Latest upstream release: 2.3
Current version/release in rawhide: 2.2.1-3.fc27
URL: http://singularity.lbl.gov/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/

Latest upstream release: 2.3.1
Current version/release in rawhide: 2.2.1-3.fc27
URL: http://singularity.lbl.gov/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/
Release 2.3.1 contains a major security fix. It is very important for the EU and international projects that use singularity to get this release on board ASAP.
Hi Abdulrahman,

To the best of my knowledge, 2.3.1 contains major security fixes for issues introduced by 2.3.0. I'm not aware of any known security issues with 2.2.1 (the current releases).

That said, 2.3.x contains useful new features and I'd like to see this in rawhide and/or EPEL7.

I've emailed the maintainers a few times to ask if I could get commit access to help maintain this package, but I've not gotten any responses.

Brian
Latest upstream release: 2.3.2
Current version/release in rawhide: 2.2.1-5.fc27
URL: http://singularity.lbl.gov/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/
We can start the non-responsive maintainer process I think: https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
(In reply to Dave Love from https://bugzilla.redhat.com/show_bug.cgi?id=1496495#c3 )
> I don't think it should just be pushed out as-is, and I haven't had a chance
> to go through the current version for at least the issues I found previously.

What are the issues you are concerned about?

The split into singularity and singularity-runtime packages was not yet done in the upstream singularity 2.3.x, but I submitted a pull request that has been merged, so it will be in singularity-2.4. Meanwhile the Open Science Grid re-did the split for 2.3.1 and 2.3.2. The source rpm for OSG singularity-2.3.2 is at http://repo.grid.iu.edu/osg/3.4/el6/testing/source/SRPMS/singularity-2.3.2-0.1.1.osg34.el6.src.rpm and is scheduled to be released October 10.

> Why is a new version so important? I'd assume it would be mostly relevant
> for EPEL, not Fedora, and it probably wouldn't satisfy the EPEL update
> policy.

The importance of this new version is discussed above in this ticket. In what way would it not satisfy the EPEL update policy?
(In reply to Brian Bockelman from comment #3)
> Hi Abdulrahman,
>
> To the best of my knowledge, 2.3.1 contains major security fixes for issues
> introduced by 2.3.0. I'm not aware of any known security issues with 2.2.1
> (the current releases).
>
> That said, 2.3.x contains useful new features and I'd like to see this in
> rawhide and/or EPEL7.
>
> I've emailed the maintainers a few times to ask if I could get commit access
> to help maintain this package, but I've not gotten any responses.
>
> Brian

Hi Brian,

I've been in contact with the author and he claims that 'you' are not responsive to his messages. Anyways, I really fail to see the logic behind you insisting on keeping an old version of the package while acknowledging that the new versions contain useful new features. Why not make life easy for people? If you want to help fix bugs and make the package better, why does the maintainer "have" to give you commit rights? You can always submit pull requests.

As the leader of the containers work package in PRACE (http://www.prace-ri.eu/), I say: Yes! Keeping singularity up to date is important for HPC in Europe.

Abdulrahman
Hi Abdulrahman,

Are you perhaps mixing up the packaging process with the upstream contribution process? There is no such thing as pull requests in the Fedora packaging workflow; pull requests are part of the GitHub workflow. For contributing to Singularity itself, I can indeed submit features via pull requests. However, in the Fedora / EPEL packaging guidelines, I can't offer much more than an informed opinion. Steve Traylen, Brian Van Klaveren from SLAC, and I have offered to contribute as maintainers, which would allow us to help push out Fedora updates.

I also would like an updated version of Singularity. My prior comment was that the new version requested allows access to new capabilities and bugfixes; it does not contain security fixes for the release currently shipped by Fedora / EPEL. It's a very important distinction, but doesn't indicate that I favor sticking with 2.3.x.

Anyhow, the policy Dave Love is referring to is here:

https://fedoraproject.org/wiki/EPEL_incompatible_upgrades_policy

At least within the OSG support, we have slightly different workarounds for bugs in 2.2.x versus 2.3.x, but I haven't hit any compatibility problems with the core workflows in singularity 2.2.x.

The EPEL updates page says that major changes to the user experience are to be avoided but I'd argue:
a) The workflows existing in 2.2.x are relatively unchanged in 2.3.x (I'm sure one can find exceptions, of course...).
b) Given the majority of the user community is not on 2.2.x -- and upstream Singularity project hasn't done further releases of 2.2.x, then an update is unavoidable.

Even though the update policy gives security updates as examples of why one might make a big version jump within EPEL, it doesn't say that's the only reason.

Now, in the other ticket, Dave Love does point out that there are a number of patches (19) currently applied to the Fedora build which are not currently in upstream releases. It is real work to determine which are still relevant, which need to be upstreamed, and which can be simply dropped. It seems that there was a prior issue with licensing of the Fedora patches (which explicitly list a different license than upstream's); it seems that upstream has changed their default license to plain BSD without the additional NOTICE statement. Hopefully that will clear up one roadblock.

Brian
It appears that the package maintainer did not follow Fedora packaging patch guidelines https://fedoraproject.org/wiki/Packaging:Guidelines#Patch_Guidelines because the 19 patches http://pkgs.fedoraproject.org/cgit/rpms/singularity.git/tree/ do not refer to upstream bug reports. I also sent an email to the maintainer pointing him to this ticket in case he was not getting notifications. Perhaps it was premature to stop the non-responsive maintainer process. Dave
(In reply to Dave Dykstra from comment #6)
> (In reply to Dave Love from
> https://bugzilla.redhat.com/show_bug.cgi?id=1496495#c3
> )
> > I don't think it should just be pushed out as-is, and I haven't had a chance
> > to go through the current version for at least the issues I found previously.
>
> What are the issues you are concerned about?

Security, primarily, like bad use of /tmp and failure to check return values in a setuid program.

> The importance of this new version is discussed above in this ticket. In
> what way would it not satisfy the EPEL update policy?

Well, does it, or doesn't it fix a security issue in the current packages?
(In reply to Abdulrahman Azab from comment #7)
> As the leader of the containers work package in PRACE
> (http://www.prace-ri.eu/), I say: Yes! keeping singularity up to date is
> important for HPC in Europe.
>
> Abdulrahman

If you want to use packages which are more up-to-date than EPEL, you can use a copr repository, or similar. (This package started in one, with a lot of HPC-related ones.)
(In reply to Brian Bockelman from comment #8)
> I also would like an updated version of Singularity. My prior comment was
> that the new version requested allow access to new capabilities and
> bugfixes; it does not contain security fixes for the release currently
> shipped by Fedora / EPEL. It's a very important distinction, but doesn't
> indicate that I favor sticking with 2.3.x.
>
> Anyhow, the policy Dave Love is referring to is here:
>
> https://fedoraproject.org/wiki/EPEL_incompatible_upgrades_policy
>
> At least within the OSG support, we have slightly different workarounds for
> bugs in 2.2.x versus 2.3.x, but I haven't hit any compatibility problems
> with the core workflows in singularity 2.2.x.

OK, but since the previous update broke containers I had, and it seems quite unstable, it seemed to need care.

> The EPEL updates page says that major changes to the user experience are to
> be avoided but I'd argue:
> a) The workflows existing in 2.2.x are relatively unchanged in 2.3.x (I'm
> sure one can find exceptions, of course...).
> b) Given the majority of the user community is not on 2.2.x -- and upstream
> Singularity project hasn't done further releases of 2.2.x, then an update is
> unavoidable.

[EPEL doesn't necessarily reflect what people are using widely. In some cases it can't, because the necessary dependencies aren't there or allowed.]

> Even though the update policy gives security updates as examples of why one
> might make a big version jump within EPEL, it doesn't say that's the only
> reason.
>
> Now, in the other ticket, Dave Love does point out that there are a number
> of patches (19) currently applied to the Fedora build which are not
> currently in upstream releases. It is real work to determine which are
> still relevant, which need to be upstreamed, and which can be simply
> dropped. It seems that there was a prior issue with licensing of the Fedora
> patches (which explicitly list a different license than upstream's); it
> seems that upstream has changed their default license to plain BSD without
> the additional NOTICE statement. Hopefully that will clear up one roadblock.
>
> Brian

The problem wasn't the licence, it was Berkeley people insisting that contributing BSD-licensed code lost your (or your employer's) copyright. I advertised a repo with changes under BSD, and it seems some of that has now been taken, but without change logs to say so. (I've merged the majority of the changes I'd made, but haven't done enough auditing of the result yet, and that now seems to have been superseded.)

I'm not averse to updates, or assistance, but I don't want to blithely add potential security issues, in particular. As I was assured that a classic strncpy bug in a setuid program was correct, caution is in order.
I'm not quite sure I'm parsing your comment right about BSD licensing. I don't know the full history of that discussion - but I'd certainly agree with your statement that the *license* (BSD) in this case is distinct from *copyright* (yours / your employer's, for your code). Anyone is welcome to have a differing opinion, but opinions and legal matters are distinct... Regardless, it seems a bit of a distraction. The upstream weirdness in the LICENSE file is there no more and I don't recall signing any CCA. With respect to bugs / patches -- I think the best way forward is to follow the patch guidelines and make sure we can provide a mapping between patches and an open bug in the upstream tracker. That will help ease migrations to future versions, provide transparency about where the patches came from, and hopefully make future upstream releases better. I didn't look through all 19, so I didn't get to the strncpy bug you reference - but I do agree that the /tmp handling is incorrect. How would you like to divvy up the patch review work in order to work toward a new release?
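The two defect classes raised in the exchange above, an unterminated strncpy and careless /tmp handling with unchecked return values in a setuid program, are common enough to be worth seeing side by side with their hardened forms. The following is an added example written for this page; it is not Singularity's code or any of the 19 Fedora patches, and the buffer size, path prefix and function names are hypothetical.

```c
/* Added example, not Singularity's code: the defect classes named in this
 * ticket (unterminated strncpy; predictable /tmp path with an ignored mkdir
 * result), each beside a hardened form. Names and sizes are hypothetical. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define NAME_MAX_LEN 8   /* deliberately small so the pitfall is easy to hit */

/* strncpy(3) writes no terminating NUL when src has at least dstsz bytes, so
 * later string handling reads past dst. Returns 1 if dst is NUL-terminated. */
int copy_unsafe(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Hardened form: reject input that does not fit and always terminate.
 * Returns 1 on success, 0 if src was rejected. */
int copy_safe(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz) return 0;
    memcpy(dst, src, len + 1);   /* copies the NUL as well */
    return 1;
}

int unsafe_copy_terminated(const char *src) {
    char buf[NAME_MAX_LEN];
    return copy_unsafe(buf, sizeof buf, src);
}

int safe_copy_accepted(const char *src) {
    char buf[NAME_MAX_LEN];
    return copy_safe(buf, sizeof buf, src);
}

/* Predictable name under /tmp and an ignored mkdir() result: if the name
 * already exists (or something else sits at that path), mkdir fails with
 * EEXIST, yet the function reports success and the caller uses the path. */
int make_workdir_unsafe(char *out, size_t outsz) {
    snprintf(out, outsz, "/tmp/example-work-%ld", (long)getpid());
    mkdir(out, 0700);   /* return value not checked */
    return 0;
}

/* Hardened form: mkdtemp(3) picks an unpredictable name and creates it
 * atomically with mode 0700; every call is checked and the directory is
 * verified to be our own before it is handed back. Honours TMPDIR. */
int make_workdir_safe(char *out, size_t outsz) {
    const char *base = getenv("TMPDIR");
    char tmpl[256];
    struct stat st;
    if (base == NULL || *base == '\0') base = "/tmp";
    int n = snprintf(tmpl, sizeof tmpl, "%s/example-work-XXXXXX", base);
    if (n < 0 || (size_t)n >= sizeof tmpl) return -1;
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return -1;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        (st.st_mode & 0777) != 0700 || st.st_uid != geteuid() ||
        strlen(dir) >= outsz) {
        rmdir(dir);
        return -1;
    }
    memcpy(out, dir, strlen(dir) + 1);
    return 0;
}

/* Calls the unsafe variant twice: the second mkdir() of the same name fails,
 * yet both calls report success. Returns 1 when that is observed. */
int unsafe_hides_mkdir_failure(void) {
    char p1[64], p2[64];
    int rc1 = make_workdir_unsafe(p1, sizeof p1);
    int rc2 = make_workdir_unsafe(p2, sizeof p2);
    rmdir(p1);
    return rc1 == 0 && rc2 == 0 && strcmp(p1, p2) == 0;
}

/* Returns 1 if the hardened variant produced a private 0700 directory. */
int safe_workdir_ok(void) {
    char p[256];
    struct stat st;
    if (make_workdir_safe(p, sizeof p) != 0) return 0;
    int ok = stat(p, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0700;
    rmdir(p);
    return ok;
}

int main(void) {
    printf("strncpy of 8 bytes into char[8] terminated? %d\n", unsafe_copy_terminated("abcdefgh"));
    printf("safe copy accepts 8 bytes into char[8]?     %d\n", safe_copy_accepted("abcdefgh"));
    printf("unsafe workdir hides mkdir failure?         %d\n", unsafe_hides_mkdir_failure());
    printf("safe workdir created privately?             %d\n", safe_workdir_ok());
    return 0;
}
```

The point of the workdir pair is that in a setuid binary the directory name is chosen by the unprivileged caller's environment while the mkdir runs with elevated privileges, so both the unpredictability of the name and the check of every return value matter; a review of patches in this area should look for exactly those two properties.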
Latest upstream release: 2.4
Current version/release in rawhide: 2.2.1-5.fc27
URL: http://singularity.lbl.gov/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/

Latest upstream release: 2.4.5
Current version/release in rawhide: 2.2.1-6.fc28
URL: http://singularityware.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/

Latest upstream release: 2.5.0-rc1
Current version/release in rawhide: 2.2.1-6.fc28
URL: http://singularityware.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/
singularity-2.4.6 is also released, and it includes a high severity security fix for a problem that affects all versions of singularity, including the 2.2.1 still current in EPEL. This has to be addressed ASAP. The problem only affects the overlay feature, so it affects operating systems that support OverlayFS. In 2.2.1 the feature was disabled by default, but if a system administrator enables it, the bug can be exploited to gain elevated privileges.
I've been partly out of commission, and am not going to be able to finish the work I was doing on the code any time soon. I've put bbockelm on it in pagure and will look at handing it over. [I think it was a mistake to put it in Fedora because of instability and programming issues in security-sensitive code. The EPEL rules don't seem to allow the sort of changes it's had.]
singularity-2.5.0 is now released with another 5 high & medium priority security fixes. loveshack, please complete the transfer to bbockelm.
Latest upstream release: 2.5.0
Current version/release in rawhide: 2.2.1-6.fc28
URL: http://singularityware.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/

Latest upstream release: 2.5.1
Current version/release in rawhide: 2.2.1-6.fc28
URL: http://singularityware.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya: https://release-monitoring.org/project/10920/
Hi - Apologies for the delayed comment; it's proposal-writing season locally and I got a bit swamped.

Within Pagure, it appears that I am listed as having "ticket" permission. In order to help push out updated versions of Singularity, I need "commit access". Dave Love, if you're wanting to hand things over, I think you may need to add me to the "admin access" level.

Thanks!
Hi, I wanted to ping this ticket again -- @loveshack, can you please upgrade my permissions in the package database from "ticket" to "admin" (see https://src.fedoraproject.org/rpms/singularity). With that, I can happily handle Dave Dykstra's pull request and finally close out this ticket. Many Thanks, Brian
The PR to upgrade to 2.5.1 has now been merged.
I have now submitted 4 more PRs for the 4 branches: el6 (https://src.fedoraproject.org/rpms/singularity/pull-request/3), epel7 (https://src.fedoraproject.org/rpms/singularity/pull-request/4), f27 (https://src.fedoraproject.org/rpms/singularity/pull-request/5), and f28 (https://src.fedoraproject.org/rpms/singularity/pull-request/6).
singularity-2.5.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e14afdfcb2
singularity-2.5.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-029b32bcf4
singularity-2.5.1-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-02051f8300
singularity-2.5.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-da87b1e643
singularity-2.5.1-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-02051f8300
singularity-2.5.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e14afdfcb2
singularity-2.5.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-029b32bcf4
singularity-2.5.1-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-da87b1e643
singularity-2.5.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
singularity-2.5.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
singularity-2.5.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
singularity-2.5.1-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.