On 6/4/21 10:17 AM, Stefan Puiu wrote:
Hi Jonathan,
On Fri, Jun 4, 2021 at 4:07 PM Jonathan Billings billings@negate.org wrote:
On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
They don't understand that docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
You could point out that CentOS is a rebuild of RHEL, so any RHBAs posted for a particular version of RHEL 7 apply to the same version in CentOS 7.
I pointed out both things (the newer version and CentOS being a RHEL rebuild) to them; so far it seems they weren't convinced.
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and related files are posted. For example, the one in Extras is:
https://git.centos.org/rpms/docker/tree/c7-extras and you can see the commit to import the 104 release here:
https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079e...
You can look at the commit history for the package: https://git.centos.org/rpms/docker/commits/c7-extras
Interestingly, the r104 looks like it failed automatic debranding, and it didn't get properly debranded until Johnny Hughes manually did it in r108. But I doubt that makes any difference in your issue, although it might have changed any announcements at the time.
I had found the c7-extras branch, I should've probably mentioned that in the first place. It's there that I found the github link; see for example the SPECS/docker.spec change, there is this line:
# docker
%global git_docker https://github.com/projectatomic/docker
- %global commit_docker 7f2769b9e0572f62730d91e79e674efd59b7e234
- %global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8
So I just went to the github link and searched for the new commit. Probably from there (or from the list of branches) I found the RHEL / CentOS branch.
However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
I don't see any posts to any lists during the timeframe that it was imported and published by CentOS. I'd honestly like to know if there's any particular rules for how centos-announce posts get generated too. I imagine that now that the Stream releases precede the RHEL package releases, there might be a different set of rules?
I tried to find something in the wiki but apparently I searched too many times and it told me to not search so frequently. Google didn't show anything though.
I've downloaded the archives of centos-announce since January 2019 and grepped for 'docker'. I only see multiple announcements for pcp, which includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing about docker itself.
$ zgrep -i docker 20*
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed  pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed  pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
[...]
2020-May.txt.gz:b6614b82c38dbe8d4de61b81d5d779de7fd13d58c341805dfdb1faa7be86538b  pcp-pmda-docker-4.3.2-7.el7_8.x86_64.rpm
2021-March.txt.gz:- We are still in discussions on how to push these properly to Dockerhub.
I also think clarifying the process would help.
I build things as they get pushed to git.centos.org .. obviously some things are more important than others, and extras is less than base .. also we are going through a CentOS Linux 8 release cycle.
We do not announce Extras updates .. only actual OS updates .. on CentOS announce .. and then only for CentOS 7 Linux. So, if something resides in the os/ or updates/ repositories, and if they get announced here:
https://access.redhat.com/errata/#/
Then I announce it. Any other repos, no announcements.
I don't have anything to do with Dockerhub .. someone else will have to answer that.
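The comparison at the heart of this thread (is docker-1.13.1-204.git0be3e21 at or past docker-1.13.1-104.git4ef4b30?) is an RPM label comparison, not a string comparison, and a scanner keyed only on the upstream version (1.13.1 in both) cannot see a backported fix at all, because a backport bumps the release field and leaves the version alone. The following is an added example, not code from the thread or from CentOS or Red Hat: it re-implements rpm's rpmvercmp()/labelCompare() rules in pure Python so it runs without the rpm bindings, parses the two package strings quoted above, and reports whether the shipped build is at or past the fixed build. The function names and the "99" build used to show the failure mode of plain string comparison are this example's own.

```python
"""Compare RPM package versions the way rpm does, not as plain strings.

Added example, not code from the thread or from CentOS. It re-implements
rpm's rpmvercmp() and labelCompare() in pure Python so it runs without
the rpm bindings. The two docker strings are the ones quoted in the
thread; the helper names and the "99" build are this example's own.
"""
import re

_ALNUM = re.compile(r"[0-9A-Za-z]")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
_NEVRA = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<ver>[^-]+)-(?P<rel>[^-]+?)"
    r"(?:\.(?P<arch>x86_64|i686|aarch64|ppc64le|s390x|noarch|src))?$"
)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b using rpm's segment rules."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are ignored; '~' and '^' are significant and kept.
        while i < len(a) and not _ALNUM.match(a[i]) and a[i] not in "~^":
            i += 1
        while j < len(b) and not _ALNUM.match(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # Tilde sorts before everything, including end of string: 1.0~rc1 < 1.0
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret sorts after end of string but before any other segment:
        # 1.0 < 1.0^git < 1.0.1
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # Take a run of digits or a run of letters, typed by the left side.
        pat, isnum = (_DIGITS, True) if ca.isdigit() else (_ALPHA, False)
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:
            # Segment types differ: numeric beats alphabetic (2.0 > 2a).
            return 1 if isnum else -1
        seg_a, seg_b = ma.group(0), mb.group(0)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # the longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has segments left wins


def label_compare(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) tuples; a missing epoch counts as 0."""
    ea, eb = int(evr_a[0] or 0), int(evr_b[0] or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(evr_a[1], evr_b[1]) or rpmvercmp(evr_a[2], evr_b[2])


def split_nevr(nevr: str):
    """'name-[epoch:]version-release[.arch]' -> (name, epoch, version, release)."""
    m = _NEVRA.match(nevr)
    if not m:
        raise ValueError(f"not a package string: {nevr!r}")
    return m["name"], m["epoch"], m["ver"], m["rel"]


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True if `installed` is the same package at or above `fixed_in`."""
    ni, ei, vi, ri = split_nevr(installed)
    nf, ef, vf, rf = split_nevr(fixed_in)
    if ni != nf:
        raise ValueError(f"different packages: {ni} vs {nf}")
    return label_compare((ei, vi, ri), (ef, vf, rf)) >= 0


def naive_is_fixed(installed: str, fixed_in: str) -> bool:
    """The mistake to avoid: lexicographic comparison of package strings."""
    return installed >= fixed_in


FIXED = "docker-1.13.1-104.git4ef4b30"    # from RHBA-2019:3092, as quoted in the thread
SHIPPED = "docker-1.13.1-204.git0be3e21"  # what CentOS 7 Extras ships, per the thread
OLDER = "docker-1.13.1-99.gitdeadbee"     # constructed build, older than the fix

if __name__ == "__main__":
    for pkg in (SHIPPED, OLDER):
        print(f"{pkg}: rpm says fixed={is_fixed(pkg, FIXED)}, "
              f"string compare says fixed={naive_is_fixed(pkg, FIXED)}")
```

On a host that has the rpm Python bindings, `rpm.labelCompare(('0', '1.13.1', '204.git0be3e21'), ('0', '1.13.1', '104.git4ef4b30'))` gives the same answer (1), and `rpmdev-vercmp` from rpmdevtools does the same from the shell; the pure-Python version above is for comparing against an advisory from a machine that is not an RPM system. Note that it compares a CentOS build against a RHEL advisory only because the two share the same NVR, which is exactly the rebuild argument made earlier in the thread.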