Re: singularity-container: CVE-2021-33622

[Andreas Tille]

Control: tags -1 help

Hi,

I updated singularity-container in Salsa to the latest available CE
release and added some new Build-Depends.  Unfortunately it does not
build as you can see in salsa-ci[1].  Any help to get the package build
is welcome.  I personally have no idea about Go language nor singularity
and really need the help of previous Uploaders / Go team.

BTW, I keep all people listed as Uploader in CC.  It would be great if
you could confirm that you feel responsible for this package.  Otherwise
we should probably remove your name from the list of Uploaders.

BTW, I also started packaging of apptainer[2].  Five Build-Depends are
in new queue.  I come back with questions once these might have cleared
new.

Kind regards

 Andreas.


[1] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2404165
[2] https://salsa.debian.org/hpc-team/apptainer

-- 
http://fam-tille.de

Re: singularity-container: CVE-2021-33622

[Nilesh Patra]

On 2/18/22 6:01 PM, Andreas Tille wrote:

Control: tags -1 help

Hi,

I updated singularity-container in Salsa to the latest available CE
release and added some new Build-Depends.  Unfortunately it does not
build as you can see in salsa-ci[1].  Any help to get the package build
is welcome.  I personally have no idea about Go language nor singularity
and really need the help of previous Uploaders / Go team.


You missed to apply the upstream commit properly; I have pushed to fix that 
properly.
Now the build chokes with

|   -o cmd/starter/c/starter 
/home/nilesh/packages/singularity/singularity-container/_build/src/github.com/sylabs/singularity/cmd/starter/main_linux.go
| ../pkg/network/network_linux.go:22:2: cannot find package 
"github.com/containernetworking/cni/pkg/types/100" in any of:
|   
/BUILDDIR/singularity-container/_build/src/github.com/sylabs/singularity/vendor/github.com/containernetworking/cni/pkg/types/100
 (vendor tree)

Now this is because it needs version 1.0.1 of golang-github-appc-cni while we 
have 0.8.1-1 in unstable and the desired version
is still in experimental[1].
So you will need to transition it.

Note that it has some important $rev-deps, however I do not see it doing 
anything much intrusive in psuedo-excuses,
so it might be safe to dput.



BTW, I also started packaging of apptainer[2].  Five Build-Depends are
in new queue.  I come back with questions once these might have cleared
new.


Sure, and thanks for your efforts

[1]: https://tracker.debian.org/pkg/golang-github-appc-cni
[2]: 
https://release.debian.org/britney/pseudo-excuses-experimental.html#golang-github-appc-cni

Regards,
Nilesh



OpenPGP_signature
Description: OpenPGP digital signature

Re: singularity-container: CVE-2021-33622

[Andreas Tille]

Hi Shengjing,

Am Fri, Feb 18, 2022 at 09:11:45PM +0530 schrieb Nilesh Patra:
> | -o cmd/starter/c/starter 
> /home/nilesh/packages/singularity/singularity-container/_build/src/github.com/sylabs/singularity/cmd/starter/main_linux.go
> | ../pkg/network/network_linux.go:22:2: cannot find package 
> "github.com/containernetworking/cni/pkg/types/100" in any of:
> | 
> /BUILDDIR/singularity-container/_build/src/github.com/sylabs/singularity/vendor/github.com/containernetworking/cni/pkg/types/100
>  (vendor tree)
> 
> Now this is because it needs version 1.0.1 of golang-github-appc-cni while we 
> have 0.8.1-1 in unstable and the desired version
> is still in experimental[1].
> So you will need to transition it.

Do you see any reason not to upgrade golang-github-appc-cni?

Kind regards

  Andreas.
 
