released recently, given
    > | the picks from SingularityCE into the code base.
    >
    > So I am absolutely confused if it makes sense to package apptainer at all or
    > should I just let it be?

    For the moment, I would be happy to have singularity itself. Adding its
    fork is nice, but means extra work, so I think we should focus on the "main" tool
    for the moment and see after....

    > 2. The _more_ important question:
    > There are CVEs being discovered in singularity-container -- no biggie. However, some
    > of the CVE fixes are simply _hidden_ from the user view.
    > As a concrete example, there was
    > a "CVE-2021-33622" opened[5] against singularity-CE, and the only information
    > upstream provides is that it has been fixed in the 3.7.x of the community edition
    > but there is no information about _what_ the fix was.
    > I tried asking upstream about this but did not get a pin-pointed reply[6] and it
    > appears that upstream is somewhat discreet about these.
    >
    > A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
    > does not say _what_ patch fixes it exactly.
    > And the problem is that apptainer has addressed the exact same bug in
    > its latest release and they too are unclear about it[8].
    >
    > So my fear is that once singularity-container hits the stable release and
    > a CVE is found, it'd be a hellhole for me/others to find what exactly fixed
    > the CVE (unless it is clearly stated), and apply that. The only option left
    > would be to upgrade the package to fix the CVE and I don't know if the
    > release team would allow that.
    >
    > And I don't see this problem getting fixed with apptainer either, since there
    > are bugs that both the codebases would keep on inheriting from one another.
    > And thus I am not sure if this situation is OK for stable release or not.

    It won't be OK for stable release, which will expect only security fixes, no
    full upgrades....
    Much software does not provide such detailed information, and I agree that the
    task force required to follow CVE details in the source code can be quite
    complex to obtain (or even not feasible).
    You also need knowledge of the tool/language.

    Last resort is to keep CVEs open.... this is the case for different tools
    :-(

    > OTOH, singularity is an important package and many users would be happy to have
    > it in stable -- I have even got a couple of bug reports/texts saying
    > people are happy to see a new update of singularity.

    +1 for important package for several communities :-)

    Olivier

    > Any opinions?
    >
    > [1]: https://github.com/sylabs/singularity
    > [2]: https://github.com/apptainer/apptainer
    > [3]: https://apptainer.org/news/community-announcement-20211130/
    > [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
    > [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
    > [6]: https://github.com/sylabs/singularity/issues/586
    > [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
    > [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
    >
    > --
    > Best,
    > Nilesh



  • From Shengjing Zhu@21:1/5 to [email protected] on Wed Oct 12 18:30:01 2022
    On Thu, Oct 13, 2022 at 12:20 AM olivier sallou <[email protected]> wrote:
    > Last resort is to keep CVEs open.... this is the case for different tools :-(


    This shouldn't apply to singularity which is a sandbox/container tool...

    --
    Shengjing Zhu

  • From Andreas Tille@21:1/5 to All on Wed Oct 12 20:50:01 2022
    Hi,

    On Wed, Oct 12, 2022 at 06:20:11PM +0200, olivier sallou wrote:
    > > | At this point there it appears that Apptainer 1.0 will be very close
    > > | to SingularityCE 3.9 which we released recently, given
    > > | the picks from SingularityCE into the code base.
    > >
    > > So I am absolutely confused if it makes sense to package apptainer at all or
    > > should I just let it be?
    >
    > for the moment, I would be happy to have singularity itself. Adding its
    > fork is nice, but means extra work, so I think we should focus on the "main" tool for the moment and see after....

    My colleagues also stick to singularity. I once committed to apptainer
    since I've got the hint that this might be more promising than fixing
    singularity. Since you finally managed to fix singularity (thanks
    again) the interest in apptainer is not as urgent any more.

    > > OTOH, singularity is an important package and many users would be happy to have
    > > it in stable -- I have even got a couple of bug reports/texts saying
    > > people are happy to see a new update of singularity.
    >
    > +1 for important package for several communities :-)

    +1

    Thanks again

    Andreas.

