x/sys: use glibc release branch #29873

Closed
codonell opened this issue Jan 22, 2019 · 4 comments

@codonell

commented Jan 22, 2019

The sys/unix/linux/Dockerfile contains the following lines:

# GNU C library: Released 01 Aug 2018 (we should try to get a secure way to clone this)
RUN git clone --branch glibc-2.28 --depth 1 git://sourceware.org/git/glibc.git

https://github.com/golang/sys/blob/054c452bb702e465e95ce8e7a3d9a6cf0cd1188d/unix/linux/Dockerfile#L17

The release branch for glibc 2.28 has known security vulnerabilities that were fixed in the stable release branch. Please track release/2.28/master in order to stay on top of the most recent fixes backported by the community. The release branches are actively maintained by several distributions in order to keep them useful for distribution rebasing.

Example (using https instead of git, may solve the "secure way" question):
git clone --branch release/2.28/master https://sourceware.org/git/glibc.git glibc-2.28

@gopherbot gopherbot added this to the Unreleased milestone Jan 22, 2019

@ianlancetaylor ianlancetaylor changed the title x/sys: Use glibc release branch. x/sys: use glibc release branch Jan 22, 2019

@ianlancetaylor

Contributor

commented Jan 22, 2019

Hard to believe this makes a difference in this case, but CC @tklauser.

@tklauser

Member

commented Jan 23, 2019

We only use macro constants and type definitions from glibc, so I also don't think it will make a difference. But I don't think it will hurt either. I'll send a CL.

@tklauser

Member

commented Jan 23, 2019

> Example (using https instead of git, may solve the "secure way" question):
> git clone --branch release/2.28/master https://sourceware.org/git/glibc.git glibc-2.28

Unfortunately this doesn't seem to support shallow clones:

Cloning into 'glibc'...
fatal: dumb http transport does not support shallow capabilities
The command '/bin/sh -c git clone --branch release/2.28/master --depth 1 https://sourceware.org/git/glibc.git' returned a non-zero code: 128

So I think we should stick with the git:// method for now in order to not make the container image unnecessarily large.

@gopherbot


commented Jan 23, 2019

Change https://golang.org/cl/158997 mentions this issue: unix: use glibc release branch in Dockerfile
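
An added example, not part of the issue or of the golang/sys repository: a small shell lint that flags the two points raised in this thread in a Dockerfile's `git clone` lines, namely an unauthenticated `git://` or `http://` transport and a glibc release tag used where the maintained `release/X.Y/master` branch exists. The function names and finding labels are made up for this example, and the sample input is constructed from the lines quoted above; the lint does not address the shallow-clone limitation reported in the thread.

```shell
#!/bin/sh
# Lint `git clone` lines in a Dockerfile read from stdin.
# Prints one finding per line as "<lineno>: <label>: <detail>".
# (lint_git_clones and the finding labels are hypothetical names.)
lint_git_clones() {
    awk '
    /^[ \t]*#/ { next }                      # skip Dockerfile comments
    /git[ \t]+clone/ {
        url = ""; branch = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z+]+:\/\//) url = $i
            if ($i == "--branch" || $i == "-b") branch = $(i + 1)
        }
        # git:// and http:// provide no server authentication and no
        # integrity protection in transit; https:// and ssh:// do.
        if (url ~ /^(git|http):\/\//)
            printf "%d: unauthenticated-transport: %s\n", NR, url
        # A glibc-X.Y tag is a fixed release point; backported fixes
        # land on the release/X.Y/master branch instead.
        if (url ~ /glibc/ && branch ~ /^glibc-[0-9]+\.[0-9]+$/)
            printf "%d: release-tag-without-backports: %s (consider release/%s/master)\n", \
                NR, branch, substr(branch, 7)
    }'
}

# Constructed sample: the Dockerfile lines quoted in the issue, followed by
# the replacement command suggested in it.
sample_dockerfile() {
    cat <<'EOF'
# GNU C library: Released 01 Aug 2018 (we should try to get a secure way to clone this)
RUN git clone --branch glibc-2.28 --depth 1 git://sourceware.org/git/glibc.git
RUN git clone --branch release/2.28/master https://sourceware.org/git/glibc.git glibc-2.28
EOF
}

sample_dockerfile | lint_git_clones
```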
