Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use of a third party library maintained by a Sanctioned Entity #117553

Closed
RichardoC opened this issue Apr 24, 2023 · 11 comments
Closed

Use of a third party library maintained by a Sanctioned Entity #117553

RichardoC opened this issue Apr 24, 2023 · 11 comments
Labels
area/code-organization Issues or PRs related to kubernetes code organization kind/support Categorizes issue or PR as a support question. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture.

Comments

@RichardoC
Copy link

What happened?

The easyjson library is maintained by Mail.ru. This is owned by VK, which is owned by Gazprom Media, and thus is subject to EU and USA Sanctions

This is a dependancy via https://github.com/go-openapi/swag which is used by the client-go library.

I suspect Kubernetes want to either fork easyjson, or migrate to a library that isn't maintained by a sanctioned entity.

I did attempt to report this via the process documented at https://kubernetes.io/security but didn't get a response for weeks.

What did you expect to happen?

Kubernetes to rely on libraries that aren't maintained by entities subject to U.S.A. and E.U. sanctions

How can we reproduce it (as minimally and precisely as possible)?

N/A

Anything else we need to know?

N/A

Kubernetes version

All modern versions, this appears in the go.mod of Kubernetes 1.15+

Cloud provider

N/A

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

@RichardoC RichardoC added the kind/bug Categorizes issue or PR as related to a bug. label Apr 24, 2023
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 24, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Apr 24, 2023
@k8s-ci-robot
Copy link
Contributor

@RichardoC: The label(s) sig/given, sig/client-go, sig/relies, sig/on, sig/this. cannot be applied, because the repository doesn't have them.

In response to this:

/sig api-machinery given client-go relies on this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Apr 24, 2023
@RichardoC
Copy link
Author

/sig api-machinery

Since client-go relies on this.

@dims
Copy link
Member

dims commented Apr 24, 2023

What a tangled web we weave

image

@dims
Copy link
Member

dims commented Apr 24, 2023

Also, @RichardoC please open an issue in https://github.com/cncf/foundation asking CNCF to put together a guidance for $TITLE and then we can follow that guidance in all projects. We should not be doing a one of thing just for k8s.

For example, i have one there cncf/foundation#290

@cici37
Copy link
Contributor

cici37 commented Apr 25, 2023

/sig architecture
/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot added sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. and removed sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 25, 2023
@BenTheElder
Copy link
Member

x-ref: mailru/easyjson#385

@BenTheElder
Copy link
Member

cncf/foundation#550 (comment)

Given CNCF guidance that this is not a problem, I don't think we'll be trying to remove this dependency, we'd have to convince all of the projects through which we transitively depend on this to also switch, which looks non-trivial in this case #117553 (comment)

We pin all dependencies and check the sources into vendor and build from those, reviewing the source code changes on dependency update PRs (more on that in the linked comment above).

If a package is unmaintained and lacking fixes, then we may attempt to remove it for that reason, but we don't appear to have any other known-issues here.

@liggitt liggitt added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels May 10, 2023
@dims
Copy link
Member

dims commented Oct 15, 2023

https://github.com/mailru/easyjson seems to be unmaintained as well ... so more reason to at least track it

@dims
Copy link
Member

dims commented Jan 4, 2024

/close

@k8s-ci-robot
Copy link
Contributor

@dims: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/code-organization Issues or PRs related to kubernetes code organization kind/support Categorizes issue or PR as a support question. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture.
Projects
None yet
Development

No branches or pull requests

6 participants