    --
    http://fam-tille.de

  • From Praveen Arimbrathodiyil@21:1/5 to Nilesh Patra on Wed Oct 12 22:40:02 2022
    To: [email protected]
    Copy: [email protected]
    Copy: [email protected] (Andreas Tille)

    On 12/10/22 9:38 pm, Nilesh Patra wrote:
    > So my fear is that once singularity-container hits the stable release and
    > a CVE is found, it'd be a hellhole for me/others to find what exactly
    > fixed the CVE (unless it is clearly stated), and apply that. The only
    > option left would be to upgrade the package to fix the CVE and I don't know if
    > the release team would allow that.

    If you can't have it in stable, consider fasttrack.debian.net as another
    option through which you can ship new upstream versions directly. We
    have been shipping gitlab and virtual box via this repo for two releases
    already. At present this is unofficial, but if there is enough interest
    we can propose making it official at some point (like backports which
    started out as unofficial but later became official).

  • From Nilesh Patra@21:1/5 to Nilesh Patra on Mon Jan 9 11:30:02 2023
    Hi,

    On Wed, Oct 12, 2022 at 09:38:27PM +0530, Nilesh Patra wrote:
    > src:singularity-container was lying around in a bad shape for several years
    > and had missed 2 Debian releases until Andreas and I picked it up again.
    > It is currently in a reasonably good condition. I was excited to have it in
    > the stable release again, but I have a couple of doubts over it.
    >
    > 1. A little background:
    > singularity-container syncs the code from the upstream codebase for sylabs[1]
    > and there also exists a community-maintained fork called apptainer.
    > Sylabs singularity CE seems to sync up a lot of code with apptainer in
    > many releases. The apptainer community announcement page about the split also
    > hints towards saying similar stuff, but this is all the more confusing as it is
    > hard to draw a line b/w them.
    > A while back, I found a reddit comment[4] from the current maintainer of sylabs
    > singularity which has a statement:
    >
    > | At this point there it appears that Apptainer 1.0 will be very close
    > | to SingularityCE 3.9 which we released recently, given
    > | the picks from SingularityCE into the code base.
    >
    > So I am absolutely confused if it makes sense to package apptainer at all or
    > should I just let it be?
    >
    > 2. The _more_ important question:
    > There are CVEs being discovered in singularity-container -- no biggie. However, some
    > of the CVE fixes are simply _hidden_ from the user view.
    > As a concrete example, there was
    > a "CVE-2021-33622" opened[5] against singularity-CE, and the only information
    > upstream provides is that it has been fixed in the 3.7.x of the community edition
    > but there is no information about _what_ the fix was.
    > I tried asking upstream about this but did not get a pin-pointed reply[6] and it
    > appears that upstream is somewhat discreet about these.
    >
    > A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
    > does not say _what_ patch fixes it exactly.
    > And the problem is that apptainer has addressed the exact same bug in
    > its latest release and they too are unclear about it[8].
    >
    > So my fear is that once singularity-container hits the stable release and
    > a CVE is found, it'd be a hellhole for me/others to find what exactly fixed
    > the CVE (unless it is clearly stated), and apply that. The only option left
    > would be to upgrade the package to fix the CVE and I don't know if the
    > release team would allow that.
    >
    > And I don't see this problem getting fixed with apptainer either, since there
    > are bugs that both the codebases would keep on inheriting from one another.
    > And thus I am not sure if this situation is OK for stable release or not.
    >
    > OTOH, singularity is an important package and many users would be happy to have
    > it in stable -- I have even got a couple of bug reports/texts saying
    > people are happy to see a new update of singularity.

    I started this thread a while back, and decided to simply ask upstream what their
    opinion is[9].
    It looks like the situation is still not fully certain on whether to let singularity make it to stable
    or not.

    I'd appreciate it if someone on the list could chime in and give an opinion on whether they
    consider it doable or not for the upcoming bookworm release.

    I've kept upstream in CC to avoid ping-pong, and thanks David for a nice elaborate reply.