> [1]: https://tracker.debian.org/pkg/golang-github-appc-cni
> [2]: 
> https://release.debian.org/britney/pseudo-excuses-experimental.html#golang-github-appc-cni

-- 
http://fam-tille.de

Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Shengjing Zhu]

On Fri, Feb 18, 2022 at 11:42 PM Nilesh Patra  wrote:
>
> On 2/18/22 6:01 PM, Andreas Tille wrote:
> > Control: tags -1 help
> >
> > Hi,
> >
> > I updated singularity-container in Salsa to the latest available CE
> > release and added some new Build-Depends.  Unfortunately it does not
> > build as you can see in salsa-ci[1].  Any help to get the package build
> > is welcome.  I personally have no idea about Go language nor singularity
> > and really need the help of previous Uploaders / Go team.
>
> You missed to apply the upstream commit properly; I have pushed to fix that 
> properly.
> Now the build chokes with
>
> |   -o cmd/starter/c/starter 
> /home/nilesh/packages/singularity/singularity-container/_build/src/github.com/sylabs/singularity/cmd/starter/main_linux.go
> | ../pkg/network/network_linux.go:22:2: cannot find package 
> "github.com/containernetworking/cni/pkg/types/100" in any of:
> |   
> /BUILDDIR/singularity-container/_build/src/github.com/sylabs/singularity/vendor/github.com/containernetworking/cni/pkg/types/100
>  (vendor tree)
>
> Now this is because it needs version 1.0.1 of golang-github-appc-cni while we 
> have 0.8.1-1 in unstable and the desired version
> is still in experimental[1].
> So you will need to transition it.
>
> Note that it has some important $rev-deps, however I do not see it doing 
> anything much intrusive in psuedo-excuses,
> so it might be safe to dput.

The pseudo-excuses don't show regression, since I added a patch to
work around. But I'm not satisfied with my own patch. I guess it's
wrong I planned to update
golang-github-containernetworking-plugin, but it seems I forgot
afterwards.

-- 
Shengjing Zhu

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Andreas Tille]

Am Fri, Feb 18, 2022 at 11:55:55PM +0800 schrieb Shengjing Zhu:
> 
> The pseudo-excuses don't show regression, since I added a patch to
> work around. But I'm not satisfied with my own patch. I guess it's
> wrong I planned to update
> golang-github-containernetworking-plugin, but it seems I forgot
> afterwards.

Will you manage to do this in a foreseeable time frame?

Kind regards and thanks in advance for you support

  Andreas.

-- 
http://fam-tille.de

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Shengjing Zhu]

On Sat, Feb 19, 2022 at 12:06 AM Andreas Tille  wrote:
>
> Am Fri, Feb 18, 2022 at 11:55:55PM +0800 schrieb Shengjing Zhu:
> >
> > The pseudo-excuses don't show regression, since I added a patch to
> > work around. But I'm not satisfied with my own patch. I guess it's
> > wrong I planned to update
> > golang-github-containernetworking-plugin, but it seems I forgot
> > afterwards.
>
> Will you manage to do this in a foreseeable time frame?
>

Yes. It's needed for updating containerd(which was just released a few
days ago) as well. And I guess it's also needed by podman too.

-- 
Shengjing Zhu

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Andreas Tille]

Am Sat, Feb 19, 2022 at 12:09:03AM +0800 schrieb Shengjing Zhu:
> Yes. It's needed for updating containerd(which was just released a few
> days ago) as well. And I guess it's also needed by podman too.

Cool.  I'd be happy if you would ping me to let me continue with
singularity.

Kind regards
Andreas.

-- 
http://fam-tille.de

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Shengjing Zhu]

On Sat, Feb 19, 2022 at 12:23 AM Andreas Tille  wrote:
>
> Am Sat, Feb 19, 2022 at 12:09:03AM +0800 schrieb Shengjing Zhu:
> > Yes. It's needed for updating containerd(which was just released a few
> > days ago) as well. And I guess it's also needed by podman too.
>
> Cool.  I'd be happy if you would ping me to let me continue with
> singularity.
>

I think you can build singularity in experiment for now to see if
there are other failures.

-- 
Shengjing Zhu

Re: singularity-container: CVE-2021-33622

[Andreas Tille]

Hi Dave,

Am Fri, Feb 18, 2022 at 03:48:51PM + schrieb Dave Love:
> I'm wondering why I'm included, though I was thinking I should offer to
> contribute to Debian.

