unpin binutils

[lichao127]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:
binutils was pinned to version 2.30-22 in #397 because binutils-2.31 requires kernel > 4.16. Current based image (debian:buster) is on kernel 5.10. There's no need to pin to the lower version. This will keep it patched.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
NO

NONE

[poiana]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lichao127
Once this PR has been reviewed and has the lgtm label, please assign leogr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• docker/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[poiana]

Welcome @lichao127! It looks like this is your first PR to falcosecurity/falco 🎉

[leogr]

cc @FedeDP @Andreagit97

[FedeDP]

Hi! Thanks for this PR!

binutils was pinned to version 2.30-22 in #397 because binutils-2.31 requires kernel > 4.16

I don't think that's true; the issue is that drivers built using newer binutils are not going to work on older kernels; that's what the comment says after all:

debian:stable head contains binutils 2.31, which generates
binaries that are incompatible with kernels < 4.16. So manually
forcibly install binutils 2.30-22 instead.

Basically, we need to use old binutils version to have a wider compat matrix!

[lichao127]

I don't think that's true; the issue is that drivers built using newer binutils are not going to work on older kernels; that's what the comment says after all:
Basically, we need to use old binutils version to have a wider compat matrix!

Pinning binutils to an old version means it will not be patched for CVEs like CVE-2018-10372, CVE-2018-10534 etc. It also blocks other packages from security patching as a lot of packages have dependencies on it.

Also, the base image has changed from debian:stable to debian:buster in #1719.
The comments added in #397 should either be updated to reflect the reason to pin binutils, or they should be cleaned up.

[FedeDP]

Pinning binutils to an old version means it will not be patched for CVEs like GHSA-pw2g-xg7w-mccx, GHSA-672m-f2rr-8wvq etc. It also blocks other packages from security patching as a lot of packages have dependencies on it.

Yep that's an issue, for sure. Still, we need the widest possible compatibility unfortunately.

Also, the base image has changed from debian:stable to debian:buster in #1719.

Yes because debian:stable switched to bullseye but we needed buster.

cc also @LucaGuerra

[FedeDP]

Moving to 0.36
/milestone 0.36.0

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[lichao127]

/remove-lifecycle stale

[leogr]

cc @LucaGuerra

[FedeDP]

Ehy, #2718 is updating the default Falco image to Debian 12 (keeping the current image as legacy). Do you think this would still be needed?

[FedeDP]

Moving to TBD until further user input.
/milestone TBD

[Andreagit97]

To be honest I would close it since the issue should be solved by #2718... Of course, if this is not the case feel free to re-open it! :)