    [1]: https://github.com/sylabs/singularity
    [2]: https://github.com/apptainer/apptainer
    [3]: https://apptainer.org/news/community-announcement-20211130/
    [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
    [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
    [6]: https://github.com/sylabs/singularity/issues/586
    [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
    [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
    [9]: https://github.com/sylabs/singularity/issues/1235#issuecomment-1375334909

    --
    Best,
    Nilesh


  • From Shengjing Zhu@21:1/5 to [email protected] on Mon Jan 9 12:50:01 2023
    Hi Nilesh,

    On Mon, Jan 9, 2023 at 6:21 PM Nilesh Patra <[email protected]> wrote:
    > I started this thread a while back, and decided to simply ask upstream what their
    > opinion is[9].
    > It looks like the situation is still not fully certain on whether to let singularity make it to stable
    > or not.
    >
    > I'd appreciate it if someone on the list could chime in and give an opinion on whether they
    > consider it doable or not for the upcoming bookworm release.


    Could you list the concerns that you have?

    + Security support?
    I see upstream comments that they will disclose the relevant
    fix/commit for CVE, then it should be enough. I think most packages in
    Debian rely on the Debian maintainer to backport the fix.
    + Lacking tests? (as per upstream concerns in the Github issue)
    Do you plan to enable all the tests? I see you have disabled many tests[1]
    Or even better, could you run the integration/e2e tests with
    autopkgtest? For example, you can take a look at the containerd
    package that I've maintained[2].

    [1] https://salsa.debian.org/hpc-team/singularity-container/-/blob/debian/3.10.3+ds1-1/debian/rules#L68
    [2] https://salsa.debian.org/go-team/packages/containerd/-/blob/debian/sid/debian/tests/cri-integration
    https://salsa.debian.org/go-team/packages/containerd/-/blob/debian/sid/debian/tests/integration

    --
    Shengjing Zhu

  • From David Trudgian@21:1/5 to All on Mon Jan 9 13:30:04 2023
    Hi all,

    > + Security support?
    > I see upstream comments that they will disclose the relevant
    > fix/commit for CVE, then it should be enough. I think most packages in

    Just noting here that I've added a bit more on the GitHub thread re.
    exactly what form fixes are available in with respect to the lifecycle
    of SingularityCE versions.

    TLDR...

    * We only do patch releases for a minor x.y version of the open-source SingularityCE for ~6 months.

    * For versions of SingularityCE that we turn into a commercial
    SingularityPRO release.... our security policy means we will provide
    diffs only for security fixes that we apply to open source code in SingularityPRO, *and that apply* to the SingularityCE version from
    which SingularityPRO was branched. It is not guaranteed that every
    security issue in SingularityCE 3.9 is covered by diffs we release
    based on the (closed) long term support work for SingularityPRO 3.9.
    Security issues arising from older dependencies in SingularityCE would
    need to be tracked separately, for example.

    * Everything else will need backporting by the distro. We follow
    dependency updates (including major version updates) quickly, and we
    only target the latest 2 versions (upstream supported) of Go. This may
    impact the ease of backporting significantly over the course of a
    Debian stable release.

    Cheers,

    --
    David Trudgian
    Sylabs Inc.

  • From Andreas Tille@21:1/5 to All on Mon Jan 9 14:30:01 2023
    XPost: linux.debian.security

    Hi,

    it would be great if someone from Security Team might raise some
    opinion to this question.

    Kind regards
    Andreas.

    Am Mon, Jan 09, 2023 at 03:51:10PM +0530 schrieb Nilesh Patra:
    Hi,

    On Wed, Oct 12, 2022 at 09:38:27PM +0530, Nilesh Patra wrote:
    src:singularity-container was lying around in a bad shape for several years and had missed 2 debian releases until me and Andreas picked it up again. It is currently in a reasonably good condition. I was excited to have it in stable release again, but I have a couple of doubts over it.

    1. A little background:
    singularity-container sync the code from the upstream codebase for sylabs[1]
    and there also exists a community-maintained fork called apptainer.
    Sylabs singularity CE seems to sync up a lot of code with apptainer in
    many releases. The apptainer community announcement page about the split also
    hints towards saying similar stuff, but this is all the more confusing as it is
    hard to draw a line b/w them.
    A while back, I found a reddit comment[4] from the current maintainer of sylabs
    singularity which has a statement:

    | At this point there it appears that Apptainer 1.0 will be very close
    | to SingularityCE 3.9 which we released recently, given
    | the picks from SingularityCE into the code base.

    So I am absolutely confused if it makes sense to package apptainer at all or
    should I just let it be?