So may be it fits reality better if you will be removed from that list?
I'm usually very inviting and I'm happy about anybody who joins the fun.
But if you are wondering yourself why you are in here it makes no sense
to list you, thought.

> Andreas Tille  writes:
> 
> > I updated singularity-container in Salsa to the latest available CE
> > release and added some new Build-Depends.  Unfortunately it does not
> > build as you can see in salsa-ci[1].  Any help to get the package build
> > is welcome.  I personally have no idea about Go language nor singularity
> > and really need the help of previous Uploaders / Go team.
> 
> [1] is 404 for me, presumably because I don't have access to salsa.

Meanwhile we are some steps further and have some additional ideas.  In
any case it would be great if you could verify that you can view the new
log[3] now (which should be possible annonymously - permissions were set
wrongly before).

In case you want to contribute you are kindly invited to create a salsa
login and I'll happily add you to the project.

> Anyway, is the Fedora packaging any clue
> ?  I know
> it was updated recently, and it includes a patch that isn't in what I
> can see at sources.debian.  (I can interpret .spec files if necessary,
> but that one isn't Fedora-conforming.)  If that helps, it's only fair,
> since I've consulted Debian for Fedora packaging a few times!

:-) Thanks for the hint.  My mail to debian-go mailing list triggered
some progress that will be continued probably after some packages are
upgraded.
 
> (I originally packaged singularity for Fedora, but subsequently disowned
> it.)

I admit I would love to disown some of my packages but usually I fail. ;-)

Kind regards

  Andreas.

[3] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2486891

-- 
http://fam-tille.de

Bug#1005989: ITP: owncast -- Easy to setup video live streaming and chat server.

[Benedikt Wildenhain]

Package: wnpp
Severity: wishlist
Owner: Benedikt Wildenhain 

* Package name: owncast
  Version : 0.0.10-1
  Upstream Author : Owncast
* URL : https://github.com/owncast/owncast
* License : Expat
  Programming Lang: Go
  Description : Easy to setup video live streaming and chat server.

 Owncast is an open source, self-hosted, decentralized, single user live
 video streaming and chat server for running your own live streams
 similar in style to the large mainstream options.  It offers complete
 ownership over your content, interface, moderation and audience.
 .
 In general Owncast is compatible with any software that uses RTMP to
 broadcast to a remote server. RTMP is what all the major live streaming
 services use, so if you’re currently using one of those it’s likely that
 you can point your existing software at your Owncast instance instead.


The Freedom Box Project (see
https://wiki.debian.org/FreedomBox/LeavingTheCloud) identified Owncast
as one of the projects which would be useful to package.

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Andreas Tille]

Hi Shengjing,

Am Sat, Feb 19, 2022 at 12:44:39AM +0800 schrieb Shengjing Zhu:
> I think you can build singularity in experiment for now to see if
> there are other failures.

I've bumped Build-Depends: golang-github-appc-cni-dev (>= 1.0.1~) [1]
but when doing so Salsa-CI does not produce helpful logs any more.
Thus I've moved the resulting build log to:

   
https://people.debian.org/~tille/singularity-container/singularity-container_3.9.4+ds1-1_amd64.build
 

Kind regards

  Andreas.

[1] Build-Depends: golang-github-appc-cni-dev (>= 1.0.1~) 

-- 
http://fam-tille.de

Re: singularity-container: CVE-2021-33622

[Dave Love]

I'm wondering why I'm included, though I was thinking I should offer to
contribute to Debian.

Andreas Tille  writes:

> I updated singularity-container in Salsa to the latest available CE
> release and added some new Build-Depends.  Unfortunately it does not
> build as you can see in salsa-ci[1].  Any help to get the package build
> is welcome.  I personally have no idea about Go language nor singularity
> and really need the help of previous Uploaders / Go team.

