Bug 2091532

Summary: Drop golang-github-BurntSushi-toml and golang-gopkg-yaml
Product: Red Hat OpenStack
Reporter: Miguel Garcia <mgarciac>
Component: distribution
Assignee: Miguel Garcia <mgarciac>
Status: CLOSED ERRATA
QA Contact: Lon Hohberger <lhh>
Severity: medium
Priority: medium
Version: 17.0 (Wallaby)
CC: jjoyce, jschluet, mburns, mgarciac, shrjoshi
Target Milestone: beta
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: golang-github-urfave-cli-1.20.0-7.el9ost
Doc Type: No Doc Update
Clone Of:
: 2091533
Last Closed: 2022-09-21 12:21:38 UTC
Type: Bug
Bug Blocks: 2091534, 2091533

Description Miguel Garcia 2022-05-30 08:54:56 UTC
golang-github-BurntSushi-toml and golang-gopkg-yaml were originally added as dependencies of golang-github-urfave-cli, which was added as a dependency of golang-github-vbatts-tar-split.

tar-split doesn't use the toml/yaml functionalities from urfave-cli, and those are very easily severable from the latter.

Patching toml/yaml out allows us to remove both packages, reducing our dependencies and our CVE attack surface.

Comment 3 Jon Schlueter 2022-06-30 20:33:50 UTC
verified not in advisory or latest compose

Comment 8 errata-xmlrpc 2022-09-21 12:21:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543