Friday, 2022-01-07

kata-irc-bot<liubin0329> You can check the kernel's config by the methods in this thread https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system 06:46
kata-irc-bot<thomas.garnier> Hi, I have a question about security for dependencies. I have noticed that you package QEMU and other VMM binaries as part of your releases. How do you handle security vulnerabilities in them? I didn't see documentation about that but maybe I missed it. Thank you. 20:03
kata-irc-bot<feng.wang> For example, in January 2021 a use-after-free was reported in the QEMU 9pfs server. Kata Containers uses virtio-fs by default but supports 9pfs for speed. The 9pfs storage system was the default before Kata 2.0 (released in October 2020). In March, QEMU packaged the fix in their 6.0.0-rc0 release. In September, Kata Containers updated the QEMU version from 5.2.0 to 6.1.0 (for Kata 2.3.0-alpha0). The release candidate and stable versions landed in November. Multiple stable versions were released with the vulnerable version. From the public release of the patch to Kata taking the fix, it took 7 months. @eric.ernst @bergwolf @fidencio 20:28
kata-irc-bot<fidencio> So, let me make it clear that I'm speaking as a contributor and not as part of the architecture committee of the project. I'd expect and encourage users to rely on the QEMU they have on their distros. We provide a statically built QEMU that people can use, but that's not even supported by the QEMU developers themselves. Your distro is your safe port when relying on those packages. We can't maintain QEMU ourselves, we sincerely have no capacity to do so. And that's just one of the several supported hypervisors we have. 20:49
kata-irc-bot<fidencio> Thankfully we have QEMU developers also involved here, and good ones by the way (hey @gkurz, hey @dgibson), but ... again, I'd be relying on the QEMU from the distro, as the distro should have enough people to maintain that. 20:50
kata-irc-bot<fidencio> In any case, @thomas.garnier, if you happen to figure out something that should be updated, please open a PR, mark me there, and ping me here. I can guide you through the patch submission process, we can let you know whether this will need to be backported or not, and the help would be very much appreciated. 20:51
kata-irc-bot<fidencio> @thomas.garnier, @feng.wang, does this answer the question? 20:52
kata-irc-bot<thomas.garnier> Ok, I will look at opening one. 21:04
kata-irc-bot<fidencio> As I mentioned, that's my **personal** opinion and, no matter how much I'd like to have that as the official one, I can't speak for the other AC members. 21:04
kata-irc-bot<thomas.garnier> I understand, thanks. 21:04
kata-irc-bot<fidencio> Please CC me there and I will CC the other members of the AC. 21:04
kata-irc-bot<fidencio> Thanks for bringing this up, @thomas.garnier! 21:07
kata-irc-bot<thomas.garnier> No problem. I opened this issue (tagged you in it): https://github.com/kata-containers/kata-containers/issues/3407 21:22
kata-irc-bot<fidencio> Perfect, I will try to get to that on Monday! 21:22
kata-irc-bot<fidencio> Thanks a lot! 21:23
kata-irc-bot<eric.ernst> Before, on the Intel side, there were CVE scans run on all packaged artifacts. Due to licensing issues, among other things, the results of these were never published externally. I think it'd be *very* helpful to have something like this in place, and that we scan each tarball we have on GH. 21:42
kata-irc-bot<eric.ernst> I still agree w/ some of what fidencio is saying, but I think there's certainly more that can be done too. 21:43

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!