[1] is 404 for me, presumably because I don't have access to salsa.
Anyway, is the Fedora packaging any clue
?  I know
it was updated recently, and it includes a patch that isn't in what I
can see at sources.debian.  (I can interpret .spec files if necessary,
but that one isn't Fedora-conforming.)  If that helps, it's only fair,
since I've consulted Debian for Fedora packaging a few times!

(I originally packaged singularity for Fedora, but subsequently disowned
it.)

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Nilesh Patra]

On 2/18/22 10:54 PM, Andreas Tille wrote:

Hi Shengjing,

Am Sat, Feb 19, 2022 at 12:44:39AM +0800 schrieb Shengjing Zhu:

I think you can build singularity in experiment for now to see if
there are other failures.


I've bumped Build-Depends: golang-github-appc-cni-dev (>= 1.0.1~) [1]
but when doing so Salsa-CI does not produce helpful logs any more.
Thus I've moved the resulting build log to:


https://people.debian.org/~tille/singularity-container/singularity-container_3.9.4+ds1-1_amd64.build


I pushed a couple of commits that gets it building and tests passing. However, 
it chokes at
fixperms which has been propagated in d/rules

| make[1]: Entering directory 
'/home/nilesh/packages/singularity/singularity-container'
| dh_fixperms
| chown -c root.root debian/singularity-container/usr/lib/*/singularity/bin/*
| chown: changing ownership of 
'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter':
 Operation not permitted
| chown: changing ownership of 
'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid':
 Operation not permitted

I am not really sure why this is done, but since this is more package related 
and has not got much to do with golang-land, I leave
this onto you to carry fwd.
Hope that helped.

Regards,
Nilesh



OpenPGP_signature
Description: OpenPGP digital signature

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Andreas Tille]

Hi again,

I can confirm I've got version 3.9.4 building thanks to all your
help.

Am Fri, Feb 18, 2022 at 11:31:23PM +0530 schrieb Nilesh Patra:
> | dh_fixperms
> | chown -c root.root debian/singularity-container/usr/lib/*/singularity/bin/*
> | chown: changing ownership of 
> 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter':
>  Operation not permitted
> | chown: changing ownership of 
> 'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid':
>  Operation not permitted
> 
> I am not really sure why this is done, but since this is more package related 
> and has not got much to do with golang-land, I leave
> this onto you to carry fwd.

I disabled the attempt `chown -c root.root` which is not permitted on
one hand and not needed on the other hand since the resulting files
inside the Debian package are owned by root anyway.

> Hope that helped.

It helped a lot!

Seems I got cocky now and realised that there is a new version 3.9.5
out.  I did not wanted to upload something that is outdated at the time
of uploading and trusted that it is a minor bugfix release.  Unfortunately
the build has the following issue:

...
github.com/sylabs/singularity/vendor/github.com/prometheus/client_golang/prometheus
github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
# github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
../vendor/google.golang.org/grpc/status/status.go:176:21: cannot use any (type 
*any.Any) as type *anypb.Any in append
../vendor/google.golang.org/grpc/status/status.go:190:32: cannot use any (type 
*anypb.Any) as type *any.Any in argument to ptypes.UnmarshalAny
encoding/gob
html
html/template
...


Please note that I've started to review the vendored copies and replaced
two of these by the Debian packaged code.  I'm not finished - just
wanted to see if I'm breaking something.  IMHO the breakage ist not
caused by the removal of the vendored copies but I wanted to stress this
point here.

Kind regards

   Andreas.


-- 
http://fam-tille.de

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Nilesh Patra]

On 2/19/22 2:08 AM, Andreas Tille wrote:

Am Fri, Feb 18, 2022 at 11:31:23PM +0530 schrieb Nilesh Patra:

| dh_fixperms
| chown -c root.root debian/singularity-container/usr/lib/*/singularity/bin/*
| chown: changing ownership of 
'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter':
 Operation not permitted
| chown: changing ownership of 
'debian/singularity-container/usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid':
 Operation not permitted
[...]>

I disabled the attempt `chown -c root.root` which is not permitted on
one hand and not needed on the other hand since the resulting files
inside the Debian package are owned by root anyway.