    2. The _more_ important question:
    There are CVEs being discovered in singularity-container -- no biggie. However, some
    of the CVE fixes are simply _hidden_ from the user view.
    As a concrete example, there was
    a "CVE-2021-33622" opened[5] against singularity-CE, and the only information
    upstream provides is that it has been fixed in the 3.7.x of the community edition
    but there is no information about _what_ the fix was.
    I tried asking upstream about this but did not get a pin-pointed reply[6] and it
    appears that upstream is somewhat discreet about these.

    A similar bug has been fixed in the latest release, CVE-2022-39237 here[7] but it
    does not say _what_ patch fixes it exactly.
    And the problem is that apptainer has addressed the exact same bug in
    its latest release and they too are unclear about it[8].

    So my fear is that once singularity-container hits the stable release and a CVE
    is found, it'd be a hellhole for me/others to find what exactly fixed the CVE
    (unless it is clearly stated) and apply that. The only option left would be to
    upgrade the package to fix the CVE, and I don't know if the release team would
    allow that.

    And I don't see this problem getting fixed with apptainer either, since there
    are bugs that both codebases would keep on inheriting from one another. And
    thus I am not sure if this situation is OK for the stable release or not.

    OTOH, singularity is an important package and many users would be happy to have
    it in stable -- I have even got a couple of bug reports/texts saying
    people are happy to see a new update of singularity.

    I started this thread a while back, and decided to simply ask upstream what
    their opinion is[9].
    It looks like the situation is still not fully certain on whether to let
    singularity make it to stable or not.

    I'd appreciate it if someone on the list could chime in and give an opinion on
    whether they consider it doable or not for the upcoming bookworm release.

    I've kept upstream in CC to avoid ping-pong, and thanks David for a nice elaborate reply.

    [1]: https://github.com/sylabs/singularity
    [2]: https://github.com/apptainer/apptainer
    [3]: https://apptainer.org/news/community-announcement-20211130/
    [4]: https://www.reddit.com/r/HPC/comments/r61bto/comment/hmspn72/?utm_source=share&utm_medium=web2x&context=3
    [5]: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
    [6]: https://github.com/sylabs/singularity/issues/586
    [7]: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
    [8]: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
    [9]: https://github.com/sylabs/singularity/issues/1235#issuecomment-1375334909

    --
    Best,
    Nilesh



    --
    http://fam-tille.de

  • From Salvatore Bonaccorso@21:1/5 to Andreas Tille on Sat Jan 21 20:40:02 2023
    XPost: linux.debian.security

    Hi Andreas,

    [Note if you want direct input from the Debian security team it's
    usually better to loop in the team email address directly rather the
    general discussion list debian-security, adding [email protected] to
    recipients]

    On Mon, Jan 09, 2023 at 02:28:22PM +0100, Andreas Tille wrote:
    Hi,

    it would be great if someone from Security Team might raise some
    opinion to this question.

    Kind regards
    Andreas.

    So in my understanding of the above, the situation around singularity-container, which led for buster to https://bugs.debian.org/917867 and keeping it out of the stable release, did not really change in the aspect of being able to patch vulnerabilities in the stable branch once upstream versions moved on; is this the correct interpretation? In context from #917867, it was even in stretch at first, but needed to be removed after stretch was released, in a point release.

    If this is correct, then we probably should not include singularity-container in bookworm; that is better than possibly needing to remove it after the bookworm release in a point release.

    Regards,
    Salvatore

  • From Moritz Muehlenhoff@21:1/5 to Salvatore Bonaccorso on Wed Jan 25 20:30:01 2023
    XPost: linux.debian.security

    On Sat, Jan 21, 2023 at 08:34:40PM +0100, Salvatore Bonaccorso wrote:
    So in my understanding of the above, the situation around singularity-container,
    which led for buster to https://bugs.debian.org/917867 and keeping it out of the stable release, did not really change in the aspect of being able to patch
    vulnerabilities in the stable branch once upstream versions moved on; is this the correct interpretation? In context from #917867, it was even in stretch at first, but needed to be removed after stretch was released, in a point release.

    If this is correct, then we probably should not include singularity-container in bookworm; that is better than possibly needing to remove it after the bookworm release in a
    point release.

