Resolve Docker CVEs #815
…ed on alpine 3.15 Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Could you also rebase from master to fix the lint issues?
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Hi, thank you for fixing the issue, it is blocking me as well. Do you plan to merge it soon? I would appreciate it :-)
Sorry for the slow turnaround time!
Hello,
I won't be able to get to this until Monday.
However, I left the checkbox which allows you to make edits enabled, so you're welcome to go ahead if you want to revert my last commit on the branch.
Thanks for addressing my feedback!
Sure, I will make this change during business hours tomorrow, however I'm going to take an opportunity now to express my frustration at the way this has been handled.
This is my first contribution to this project, and I'm disheartened to have to say that it also will most likely be my last. It's incredibly unprofessional to ask me 3 separate times to adjust my pull request to patch a high severity CVE when you could've simply patched this yourself while you were upgrading the project to golang 1.19 and closed my PR without merging it. A simple "I'm sorry, your PR was closed because I've upgraded the project and patched this myself in the process," would have sufficed because the users would be able to trust that the software was again safe. Instead, they have been left vulnerable for over a week, and I'm forced to consider creating an internal private fork of this repo to patch future CVEs because my lead developer can't trust that migrate will accept a simple module update in a timely manner. I'm certain that doing so will only add complexity to our internal projects and place extra maintenance burden on myself and the rest of my small DevOps team, however I don't see much other choice given how long it's taken to get this into upstream.
I can appreciate that you may have been trying to consider my feelings about wanting to contribute by keeping this open and allowing my contribution to continue to be included in the project; however, I'm a security-minded professional and the top priority for me is ensuring that users have access to safe, patched software. That comes over and above any feelings I may have about my contribution being included or receiving credit for it. To be clear, my feelings about my contribution being included are of practically no concern; I just simply wanted this patched ASAP and had hoped to avoid making an internal private fork to do so.
I would be elated at this point, and I think many of your users would agree with me here, if you had patched this, as mentioned above, when you were upgrading the golang version, because I wouldn't be feeling the need to make a fork, and all users would have the ability to be running a patched version of migrate already.
Additionally, as I have mentioned in a previous comment, I've left the checkbox on this pull request enabled to allow maintainers such as yourself to edit it for the very reason that it is time saving for everyone for you to edit my pull request as the maintainer, so I don't understand the logic in continuing to drag this out further by asking me to make the edits myself. It's not that I mind making edits in general; on the contrary, I enjoy the opportunity to be included further. But this is a security risk and the lack of acceptance and release so far places undue burden on everyone who needs to run secure software.
All of that said, as I mentioned, I will push another update during business hours today if you haven't made the edits yourself by then.
To anyone who does read this far, thanks for your time, and I apologize for the length of this post.
… stages in docker image Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
The update is done.
> Sure, I will make this change during business hours tomorrow, however I'm going to take an opportunity now to express my frustration at the way this has been handled.
> This is my first contribution to this project, and I'm disheartened to have to say that it also will most likely be my last.
I'm sorry to hear that you're frustrated. Thanks for your contributions thus far and I hope that you re-consider contributing again in the future!
> It's incredibly unprofessional to ask me 3 separate times to adjust my pull request to patch a high severity CVE when you could've simply patched this yourself while you were upgrading the project to golang 1.19 and closed my PR without merging it. A simple "I'm sorry, your PR was closed because I've upgraded the project and patched this myself in the process," would have sufficed because the users would be able to trust that the software was again safe. Instead, they have been left vulnerable for over a week, and I'm forced to consider creating an internal private fork of this repo to patch future CVEs because my lead developer can't trust that migrate will accept a simple module update in a timely manner. I'm certain that doing so will only add complexity to our internal projects and place extra maintenance burden on myself and the rest of my small DevOps team, however I don't see much other choice given how long it's taken to get this into upstream.
> I can appreciate that you may have been trying to consider my feelings about wanting to contribute by keeping this open and allowing my contribution to continue to be included in the project; however, I'm a security-minded professional and the top priority for me is ensuring that users have access to safe, patched software. That comes over and above any feelings I may have about my contribution being included or receiving credit for it. To be clear, my feelings about my contribution being included are of practically no concern; I just simply wanted this patched ASAP and had hoped to avoid making an internal private fork to do so.
The proposed changes are simple enough for me to do myself but I wanted to give you credit in the commit history and release notes. Since you've given me permission, I'll go ahead and fix any issues and push to your repo/branch to speed things up. Note, not every contributor may feel this way e.g. trade off recognition for release speed.
I could have easily been yelled at or shamed for closing your PR to patch the security vulnerabilities as I cannot know the preferences of a new contributor unless they're stated. As far as I'm aware, the impact of these vulnerabilities is limited since running the migrate docker image is generally used for the CLI use case and not integrated into an application/server so I didn't have a sense of urgency for fixing these issues. I also didn't get a sense of urgency in our correspondence. In the future, please indicate the potential impact and urgency for security issues. I've created a security policy that mentions this so hopefully this will be less of an issue in the future.
If you're ever blocked or have a disagreement we can't resolve, feel free to fork this repo and make any changes you'd like.
Also, keep in mind, I'm volunteering my time for this project and have other obligations, commitments, and deadlines as well. Please understand that I try my best to respond in a timely fashion but may not always be able to do so.
> I would be elated at this point, and I think many of your users would agree with me here, if you had patched this, as mentioned above, when you were upgrading the golang version, because I wouldn't be feeling the need to make a fork, and all users would have the ability to be running a patched version of migrate already.
> Additionally, as I have mentioned in a previous comment, I've left the checkbox on this pull request enabled to allow maintainers such as yourself to edit it for the very reason that it is time saving for everyone for you to edit my pull request as the maintainer, so I don't understand the logic in continuing to drag this out further by asking me to make the edits myself. It's not that I mind making edits in general; on the contrary, I enjoy the opportunity to be included further. But this is a security risk and the lack of acceptance and release so far places undue burden on everyone who needs to run secure software.
> All of that said, as I mentioned, I will push another update during business hours today if you haven't made the edits yourself by then.
> To anyone who does read this far, thanks for your time, and I apologize for the length of this post.
Thank you for your feedback. I've made some incremental improvements (e.g. added a security policy) as a result of your feedback. It'd also be nice to have GitHub issue templates for security disclosures (full and coordinated) but I don't have the bandwidth to create those right now.
@@ -1,6 +1,6 @@ | |||
module github.com/golang-migrate/migrate/v4 | |||
|
|||
go 1.17 |
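Review bot: the go directive in go.mod is the only change visible in this hunk, and the rendering shows the old line `go 1.17` but not its replacement, so the value being introduced cannot be checked from the diff as shown. Whatever the new directive is, it should match the project's minimum supported toolchain (the maintainer states 1.18 is the oldest supported) rather than the newest release: raising the go directive forces every module that depends on migrate onto that toolchain, which is a compatibility change unrelated to the Docker base-image CVE fix this PR is about. If the updated dependencies genuinely need a newer standard library, state that in the PR description so the bump is deliberate rather than incidental.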
Could you revert this change or use go 1.18 since that's the oldest version we support?
Hello, I understand completely. Thank you for your kind feedback and I hope you didn't take my message as hostile, as the intent was simply to engage with you in constructive dialog.
I consider the fact that I didn't clearly communicate the urgency as my own fault and sincerely apologize for that. Thank you also for considering that a security policy is a necessary addition in today's business environment, considering the many varied ways to use software that were not in the original design considerations. To be clear, our use of the tool is in a job container in Kubernetes, so it runs automatically immediately before each release of our application.
Based on your feedback, I will also make changes to how I structure pull requests for *all* projects I contribute to going forward, as I believe you are correct that contributors should clearly communicate the urgency of a given security risk.
I'm happy to continue contributing here based on the information you have communicated, and I look forward to working with you again in the future.
Merged #815 into master (Dale Hui, October 19, 2022).
Fixes #802
Signed-off-by: Thomas Spear tspear@conquestcyber.com