Yeah, as we discussed in the debian-med video call as well.
Did you happen to test it a bit?


Hope that helped.


It helped a lot!

Seems I got cocky now and realised that there is a new version 3.9.5
out. 


It always makes sense to look at the diff before you assume that nothing much
would've changed.
Seems they did major changes in what should essentially looks like a patch 
release :(
Atleast the commit here[1] shows non-trivial changes

[1]: 
https://salsa.debian.org/hpc-team/singularity-container/-/commit/0d8440c61b866c7a8ac30739dcca2bff2b04897b


I did not wanted to upload something that is outdated at the time


I think it does make sense to first upload what you have at hand and what is 
building for you.
It is atleast not worse than what we have currently.

We can focus on new version after that -- well, atleast we are making progress 
right.

If you agree, please finalise 3.9.4; since 3.9.5 throws grpc/protobuf stuff and 
it is almost never
straightforward to fix from my past experiences.
It just puts me off, I admit.


of uploading and trusted that it is a minor bugfix release.  Unfortunately
the build has the following issue:

...
github.com/sylabs/singularity/vendor/github.com/prometheus/client_golang/prometheus
github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
# github.com/sylabs/singularity/vendor/google.golang.org/grpc/status
../vendor/google.golang.org/grpc/status/status.go:176:21: cannot use any (type 
*any.Any) as type *anypb.Any in append
../vendor/google.golang.org/grpc/status/status.go:190:32: cannot use any (type 
*anypb.Any) as type *any.Any in argument to ptypes.UnmarshalAny
encoding/gob
html
html/template
...


I do not even see the grpc folder anywhere on salsa now.

$ find . -name grpc | wc -l
0

So I do not know where this error comes from; or if you have something else 
locally.

But in any case, I am a bit demotivated now to be spending time to fix this.
Hopefully someone else could chime in.


Please note that I've started to review the vendored copies and replaced
two of these by the Debian packaged code.  I'm not finished - just
wanted to see if I'm breaking something.  IMHO the breakage ist not
caused by the removal of the vendored copies but I wanted to stress this
point here.


Leave the grpc/protobuf deps as it was vendored, I would suggest to not mess 
around with these
unless you _really_ know what you are doing :)

Regards,
Nilesh



OpenPGP_signature
Description: OpenPGP digital signature

Re: Update golang-github-appc-cni to 1.0 (was Re: singularity-container: CVE-2021-33622)

[Andreas Tille]

Hi Nilesh,

Am Sat, Feb 19, 2022 at 02:34:16AM +0530 schrieb Nilesh Patra:
> > I disabled the attempt `chown -c root.root` which is not permitted on
> > one hand and not needed on the other hand since the resulting files
> > inside the Debian package are owned by root anyway.
> 
> Yeah, as we discussed in the debian-med video call as well.
> Did you happen to test it a bit?

I checked the permissions in the final package.  I'll also try to do
some sensible stuff tomorrow.  Since I've got a lintian (missing Apache
NOTICE file - easy to fix) error I stumbled upon some unneeded code
copies and wanted to make this a bit more clean.
 
> > > Hope that helped.
> > 
> > It helped a lot!
> > 
> > Seems I got cocky now and realised that there is a new version 3.9.5
> > out.
> 
> It always makes sense to look at the diff before you assume that nothing much
> would've changed.
> Seems they did major changes in what should essentially looks like a patch 
> release :(
> Atleast the commit here[1] shows non-trivial changes
> 
> [1]: 
> https://salsa.debian.org/hpc-team/singularity-container/-/commit/0d8440c61b866c7a8ac30739dcca2bff2b04897b

You mean

parameters:
  go-version:
type: string
default: '1.17.5'
default: '1.17.6'

?
 
