On Monday, 17 June 2019 6:02:50 AM AEST Shengjing Zhu wrote:
> On Sun, Jun 16, 2019 at 11:47 PM Shengjing Zhu <z...@debian.org> wrote:
> > So I would suggest we remove rkt from buster.

Personally I wouldn't do that, but rules are rules, so whatever...

It is reasonable to assume that application containers are not perfectly secure and to assess the risks with that in mind. The vulnerabilities in question begin with the assumption that an attacker has compromised "/bin/bash" inside containers. But how?? My containers don't run services as "root", and most containers are orchestrated by Nomad, so I don't use "rkt enter" either. Those containers where I might use "rkt enter" are not exposed externally, so if an attacker can compromise them on the intranet then I have a bigger problem. Of course someone might be less immune to those vulnerabilities...

Anyway, IMHO even with those vulnerabilities _rkt_ is by default more secure than Docker, and _rkt_ has a much smaller code base, hence a smaller attack surface than Docker. I would reclassify those vulnerabilities with lower severity to avoid removal from Buster. But I have no energy to argue and push for inclusion. Too much effort and time were already spent on the inclusion of these tools...

> Which means the acbuild and nomad (build-rdepends) will also be removed.
> For acbuild, it is also discontinued by upstream[1].
>
> [1] https://github.com/containers/build

You are forgetting that it is still a useful tool (and a necessary companion for _rkt_) that has no alternatives in Debian. Volatility in the Golang ecosystem is insane, and I doubt it is reasonable to hold Golang to the same standards as other programming languages yet. For example, Golang hasn't even stabilised versioning of libraries, something that Perl did over 20 years ago... The maturity and production readiness of many Golang libraries can be questioned.

> For nomad, you can disable the rkt driver, by patching
> client/driver/driver.go. But this should go through an unblock process.

I'm not doing that. Nomad is useless to me without _rkt_, and Podman support is not available yet: https://github.com/hashicorp/nomad/issues/5312

-- 
Regards,
 Dmitry Smirnov.
--- Every decent man is ashamed of the government he lives under. -- H. L. Mencken