Bug 2091533 - Drop golang-github-BurntSushi-toml and golang-gopkg-yaml
Summary: Drop golang-github-BurntSushi-toml and golang-gopkg-yaml
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: distribution
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z3
: 16.2 (Train on RHEL 8.4)
Assignee: Miguel Garcia
QA Contact: Lon Hohberger
URL:
Whiteboard:
Depends On: 2091532
Blocks: 2091534
TreeView+ depends on / blocked
 
Reported: 2022-05-30 08:56 UTC by Miguel Garcia
Modified: 2022-06-22 16:07 UTC (History)
7 users (show)

Fixed In Version: golang-github-urfave-cli-1.20.0-6.el8ost golang-github-vbatts-tar-split-0.11.1-7.1.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2091532
: 2091534 (view as bug list)
Environment:
Last Closed: 2022-06-22 16:07:20 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-15433 0 None None None 2022-05-30 09:03:57 UTC
Red Hat Product Errata RHBA-2022:4793 0 None None None 2022-06-22 16:07:54 UTC

Description Miguel Garcia 2022-05-30 08:56:57 UTC 
+++ This bug was initially created as a clone of Bug #2091532 +++

golang-github-BurntSushi-toml and golang-gopkg-yaml were originally added as dependencies of golang-github-urfave-cli, which was added as a dependency of golang-github-vbatts-tar-split.

tar-split doesn't use the toml/yaml functionalities from urfave-cli, and those are very easily severable from the latter.

Patching toml/yaml out allows us to remove both packages, reducing our dependencies and our CVE attack surface.
Comment 5 Lon Hohberger 2022-06-06 19:11:32 UTC 
golang-github-urfave-cli-1.20.0-6.el8ost, which drops the dependency on toml & BurntSushi, was used to build golang-github-vbatts-tar-split-0.11.1-7.1.el8ost, which is included in z3.
Comment 9 errata-xmlrpc 2022-06-22 16:07:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.3 (Train)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4793
Note You need to log in before you can comment on or make changes to this bug.