> > I did not wanted to upload something that is outdated at the time
> 
> I think it does make sense to first upload what you have at hand and what is 
> building for you.
> It is atleast not worse than what we have currently.
> 
> We can focus on new version after that -- well, atleast we are making 
> progress right.
> 
> If you agree, please finalise 3.9.4; since 3.9.5 throws grpc/protobuf stuff 
> and it is almost never
> straightforward to fix from my past experiences.
> It just puts me off, I admit.

You perfectly convinced me to target at 3.9.4.  I'll try to finish this
tomorrow and delay the switch to 3.9.5.
 
> 
> I do not even see the grpc folder anywhere on salsa now.
> 
> $ find . -name grpc | wc -l
> 0
> 
> So I do not know where this error comes from; or if you have something else 
> locally.

I'll simply revert the version bump ...
 
> But in any case, I am a bit demotivated now to be spending time to fix this.
> Hopefully someone else could chime in.

Lets delay this for later.
 
> > Please note that I've started to review the vendored copies and replaced
> > two of these by the Debian packaged code.  I'm not finished - just
> > wanted to see if I'm breaking something.  IMHO the breakage ist not
> > caused by the removal of the vendored copies but I wanted to stress this
> > point here.
> 
> Leave the grpc/protobuf deps as it was vendored, I would suggest to not mess 
> around with these
> unless you _really_ know what you are doing :)

Yes - thanks a lot for your advise

 Andreas. 




-- 
http://fam-tille.de

Bug#1006012: ITP: golang-github-aws-aws-sdk-go -- AWS SDK for the Go programming language.

[Benedikt Wildenhain]

Package: wnpp
Severity: wishlist
Owner: Benedikt Wildenhain 

* Package name: golang-github-aws-aws-sdk-go
  Version : 1.43.1-1
  Upstream Author : Amazon Web Services
* URL : https://github.com/aws/aws-sdk-go
* License : Apache-2.0
  Programming Lang: Go
  Description : AWS SDK for the Go programming language.

 aws-sdk-go is the official Amazon Web Service SDK for the Go
 programming language.
 .
 The SDK is composed of two main components, SDK core, and service
 clients.
 .
  * aws - SDK core, provides common shared types such as Config, Logger,
and utilities to make working with API parameters easier.
  * service - Clients for AWS services. All services supported by the SDK
are available under this folder.

I'd like to package this as it will be a build requirement for owncast
(ITP Bug 1005989). However, I do not use S3 services myself and it is
not necessary to have an S3 account to use owncast.


signature.asc
Description: PGP signature

extra vendor/ directory

[Benda Xu]

Hi Andreas,

Many thanks for taking care of the 3.9 series!


I am confused of the 'vendor/' directory in tag 'upstream/3.9.5+ds1'.

The upstream release at

  https://github.com/sylabs/singularity/releases/tag/v3.9.5

does not have the directory anymore. Neither does the git repo

  https://github.com/sylabs/singularity


What mechanism are we using to re-vendor things into the +ds tarballs?

Cheers,
Benda

Re: extra vendor/ directory

[Andreas Tille]

Hi Benda,

Am Sat, Feb 19, 2022 at 11:34:22AM +0800 schrieb Benda Xu:
> Many thanks for taking care of the 3.9 series!

You are welcome.  I was somehow forced to do this since I need a
working singularity. ;-)
 
> I am confused of the 'vendor/' directory in tag 'upstream/3.9.5+ds1'.
> 
> The upstream release at
> 
>   https://github.com/sylabs/singularity/releases/tag/v3.9.5
> 
> does not have the directory anymore. Neither does the git repo
> 
>   https://github.com/sylabs/singularity

I was confused as well and you are right that if you point the watch
file at .*/v? you get the plain singularity code.  However the tarball
that is fetched by the watch file is

.*/singularity-  (which I now fixed to .*/singularity-ce)

and this contains the vendor/ directory.
 
> What mechanism are we using to re-vendor things into the +ds tarballs?

I just took over what former Uploaders decided for.  My goal is now to
check what vendored code copies can be removed for the new version. 

Kind regards

 Andreas.

-- 
http://fam-tille.de