x/sys: use glibc release branch #29873

Closed
codonell opened this issue Jan 22, 2019 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
@codonell

The sys/unix/linux/Dockerfile contains the following lines:

# GNU C library: Released 01 Aug 2018 (we should try to get a secure way to clone this)
RUN git clone --branch glibc-2.28 --depth 1 git://sourceware.org/git/glibc.git

https://github.com/golang/sys/blob/054c452bb702e465e95ce8e7a3d9a6cf0cd1188d/unix/linux/Dockerfile#L17

The release branch for glibc 2.28 has known security vulnerabilities that were fixed in the stable release branch. Please track release/2.28/master in order to stay on top of the most recent fixes backported by the community. The release branches are actively maintained by several distributions in order to keep them useful for distribution rebasing.

Example (using https instead of git, may solve the "secure way" question):
git clone --branch release/2.28/master https://sourceware.org/git/glibc.git glibc-2.28

@gopherbot gopherbot added this to the Unreleased milestone Jan 22, 2019
@ianlancetaylor ianlancetaylor changed the title x/sys: Use glibc release branch. x/sys: use glibc release branch Jan 22, 2019
@ianlancetaylor ianlancetaylor added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 22, 2019
@ianlancetaylor
Contributor

Hard to believe this makes a difference in this case, but CC @tklauser.

@tklauser
Member

We only use macro constants and type definitions from glibc, so I also don't think it will make a difference. But I don't think it will hurt either. I'll send a CL.

@tklauser
Member

Example (using https instead of git, may solve the "secure way" question):
git clone --branch release/2.28/master https://sourceware.org/git/glibc.git glibc-2.28

Unfortunately this doesn't seem to support shallow clones:

Cloning into 'glibc'...
fatal: dumb http transport does not support shallow capabilities
The command '/bin/sh -c git clone --branch release/2.28/master --depth 1 https://sourceware.org/git/glibc.git' returned a non-zero code: 128

So I think we should stick with the git:// method for now in order to not make the container image unnecessarily large.
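
Added example, not part of the thread or of the x/sys repository: a small Go check that scans Dockerfile text for the two concerns raised in this issue, a clone over an unauthenticated transport and a clone pinned to a point-release tag rather than the maintained release branch. The names `Finding` and `AuditClones` and the tag pattern are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one observation about a `RUN git clone` line (hypothetical type).
type Finding struct {
	Line int
	Msg  string
}
// Assumption: point-release tags are named like glibc-2.28, as on this page.
var releaseTag = regexp.MustCompile(`^glibc-\d+\.\d+(\.\d+)?$`)
// AuditClones scans Dockerfile text and reports clones that use an
// unauthenticated transport or pin a release tag instead of a release branch.
func AuditClones(dockerfile string) []Finding {
	var out []Finding
	for i, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "RUN" || f[1] != "git" || f[2] != "clone" {
			continue
		}
		var ref, url string
		for j := 3; j < len(f); j++ {
			if f[j] == "--branch" && j+1 < len(f) {
				ref = f[j+1]
			} else if strings.Contains(f[j], "://") {
				url = f[j]
			}
		}
		// git:// and http:// give no server authentication or integrity protection.
		if strings.HasPrefix(url, "git://") || strings.HasPrefix(url, "http://") {
			out = append(out, Finding{i + 1, "unauthenticated transport: " + url})
		}
		if releaseTag.MatchString(ref) {
			out = append(out, Finding{i + 1, "release tag " + ref + " does not receive backported fixes"})
		}
	}
	return out
}

func main() {
	src := "# GNU C library\nRUN git clone --branch glibc-2.28 --depth 1 git://sourceware.org/git/glibc.git"
	for _, f := range AuditClones(src) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
}
```

Run against the line quoted in the issue, it reports both findings; a release-branch clone over `git://` still reports the transport finding.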

@gopherbot
Contributor

Change https://golang.org/cl/158997 mentions this issue: unix: use glibc release branch in Dockerfile

@golang golang locked and limited conversation to collaborators Jan 24, 2020