add openbao package #30167
Conversation
Signed-off-by: Wojciech Kocjan <[email protected]>
Signed-off-by: Wojciech Kocjan <[email protected]>
For CVE, will add an advisory at a later date
Great work!! Looks like we will also need a compat package for this, linking the binary at /bin/bao and a further linking of the same at /bin/vault.
@kranurag7 added - please review the compat package definition
@wojciechka thanks for the work here. We'll need the following change:
@cipherboy FYI :)
@wojciechka @powersj Thank you both for getting this started!
As an FYI, this will be discussed on this Thursday's OpenBao TSC call. I suspect since the community is smaller without many commercial backers, we'll likely stick to an only-latest support policy. But once that decision is made we'll publish something officially. I think openbao/openbao#426 tracks this on our side.
@kranurag7 done, PTAL
thanks for the work again, the symlink looks good now.
We can consider using the go/bump pipeline to fix the CVEs in here?

```yaml
- uses: go/bump
  with:
    deps: github.com/anchore/archiver/[email protected]
    replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/[email protected]
```
No, I would not do that. That is a fork, the project is aware of the issue (I emailed openbao-security list yesterday). It is also confirmed that it is a false positive in our case - it is used by debug subcommand and the package is only writing archives, the CVE talks about user-injected archives. I believe it's better to add an advisory for this and mark it as false positive.
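One way to triage a scanner hit like this before choosing between a go/bump replace and an advisory, as an added example (not code from this PR or from OpenBao): parse the output of `go version -m <binary>` and see which module is actually linked once `replace` directives are applied. The module paths come from the thread above; the versions, hashes and Go version in the sample are constructed placeholders.

```python
# Constructed sample of `go version -m <binary>` output for a build that still
# links the flagged module. Versions and h1: hashes are placeholders, not taken
# from the PR; `go version -m` separates fields with tabs.
SAMPLE_UNPATCHED = """\
bao: go1.22.0
\tpath\tgithub.com/openbao/openbao
\tmod\tgithub.com/openbao/openbao\t(devel)
\tdep\tgithub.com/mholt/archiver/v3\tv3.5.1\th1:CONSTRUCTEDHASHAAAA=
\tdep\tgithub.com/hashicorp/go-hclog\tv1.6.3\th1:CONSTRUCTEDHASHBBBB=
\tbuild\t-buildmode=exe
"""

# Same binary after a go.mod replace of the kind the go/bump step above would add:
# the original dep line loses its hash and a `=>` line names the replacement.
SAMPLE_REPLACED = SAMPLE_UNPATCHED.replace(
    "\tdep\tgithub.com/mholt/archiver/v3\tv3.5.1\th1:CONSTRUCTEDHASHAAAA=\n",
    "\tdep\tgithub.com/mholt/archiver/v3\tv3.5.1\n"
    "\t=>\tgithub.com/anchore/archiver/v3\tv3.5.2\th1:CONSTRUCTEDHASHCCCC=\n",
)


def effective_modules(go_version_m: str) -> dict[str, tuple[str, str]]:
    """Map each required module path to (effective path, effective version).

    A `=>` line directly after a `dep` line records a replace; the replacement
    is what was compiled in, so that is what a CVE match should be judged on.
    """
    mods: dict[str, tuple[str, str]] = {}
    last_dep = None
    for line in go_version_m.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:          # header, path and build lines have fewer fields
            continue
        kind, path, version = fields[1], fields[2], fields[3]
        if kind == "dep":
            mods[path] = (path, version)
            last_dep = path
        elif kind == "=>" and last_dep is not None:
            mods[last_dep] = (path, version)
    return mods


def links_module(go_version_m: str, module: str) -> bool:
    """True if `module` is what actually ends up in the binary, after replaces."""
    return any(eff == module for eff, _ in effective_modules(go_version_m).values())
```

Presence after replaces only answers the first question; whether the vulnerable code path is reachable, as argued in the comment above, still needs a look at how the module is used.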