Use of a third party library maintained by a Sanctioned Entity #117553
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@RichardoC: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig api-machinery Since client-go relies on this.
Also, @RichardoC please open an issue in https://github.com/cncf/foundation asking CNCF to put together guidance for $TITLE and then we can follow that guidance in all projects. We should not be doing a one-off thing just for k8s. For example, I have one there: cncf/foundation#290
/sig architecture
x-ref: mailru/easyjson#385
Given CNCF guidance that this is not a problem, I don't think we'll be trying to remove this dependency; we'd have to convince all of the projects through which we transitively depend on this to also switch, which looks non-trivial in this case #117553 (comment). We pin all dependencies and check the sources into vendor and build from those, reviewing the source code changes on dependency update PRs (more on that in the linked comment above). If a package is unmaintained and lacking fixes, then we may attempt to remove it for that reason, but we don't appear to have any other known issues here.
https://github.com/mailru/easyjson seems to be unmaintained as well ... so more reason to at least track it
/close
@dims: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What happened?
The easyjson library is maintained by Mail.ru. This is owned by VK, which is owned by Gazprom Media, and thus is subject to EU and USA sanctions.
This is a dependency via https://github.com/go-openapi/swag which is used by the client-go library.
I suspect Kubernetes want to either fork easyjson, or migrate to a library that isn't maintained by a sanctioned entity.
I did attempt to report this via the process documented at https://kubernetes.io/security but didn't get a response for weeks.
What did you expect to happen?
Kubernetes to rely on libraries that aren't maintained by entities subject to U.S.A. and E.U. sanctions
How can we reproduce it (as minimally and precisely as possible)?
N/A
Anything else we need to know?
N/A
Kubernetes version
All modern versions; this appears in the go.mod of Kubernetes 1.15+
Cloud provider
N/A
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)