
Bug#995171: need newer release


Yaroslav Halchenko

Sep 27, 2021, 9:40:04 AM
Package: singularity-container
Version: 3.5.2+ds1-1
Severity: normal

Current upstream release is 3.8.3
https://github.com/sylabs/singularity/releases/tag/v3.8.3

I expect it having addressed a number (if not all) CVE issues we have opened in
debian against the package.

For that reason marking this issue at least as normal, instead of
wishlist.


-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug'), (100, 'oldstable-updates'), (100, 'stable'), (100, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-7-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages singularity-container depends on:
ii ca-certificates 20210119
ii containernetworking-plugins 0.9.0-1+b3
ii libc6 2.31-12
ii libseccomp2 2.5.1-1
ii squashfs-tools 1:4.4-2

Versions of packages singularity-container recommends:
ii e2fsprogs 1.46.2-1

singularity-container suggests no packages.

-- Configuration Files:
/etc/singularity/singularity.conf changed [not included]

-- debconf-show failed

Andreas Tille

Jan 24, 2022, 5:00:04 AM
Hi Yaroslav,

$ apt showsrc singularity-container | grep Uploaders
Uploaders: Dave Love <f...@gnu.org>, Mehdi Dogguy <me...@debian.org>, Yaroslav Halchenko <deb...@onerussian.com>, Afif Elghraoui <af...@debian.org>, Dmitry Smirnov <onl...@debian.org>, Benda Xu <o...@debian.org>

shows you as Uploader of singularity-container. Is there any reason you
file this bug report instead of simply uploading a new version of this
package?

When doing so I'd recommend the following patch:


diff --git a/debian/watch b/debian/watch
index 140951c..e4f994d 100644
--- a/debian/watch
+++ b/debian/watch
@@ -6,4 +6,4 @@ repacksuffix=+ds1,\
repack,compression=xz,\
dversionmangle=s{[+~](dfsg|ds)\d*}{},\
" https://github.com/sylabs/singularity/releases \
- (?:.*/)?singularity-(\d[\d\.]*)\.tar\.gz
+ (?:.*/)?singularity-ce-(\d[\d\.]*)\.tar\.gz
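Review bot: the capture `(\d[\d\.]*)` in the new `singularity-ce-` pattern also accepts a version that ends in a dot or contains `..`; `(\d+(?:\.\d+)*)` matches the same real tarball names (`singularity-ce-3.8.3.tar.gz`) while rejecting malformed ones, which keeps dversionmangle and repacksuffix from ever seeing a trailing dot. Separately, the three option lines visible in this hunk (repacksuffix, repack/compression, dversionmangle) set no pgpmode/pgpsigurlmangle option, so it is worth confirming that the lines of debian/watch above this hunk do; otherwise uscan will fetch the renamed upstream tarball without any signature check.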


I admit I've never used singularity before but this might change in the
near future. Thus I'm wondering why we have 4 open bugs with CVE
numbers and are lagging several versions behind upstream. Maybe there
is a good reason to stick to the outdated security problematic version
which I simply do not understand?

Kind regards

Andreas.

--
http://fam-tille.de

Andreas Tille

Jan 24, 2022, 10:40:07 AM
Hi Yaroslav,

On Mon, Jan 24, 2022 at 10:11:21AM -0500, Yaroslav Halchenko wrote:
>
> > " https://github.com/sylabs/singularity/releases \
> > - (?:.*/)?singularity-(\d[\d\.]*)\.tar\.gz
> > + (?:.*/)?singularity-ce-(\d[\d\.]*)\.tar\.gz
>
> cool -- applied

:-)

> > Thus I'm wondering why we have 4 open bugs with CVE
> > numbers and are lagging several versions behind upstream. Maybe there
> > is a good reason to stick to the outdated security problematic version
> > which I simply do not understand?
>
> shortage of time/ppl?

OK, just wanted to make sure there is no technical reason.

> I have started to update packaging for 3.9.4+ds1 but got stuck on
> updating the 2nd patch which seems "too involved" for a go-ignorant me.
> Any help would be welcomed. I have pushed update of source tree etc

I might have a look once I get permissions to push directly.

Yaroslav Halchenko

Jan 24, 2022, 10:40:07 AM

On Mon, 24 Jan 2022, Andreas Tille wrote:
> $ apt showsrc singularity-container | grep Uploaders
> Uploaders: Dave Love <f...@gnu.org>, Mehdi Dogguy <me...@debian.org>, Yaroslav Halchenko <deb...@onerussian.com>, Afif Elghraoui <af...@debian.org>, Dmitry Smirnov <onl...@debian.org>, Benda Xu <o...@debian.org>

> shows you as Uploader of singularity-container. Is there any reason you
> file this bug report instead of simply uploading a new version of this
> package?

because it is maintained by the Debian HPC Team <debia...@lists.debian.org>
and I either did not have time or "foo" to update the packaging.

And that is what I typically do even when working "by myself" - to
record relevant issues against corresponding project/package in that
project/package issue tracker.

> When doing so I'd recommend the following patch:


> diff --git a/debian/watch b/debian/watch
> index 140951c..e4f994d 100644
> --- a/debian/watch
> +++ b/debian/watch
> @@ -6,4 +6,4 @@ repacksuffix=+ds1,\
> repack,compression=xz,\
> dversionmangle=s{[+~](dfsg|ds)\d*}{},\
> " https://github.com/sylabs/singularity/releases \
> - (?:.*/)?singularity-(\d[\d\.]*)\.tar\.gz
> + (?:.*/)?singularity-ce-(\d[\d\.]*)\.tar\.gz

cool -- applied


> I admit I've never used singularity before but this might change in the
> near future.

I hope so -- singularity is current bread&butter for containerized
computing in scientific context.

> Thus I'm wondering why we have 4 open bugs with CVE
> numbers and are lagging several versions behind upstream. Maybe there
> is a good reason to stick to the outdated security problematic version
> which I simply do not understand?

shortage of time/ppl?

I have started to update packaging for 3.9.4+ds1 but got stuck on
updating the 2nd patch which seems "too involved" for a go-ignorant me.
Any help would be welcomed. I have pushed update of source tree etc

--
Yaroslav O. Halchenko
Center for Open Neuroscience http://centerforopenneuroscience.org
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
WWW: http://www.linkedin.com/in/yarik


Afif Elghraoui

Jan 24, 2022, 12:20:05 PM
Hi, Andreas!

On 1/24/22 07:24, Andreas Tille wrote:
> I might have a look once I get permissions to push directly.

Access granted. I don't get email notifications when someone makes an
access request, so I rely on someone emailing the list saying "hey, I
want to join"

thanks and regards
Afif

--
Afif Elghraoui | عفيف الغراوي
https://afif.ghraoui.name

Andreas Tille

Jan 25, 2022, 3:40:03 AM
Hi Yaroslav,

On Mon, Jan 24, 2022 at 10:11:21AM -0500, Yaroslav Halchenko wrote:
>
> > " https://github.com/sylabs/singularity/releases \
> > - (?:.*/)?singularity-(\d[\d\.]*)\.tar\.gz
> > + (?:.*/)?singularity-ce-(\d[\d\.]*)\.tar\.gz
>
> cool -- applied

I can't see this in master branch.

> I have started to update packaging for 3.9.4+ds1 but got stuck on
> updating the 2nd patch which seems "too involved" for a go-ignorant me.
> Any help would be welcomed. I have pushed update of source tree etc

To what branch?

Benda Xu

Jan 25, 2022, 9:40:05 AM
I looked upon singularity-3.9.2. It has several dependencies that will
need coordinated updates of the go packages.

Benda

Yaroslav Halchenko

Jan 25, 2022, 11:30:04 AM
> I can't see this in master branch.

> > I have started to update packaging for 3.9.4+ds1 but got stuck on
> > updating the 2nd patch which seems "too involved" for a go-ignorant me.
> > Any help would be welcomed. I have pushed update of source tree etc

> To what branch?

oh, I didn't spot that `gbp push` doesn't push not yet tagged work?
pushed now:

(git)lena:~exppsy/singularity-container[master]
$> gbp push
gbp:info: Pushing upstream/3.9.4+ds1 to origin
gbp:info: Pushing refs/heads/upstream to origin:refs/heads/upstream
gbp:info: Pushing refs/heads/pristine-tar to origin:refs/heads/pristine-tar

$> git push
Enumerating objects: 3237, done.
Counting objects: 100% (3209/3209), done.
Delta compression using up to 12 threads
Compressing objects: 100% (2143/2143), done.
Writing objects: 100% (2572/2572), 3.14 MiB | 1.64 MiB/s, done.
Total 2572 (delta 622), reused 1954 (delta 300), pack-reused 0
remote: Resolving deltas: 100% (622/622), completed with 237 local objects.
To salsa.debian.org:hpc-team/singularity-container.git
aa00514f8..fb5dcc7b6 master -> master
* [new tag] debian/2.6.1-2+nd2 -> debian/2.6.1-2+nd2
* [new tag] upstream/3.2.1+ds -> upstream/3.2.1+ds


> Kind regards

> Andreas.

Andreas Tille

Jan 25, 2022, 1:10:03 PM
On Tue, Jan 25, 2022 at 11:24:13AM -0500, Yaroslav Halchenko wrote:
>
> > To what branch?
>
> oh, I didn't spot that `gbp push` doesn't push not yet tagged work?

Uhhhmmm, no, it's pushing on my side. Do you have some specific config
which might prevent this?

> pushed now:
>
> (git)lena:~exppsy/singularity-container[master]
> $> gbp push
> gbp:info: Pushing upstream/3.9.4+ds1 to origin
> gbp:info: Pushing refs/heads/upstream to origin:refs/heads/upstream
> gbp:info: Pushing refs/heads/pristine-tar to origin:refs/heads/pristine-tar
>
> $> git push
> Enumerating objects: 3237, done.
> Counting objects: 100% (3209/3209), done.
> Delta compression using up to 12 threads
> Compressing objects: 100% (2143/2143), done.
> Writing objects: 100% (2572/2572), 3.14 MiB | 1.64 MiB/s, done.
> Total 2572 (delta 622), reused 1954 (delta 300), pack-reused 0
> remote: Resolving deltas: 100% (622/622), completed with 237 local objects.
> To salsa.debian.org:hpc-team/singularity-container.git
> aa00514f8..fb5dcc7b6 master -> master
> * [new tag] debian/2.6.1-2+nd2 -> debian/2.6.1-2+nd2
> * [new tag] upstream/3.2.1+ds -> upstream/3.2.1+ds

Thanks, I'll check tomorrow.

Andreas Tille

Jan 27, 2022, 5:10:05 AM
Control: tags -1 help

Hi,

I pushed several changes to singularity-container Git[1] (including
changing debian/.gitlab-ci.yaml to get build logs I can link to). I
also upgraded two golang packages (golang-github-blang-semver-dev and
golang-github-vbauerster-mpb-dev) to the versions that are needed by
singularity-container 3.9.4. While upgrading
golang-github-blang-semver-dev helped to get rid of some error
message inside the build log this is not the case for the latest
version of golang-github-vbauerster-mpb-dev:

...
GO singularity
[+] GO_TAGS "containers_image_openpgp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper sylog oci_engine singularity_engine fakeroot_engine apparmor selinux seccomp"
/usr/bin/go build -mod=vendor -buildmode=pie -tags "containers_image_openpgp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper sylog oci_engine singularity_engine fakeroot_engine apparmor selinux seccomp" -ldflags="-B 0x`head -c20 /dev/urandom|od -An -tx1|tr -d ' \n'`" -gcflags=github.com/sylabs/singularity/...="-trimpath /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity=>github.com/sylabs/singu...@v0.0.0" -asmflags=github.com/sylabs/singularity/...="-trimpath /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity=>github.com/sylabs/singu...@v0.0.0" \
-o ./singularity /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
../internal/app/singularity/push.go:23:2: cannot find package "github.com/vbauerster/mpb/v4" in any of:
/build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/vendor/github.com/vbauerster/mpb/v4 (vendor tree)
/usr/lib/go-1.17/src/github.com/vbauerster/mpb/v4 (from $GOROOT)
/build/singularity-container-3.9.4+ds1/_build/src/github.com/vbauerster/mpb/v4 (from $GOPATH)
../internal/app/singularity/push.go:24:2: cannot find package "github.com/vbauerster/mpb/v4/decor" in any of:
/build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/vendor/github.com/vbauerster/mpb/v4/decor (vendor tree)
/usr/lib/go-1.17/src/github.com/vbauerster/mpb/v4/decor (from $GOROOT)
/build/singularity-container-3.9.4+ds1/_build/src/github.com/vbauerster/mpb/v4/decor (from $GOPATH)
../internal/pkg/client/progress.go:13:2: cannot find package "github.com/vbauerster/mpb/v6" in any of:
/build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/vendor/github.com/vbauerster/mpb/v6 (vendor tree)
/usr/lib/go-1.17/src/github.com/vbauerster/mpb/v6 (from $GOROOT)
/build/singularity-container-3.9.4+ds1/_build/src/github.com/vbauerster/mpb/v6 (from $GOPATH)
../internal/pkg/client/progress.go:14:2: cannot find package "github.com/vbauerster/mpb/v6/decor" in any of:
/build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/vendor/github.com/vbauerster/mpb/v6/decor (vendor tree)
/usr/lib/go-1.17/src/github.com/vbauerster/mpb/v6/decor (from $GOROOT)
/build/singularity-container-3.9.4+ds1/_build/src/github.com/vbauerster/mpb/v6/decor (from $GOPATH)
make[2]: *** [Makefile:183: singularity] Error 1


(You can find the full build log in salsa-ci[2])

Since I'm not a Go programmer I wonder whether somebody could give
some helpful hint how to fix this.

Kind regards

Andreas.

PS: I'm not subscribed to debian-go list. Please keep the bug report
in CC.


[1] https://salsa.debian.org/hpc-team/singularity-container
[2] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2403226

--
http://fam-tille.de

Nilesh Patra

Jan 27, 2022, 8:10:04 AM
Hi Andreas,

On 1/27/22 3:36 PM, Andreas Tille wrote:
> Hi,
> [...] While upgrading
> golang-github-blang-semver-dev helped to get rid of some error
> message inside the build log this

Great

> is not the case for the latest
> version of golang-github-vbauerster-mpb-dev:
> [...]
> -o ./singularity /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
> ../internal/app/singularity/push.go:23:2: cannot find package "github.com/vbauerster/mpb/v4" in any of:

That's because if you look in singularity's go.mod, it depends on both versions of this package (v4 and v6)
see here[1]
Ideally, it should have different versioned 'XS-Go-Import-Path' for all versions. For instance as done in
blackfriday package see here[4][5]

So as far as I can tell, you could do the following:

a) Package different versions of both with correct import paths, upload to new and then
add B-D on these.

b) (Not highly recommended) Vendor[6] the old version of golang-github-vbauerster-mpb in the vendor directory and use
that to build. This is messy but would solve the issue. There's already a vendor dir in that package which already
gets a bunch of stuff, so this might not be much worse.

c) Port code to the version 7 of this package (which you uploaded)

d) Revert your upload to version 6 (where it was earlier) and port the code written with version 4 to 6

> Since I'm not a Go programmer I wonder whether somebody could give
> some helpful hint how to fix this.

Me neither, but hopefully that helped a bit?

> PS: I'm not subscribed to debian-go list. Please keep the bug report
> in CC.

Hope I did enough to reach out to you :-))

Regards,
Nilesh
[3]: https://salsa.debian.org/hpc-team/singularity-container/-/blob/master/go.mod#L48-49
[4]: https://salsa.debian.org/go-team/packages/golang-blackfriday/-/blob/debian/sid/debian/control#L18
[5]: https://salsa.debian.org/go-team/packages/golang-blackfriday-v2/-/blob/debian/sid/debian/control#L17
[6]: https://blog.gopheracademy.com/advent-2015/vendor-folder/


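Nilesh's diagnosis above, and the `cannot find package ".../mpb/v4"` / `".../mpb/v6"` errors in Andreas's build log earlier in the thread, both come down to one module being required at two major versions at once, which a Debian golang-*-dev package with a single XS-Go-Import-Path cannot satisfy. The program below is an added example, not code from this bug log or from singularity/apptainer: it scans a go.mod and reports every module path required at more than one major version, the check a packager would run before choosing between separate per-major packages (option a), vendoring (option b) or a port (options c/d). The go.mod text is constructed for the example, the mpb version numbers in it are placeholders rather than what singularity pins, and the function names (ParseRequires, MultiMajorRequires) are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed go.mod for the example; the module versions are placeholders,
// not the ones singularity 3.9.4 actually requires.
const sampleGoMod = `module github.com/example/app

go 1.17

require (
	github.com/blang/semver/v4 v4.0.0
	github.com/vbauerster/mpb/v4 v4.0.0
	github.com/vbauerster/mpb/v6 v6.0.0
	golang.org/x/sys v0.0.0-20210101000000-000000000000 // indirect
)
`

// majorSuffix matches a Go major-version import-path suffix ("/v2" and up).
// v0/v1 have no suffix, so a bare path and "/v1" never appear together.
var majorSuffix = regexp.MustCompile(`^(.*)/v([2-9]|[1-9][0-9]+)$`)

// RequireEntry is one "path version" line from a go.mod require statement.
type RequireEntry struct {
	Path    string
	Version string
}

// ParseRequires extracts require entries from go.mod text. It handles both
// the single-line form "require x v1.0.0" and the parenthesised block form,
// and ignores trailing "// indirect" comments.
func ParseRequires(gomod string) []RequireEntry {
	var out []RequireEntry
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				out = append(out, RequireEntry{Path: f[0], Version: f[1]})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				out = append(out, RequireEntry{Path: f[1], Version: f[2]})
			}
		}
	}
	return out
}

// MultiMajorRequires groups requirements by base module path (major suffix
// stripped) and returns only the base paths that are required at more than
// one major version, each mapped to its sorted full import paths.
func MultiMajorRequires(entries []RequireEntry) map[string][]string {
	byBase := map[string][]string{}
	for _, e := range entries {
		base := e.Path
		if m := majorSuffix.FindStringSubmatch(e.Path); m != nil {
			base = m[1]
		}
		byBase[base] = append(byBase[base], e.Path)
	}
	result := map[string][]string{}
	for base, paths := range byBase {
		if len(paths) > 1 {
			sort.Strings(paths)
			result[base] = paths
		}
	}
	return result
}

func main() {
	dup := MultiMajorRequires(ParseRequires(sampleGoMod))
	if len(dup) == 0 {
		fmt.Println("no module is required at more than one major version")
		return
	}
	// Each listed import path needs its own source tree under
	// /usr/share/gocode/src/<import path> (or a vendored copy) to build.
	for base, paths := range dup {
		fmt.Printf("%s is required at %d major versions: %s\n",
			base, len(paths), strings.Join(paths, ", "))
	}
}
```

Run against the real go.mod of a package under consideration (read the file instead of `sampleGoMod`) and every reported line is one major version that must be provided separately, whichever of Nilesh's options is chosen.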

Andreas Tille

Jan 27, 2022, 9:00:04 AM
Hi Nilesh,

On Thu, Jan 27, 2022 at 06:23:08PM +0530, Nilesh Patra wrote:
> > is not the case for the latest
> > version of golang-github-vbauerster-mpb-dev:
> > [...]
> > -o ./singularity /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
> > ../internal/app/singularity/push.go:23:2: cannot find package "github.com/vbauerster/mpb/v4" in any of:
>
> That's because if you look in singularity's go.mod, it depends on both versions of this package (v4 and v6)
> see here[1]
> Ideally, it should have different versioned 'XS-Go-Import-Path' for all versions. For instance as done in
> blackfriday package see here[4][5]
>
> So as far as I can tell, you could do the following:
>
> a) Package different versions of both with correct import paths, upload to new and then
> add B-D on these.

I admit this sounds technically clean but I would like to fix the CVEs
in singularity-container rather sooner than later and passing NEW queue
is not promising regarding a quick fix.

> b) (Not highly) recommended) Vendor[6] the old version of golang-github-vbauerster-mpb in the vendor directory and use
> that to build. This is messy but would solve the issue. There's already a vendor dir in that package which already
> gets a bunch of stuff, so this might not be much worse.

Amongst your suggestions this sounds like the most probable *I* feel
able to implement. I would love if someone might beat me with a
better solution.

> c) Port code to the version 7 of this package (which you uploaded)

I've never written a line of code in Go - so this is not for me.
I'd also think this should rather be done upstream.

> d) Revert your upload to version 6 (where it was earlier) and port the code written with version 4 to 6

This will not be sufficient since also version 7 is needed (according
to the docs as well as according to the error message if you build
against version 6).

> > Since I'm not a Go programmer I wonder whether somebody could give
> > some helpful hint how to fix this.
>
> Me neither, but hopefully that helped a bit?

It gave me some interesting ideas and might hopefully inspire others
to step in in case option b) sounds too ugly.

> > PS: I'm not subscribed to debian-go list. Please keep the bug report
> > in CC.
>
> Hope I did enough to reach out to you :-))

You did! ;-)

Kind regards

Andreas.
--
http://fam-tille.de

Shengjing Zhu

Jan 27, 2022, 11:00:04 AM
Hi

On Thu, Jan 27, 2022 at 8:53 PM Nilesh Patra <nil...@tchncs.de> wrote:
> c) Port code to the version 7 of this package (which you uploaded)

The port is rather straightforward. I just send the patch to upstream,
please see https://github.com/apptainer/apptainer/pull/182

Andreas, are you aware that singularity is now hosted by linux
foundation and renamed to apptainer?
http://apptainer.org/news/community-announcement-20211130

--
Shengjing Zhu

Andreas Tille

Jan 27, 2022, 11:50:03 AM
Hi,

On Thu, Jan 27, 2022 at 11:52:26PM +0800, Shengjing Zhu wrote:
> On Thu, Jan 27, 2022 at 8:53 PM Nilesh Patra <nil...@tchncs.de> wrote:
> > c) Port code to the version 7 of this package (which you uploaded)
>
> The port is rather straightforward. I just send the patch to upstream,
> please see https://github.com/apptainer/apptainer/pull/182

Looks straightforward (even if incomplete - I needed another patch[1]).
This leads to some progress in the configure step - but the build fails
later (see salsa-ci[2]). Any further help would be really welcome.

> Andreas, are you aware that singularity is now hosted by linux
> foundation and renamed to apptainer?
> http://apptainer.org/news/community-announcement-20211130

Thanks a lot for the hint. I was not aware of this. However, I need to
admit that I do not consider myself as an active maintainer of the
singularity-container package. I simply found out that the package that
is called "bread&butter for containerized computing in scientific
context" here in this bug log is neither in stable nor can I find
obvious signs that someone cares for open CVEs. My main intention is to
get singularity into testing first. The next steps should be decided by
the hopefully re-activated maintainers team.

Kind regards and thanks again for your help

Andreas.


[1] https://salsa.debian.org/hpc-team/singularity-container/-/blob/master/debian/patches/bump_further_mbp_from_v4_to_v7.patch
[2] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2404165

--
http://fam-tille.de