    Agreed.

    Cheers,
    Moritz

  • From Nilesh Patra@21:1/5 to Paul Gevers on Thu Jan 26 10:10:01 2023
    XPost: linux.debian.security

    On Thu, Jan 26, 2023 at 09:51:21AM +0100, Paul Gevers wrote:
    On 25-01-2023 20:14, Moritz Muehlenhoff wrote:
    On Sat, Jan 21, 2023 at 08:34:40PM +0100, Salvatore Bonaccorso wrote:
    So in my understanding of the above, the situation around singularity-container,
    which led for buster to https://bugs.debian.org/917867 and keeping it out of
    the stable release, did not really change in the aspect of being able to patch
    vulnerabilities in the stable branch once upstream versions moved on; is this
    the correct interpretation? In context from #917867, it was even in stretch at
    first, but needed to be removed after stretch was released, in a point release.

    I guess something that changed since then is that upstream is aware
    of it and can help a bit with backporting. However, the onus to
    maintain it in stable is still on the maintainer and security@ (to some
    extent).
    It is a bit of a high-effort maintenance (in stable) as far as I can see.

    I have forwarded this message as bug #1029669. Unless we get more confidence that it's supportable, let's keep it out of stable. I guess fasttrack [1] is currently the best forum to supply singularity-container to our users.

    Since I had done quite a bit of work on this, I'm sad to see this
    happen, as fasttrack still has much less visibility / availability than
    an official stable release, or even backports.

    [1] https://fasttrack.debian.net/

    --
    Best,
    Nilesh

  • From Paul Gevers@21:1/5 to Moritz Muehlenhoff on Thu Jan 26 10:00:01 2023
    XPost: linux.debian.security
  • From Sam Hartman@21:1/5 to All on Thu Jan 26 16:30:01 2023
    XPost: linux.debian.security

    "Nilesh" == Nilesh Patra <[email protected]> writes:

    Nilesh> Since I had done quite a bit of work on this, I'm sad to
    Nilesh> see this happen, as fasttrack still has much less visibility
    Nilesh> / availability than an official stable release, or even
    Nilesh> backports.

    Well, if you and a group of people believe you can maintain it in stable
    given the additional discussions with upstream, then explicitly say
    you're ready to sign up to maintaining it in stable.
    I think that's the kind of sign-up-to-do-the-work that the security and
    release team are waiting for.

  • From Andreas Tille@21:1/5 to All on Thu Jan 26 18:00:01 2023
    XPost: linux.debian.security

    Am Thu, Jan 26, 2023 at 08:22:15AM -0700 schrieb Sam Hartman:

    Well, if you and a group of people believe you can maintain it in stable given the additional discussions with upstream, then explicitly say
    you're ready to sign up to maintaining it in stable.
    I think that's the kind of sign-up-to-do-the-work that the security and release team are waiting for.

    I'd be happy if singularity were in stable. I'm not sure how far
    I can help out since I'm lacking competence in Go, but if needed I might contribute with my limited skills.

    Kind regards
    Andreas.

    --
    http://fam-tille.de

  • From Nilesh Patra@21:1/5 to Andreas Tille on Thu Jan 26 20:50:01 2023
    XPost: linux.debian.security

    On 26 January 2023 10:26:05 pm IST, Andreas Tille <[email protected]> wrote:
    Am Thu, Jan 26, 2023 at 08:22:15AM -0700 schrieb Sam Hartman:

    Well, if you and a group of people believe you can maintain it in stable
    given the additional discussions with upstream, then explicitly say
    you're ready to sign up to maintaining it in stable.
    I think that's the kind of sign-up-to-do-the-work that the security and
    release team are waiting for.

    I'd be happy if singularity were in stable. I'm not sure how far
    I can help out since I'm lacking competence in Go, but if needed I might contribute with my limited skills.

    I'd be happy to have it in stable as well, but by no means am I a professional Go programmer, and to be really honest I've fixed CVEs in only one or two instances.
    Thus, I find it impractical to commit myself (alone) to maintaining it in stable.

    But if someone is willing to help out on these fronts, I'd be glad to know.

    --
    Best,
    Nilesh
