Hi Jonathan, On Fri, Jun 4, 2021 at 4:07 PM Jonathan Billings <billings at negate.org> wrote: > > On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote: > > For a while now, the tool has been complaining that the version of > > docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, > > we have a version that includes the fix, based on the Red Hat > > advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need > > docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21. > > They don't understand that > docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ? > > You could point out that CentOS is a rebuild of RHEL so any RHBAs > posted for a particular version of RHEL7 applies to the same version > in CentOS 7. I pointed both things (the newer version and CentOS being a RHEL rebuild) to them, so far it seems they weren't convinced. > > > I'm trying to work with the tool vendor to sort this out. As a > > developer, I think checking the code is the best way; I've found the > > Docker RH fork on github, which has a RHEL branch that seems to be > > used in both CentOS and RHEL > > (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel). > > https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches > and related files are posted. For example, the one in Extras is: > > https://git.centos.org/rpms/docker/tree/c7-extras and you can see the > commit to import the 104 release here: > > https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079eb?branch=c7-extras > > You can look at the commit history for the package: > https://git.centos.org/rpms/docker/commits/c7-extras > > Interestingly, the r104 looks like it failed automatic debranding, and > it didn't get properly debranded until Johnny Hughes manually did it > in r108. But I doubt that makes any difference in your issue, > although it might have changed any announcements at the time. I had found the c7-extras branch, I should've probably mentioned that in the first place. It's there that I found the github link; see for example the SPECS/docker.spec change, there is this line: # docker %global git_docker https://github.com/projectatomic/docker - %global commit_docker 7f2769b9e0572f62730d91e79e674efd59b7e234 + %global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8 So I just went to the github link and searched for the new commit. Probably from there (or from the list of branches) I found the RHEL / CentOS branch. > > > However, probably the tool people have some kind of different process > > in place. So my question is: is it reasonable to expect any bugfix or > > security update fetched from RHEL to CentOS to come with an > > announcement on the centos-announce mailing list? Is there a filter > > for some packages? I see docker is in extras, not in CentOS-Base, > > maybe updates to those are not announced? > > I don't see any posts to any lists during the timeframe that it was > imported and published by CentOS. I'd honestly like to know if > there's any particular rules for how centos-announce posts get > generated too. I imagine that now that the Stream releases precede > the RHEL package releases, there might be a different set of rules? > > I tried to find something in the wiki but apparently I searched too > many times and it told me to not search so frequently. Google didn't > show anything though. I've downloaded the archives of centos-announce since January 2019 and grepped for 'docker'. I only see multiple announcements for pcp, which includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing about docker itself. $ zgrep -i docker 20* 2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm 2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm [...] 2020-May.txt.gz:b6614b82c38dbe8d4de61b81d5d779de7fd13d58c341805dfdb1faa7be86538b pcp-pmda-docker-4.3.2-7.el7_8.x86_64.rpm 2021-March.txt.gz:- We are still in discussions on how to push these properly to Dockerhub. I also think clarifying the process would help. Thanks, Stefan.