Move Sdk from the dotnet-8 to a new dotnet-8-sdk package #17699

Draft: wants to merge 4 commits into base: main

Conversation

@debasishbsws (Member) commented Apr 25, 2024

Fixes: #17580

For new package PRs only

  • the PR is marked as related to a pre-existing package request bug, such as a dependency

Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
@debasishbsws (Member Author) commented:

Cannot resolve the CVEs.

@debasishbsws (Member Author) commented:

Found it: all the CVEs are showing up because of one NuGet package that is at an older version (link)

🔎 Scanning "/tmp/artifacts-1/packages/x86_64/dotnet-8-sdk-8.0.204-r0.apk"
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.CommandLine.XPlat.resources.dll
│       📦 NuGet.CommandLine.XPlat 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Commands.resources.dll
│       📦 NuGet.Commands 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Common.resources.dll
│       📦 NuGet.Common 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.PackageManagement.resources.dll
│       📦 NuGet.PackageManagement 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Packaging.resources.dll
│       📦 NuGet.Packaging 6.0.0.278 (dotnet)
│           Critical CVE-2024-0057 GHSA-68w7-72jg-6qpp fixed in 6.0.6
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Protocol.resources.dll
│       📦 NuGet.Protocol 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.CommandLine.XPlat.resources.dll
│       📦 NuGet.CommandLine.XPlat 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.Commands.resources.dll
│       📦 NuGet.Commands 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.Common.resources.dll
│       📦 NuGet.Common 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.PackageManagement.resources.dll
│       📦 NuGet.PackageManagement 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.Packaging.resources.dll
│       📦 NuGet.Packaging 6.0.0.278 (dotnet)
│           Critical CVE-2024-0057 GHSA-68w7-72jg-6qpp fixed in 6.0.6
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.Protocol.resources.dll
│       📦 NuGet.Protocol 6.0.0.278 (dotnet)
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/es/NuGet.CommandLine.XPlat.resources.dll
│       📦 NuGet.CommandLine.XPlat 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/es/NuGet.Commands.resources.dll
│       📦 NuGet.Commands 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│...
...
...
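As an added example (not code from the PR or from the Wolfi project), the script below parses the scanner tree pasted above and collapses the repeated per-file findings into a per-package view: unique CVEs, the number of satellite assemblies carrying the same component, and the lowest version that clears every finding for that component. The tree layout, severity words and "fixed in" phrasing are taken from the output above; the embedded sample is a constructed excerpt of it, and the assumption that all NuGet components move together to one release (which the scan supports, since every component is at 6.0.0.278) is made explicit in `required_upgrade`.

```python
import re

# Constructed sample: an excerpt of the scanner tree pasted in the comment above.
SAMPLE_SCAN = """\
🔎 Scanning "/tmp/artifacts-1/packages/x86_64/dotnet-8-sdk-8.0.204-r0.apk"
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.CommandLine.XPlat.resources.dll
│       📦 NuGet.CommandLine.XPlat 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Commands.resources.dll
│       📦 NuGet.Commands 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/cs/NuGet.Packaging.resources.dll
│       📦 NuGet.Packaging 6.0.0.278 (dotnet)
│           Critical CVE-2024-0057 GHSA-68w7-72jg-6qpp fixed in 6.0.6
│
├── 📄 /usr/share/dotnet/sdk/8.0.204/de/NuGet.Commands.resources.dll
│       📦 NuGet.Commands 6.0.0.278 (dotnet)
│           Medium CVE-2022-30184 GHSA-3885-8gqc-3wpf fixed in 6.0.2
│           High CVE-2023-29337 GHSA-6qmf-mmc7-6c2p fixed in 6.0.5
│           High CVE-2022-41032 GHSA-g3q9-xf95-8hp5 fixed in 6.0.3
│
"""

# One regex per line kind in the tree: file, package, finding.
FILE_RE = re.compile(r"📄\s+(\S+)")
PKG_RE = re.compile(r"📦\s+(\S+)\s+(\S+)\s+\((\S+)\)")
FINDING_RE = re.compile(
    r"(Critical|High|Medium|Low|Negligible|Unknown)\s+(CVE-\d{4}-\d+)\s+(\S+)\s+fixed in\s+(\S+)"
)


def version_key(version):
    """Dotted version string -> tuple of ints, so '6.0.10' sorts after '6.0.6'."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_scan(text):
    """Return a list of (file, package, version, ecosystem, severity, cve, ghsa, fixed_in)."""
    findings = []
    current_file = None
    current_pkg = None
    for line in text.splitlines():
        m = FILE_RE.search(line)
        if m:
            current_file, current_pkg = m.group(1), None
            continue
        m = PKG_RE.search(line)
        if m:
            current_pkg = (m.group(1), m.group(2), m.group(3))
            continue
        m = FINDING_RE.search(line)
        if m and current_file and current_pkg:
            findings.append((current_file, *current_pkg, *m.groups()))
    return findings


def summarize(findings):
    """Collapse findings per package: files carrying it, unique CVEs, and the
    lowest version at which every listed CVE is fixed (the max of the fixed_in values)."""
    summary = {}
    for path, name, version, _eco, severity, cve, _ghsa, fixed in findings:
        entry = summary.setdefault(
            name, {"version": version, "files": set(), "cves": {}, "fixed_in": "0"}
        )
        entry["files"].add(path)
        entry["cves"][cve] = (severity, fixed)
        if version_key(fixed) > version_key(entry["fixed_in"]):
            entry["fixed_in"] = fixed
    return summary


def required_upgrade(summary):
    """Assumption: these NuGet components are updated together as one release,
    so the single target that clears the whole scan is the highest per-package target."""
    return max((e["fixed_in"] for e in summary.values()), key=version_key)


if __name__ == "__main__":
    summary = summarize(parse_scan(SAMPLE_SCAN))
    for name, entry in sorted(summary.items()):
        print(f"{name} {entry['version']}: {len(entry['files'])} file(s), "
              f"{len(entry['cves'])} CVE(s), clean at {entry['fixed_in']}")
    print("single NuGet version clearing every finding:", required_upgrade(summary))
```

Feeding the full scan in instead of the excerpt gives the same per-package picture: every hit is the one vendored NuGet 6.0.0.278 build repeated across the localized `*.resources.dll` satellites, and 6.0.6 (the CVE-2024-0057 fix for NuGet.Packaging) is the version at which the whole list would clear.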

@debasishbsws debasishbsws changed the title from "DO NOT MERGE Remove Sdk from the dotnet-8 and create a new dotnet-8-sdk package" to "Move Sdk from the dotnet-8 to a new dotnet-8-sdk package" Apr 29, 2024
@debasishbsws debasishbsws self-assigned this Apr 29, 2024
@debasishbsws debasishbsws marked this pull request as ready for review April 29, 2024 07:27
@kaniini (Collaborator) commented Apr 29, 2024

The SDK should be built from the same sources as the runtime, as one of the build artifacts. Splitting it out would be inconsistent with every other distribution of .NET.

@debasishbsws (Member Author) commented:

@kaniini Okay, I understand.

The issue occurred with the PowerShell package update PR: it required SDK version 8.0.204, whereas in the dotnet/dotnet v8.0.4 release we have SDK version 8.0.104.

Can you suggest what I should do here?
I know there is another repo, dotnet/installer, which includes the new SDK v8.0.104, but the docs suggest building dotnet-8 from the dotnet/dotnet package.

Successfully merging this pull request may close these issues.

Separate the dotnet-8-sdk into its own package