Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys #154

Open: wants to merge 1 commit into base: master

Conversation

vkamlesh

No description provided.

@vkamlesh changed the title from "Upgrade pkg github.com/moby/sys/user and golang.org/x/sys version" to "Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys" on Dec 19, 2024
@tianon
Owner

tianon commented Dec 19, 2024

See https://github.com/tianon/gosu/blob/master/SECURITY.md#version-updates

(I don't believe there have been any actual functional updates to the code we use that warrant updating)

@Bezuhlyi

Bezuhlyi commented Jan 28, 2025

@tianon Maybe releasing a version that consists of two parts (functional version + golang version -> gosu-1.17_1.23.4) could help with the concern that if there are no functional changes, you should not release the new version just because of the newer golang used for the build? Similar to how they version Flink images.

I'd deeply appreciate having the option to download the newer version of gosu and put it on top of the Flink image rather than wasting time on requesting and justifying an exception for the dozens of golang vulnerabilities highlighted by the JFrog Xray scanner. It's a common request; after all, let's have some solution.

Guides like this https://internetworking.dev/mitigating-gosu-security-concerns/ are crazy.

//cc @vkamlesh

@m0t1x

m0t1x commented Jan 29, 2025

Maybe, from the functionality point of view, the vulnerabilities detected are not a threat, since the docker build process is a local process and maybe gosu is not using the functionality reported by the scanner. Still, using a Golang release which is almost 3 years old, and because the whole update process is really not a complex task, I think it is worthwhile to do this update. As suggested by @Bezuhlyi, using a Docker-like tag convention app-ver_os-ver, which in your case can be app-ver_go-ver, is a pretty good idea.

@jeremymayhew

Seems like a bad posture to me @tianon. The official Postgres Docker container uses gosu and inherits all the 1.18.2 golang CVEs. Sure, they may be harmless for how gosu is used, but that doesn't mean it isn't an irritant for the less informed. Seems like a dependency refresh every year or two wouldn't be a bad thing. And it will keep you relevant instead of making people want to fork or replace gosu. I could care less about gosu, but I keep inheriting these CVEs. Please consider a refresh patch release or Bezuhlyi/m0t1x's lovely recommendation. And man, an easy button is just teed up for you right here.

@harshitsidhwa

@tianon when can we merge this PR and have a newer release?
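As an added example, not code from the gosu project or from anyone in this thread: the scanner findings discussed above come from the Go toolchain and module versions recorded inside the gosu binary, which `go version -m <binary>` prints. The POSIX shell functions below parse that output format, report the toolchain version and the recorded versions of github.com/moby/sys/user and golang.org/x/sys, and flag a toolchain older than a chosen minimum, so an image maintainer can verify what a given gosu build actually contains before filing or waiving a scanner exception. The sample build info is constructed: its Go version mirrors the 1.18.2 build mentioned in the thread, while the module versions and h1: sums are placeholders, not values from any real binary.

```shell
#!/bin/sh
# Added example, not code from the gosu project: inspect the Go toolchain and
# module versions recorded in a Go binary, as printed by `go version -m`.

# Constructed sample of `go version -m` output for an old gosu build. The Go
# version matches the 1.18.2 build discussed in the thread; the module versions
# and the h1: sums are placeholders, not values from any real binary.
sample_buildinfo() {
    printf '%s\n' '/usr/local/bin/gosu: go1.18.2'
    printf '\tpath\tgithub.com/tianon/gosu\n'
    printf '\tmod\tgithub.com/tianon/gosu\t(devel)\n'
    printf '\tdep\tgithub.com/moby/sys/user\tv0.0.0-constructed\th1:PLACEHOLDER=\n'
    printf '\tdep\tgolang.org/x/sys\tv0.0.0-constructed\th1:PLACEHOLDER=\n'
    printf '\tbuild\t-buildmode=exe\n'
}

# Read `go version -m` text on stdin; print the toolchain version without the
# "go" prefix (e.g. "1.18.2"), taken from the first line.
go_toolchain_version() {
    awk 'NR == 1 { sub(/^go/, "", $NF); print $NF; exit }'
}

# Read `go version -m` text on stdin; print the version of module $1, or nothing
# if the binary does not record that dependency.
dep_version() {
    awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Return 0 when dotted version $1 is strictly older than $2 (numeric, per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Read `go version -m` text on stdin; return 1 if the toolchain is older than $1.
check_toolchain() {
    actual=$(go_toolchain_version)
    if version_lt "$actual" "$1"; then
        echo "toolchain go$actual is older than the required go$1" >&2
        return 1
    fi
    echo "toolchain go$actual satisfies the required go$1"
}

# Usage against a real binary:       go version -m /usr/local/bin/gosu | check_toolchain 1.23.4
# Usage against the constructed data: sample_buildinfo | check_toolchain 1.23.4
# Module versions:                    go version -m /usr/local/bin/gosu | dep_version golang.org/x/sys
```

Run against the constructed sample, `check_toolchain 1.23.4` reports the 1.18.2 toolchain as too old and returns 1; against a binary rebuilt with Go 1.23.4 it returns 0. Because the checks read only the build info the binary itself carries, the same functions work on a gosu copied out of a downstream image such as the Postgres one mentioned above, without any access to the build environment.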

6 participants