add openbao package #30167

Open: wants to merge 21 commits into main

Conversation

wojciechka

For new package PRs only

  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

wojciechka (Author) commented Oct 7, 2024

For CVE, will add an advisory at a later date

kranurag7 (Contributor) left a comment

Great work!! Looks like we will also need a compat package for this, linking the binary at /bin/bao and further linking the same at /bin/vault.

wojciechka (Author)

> Great work!! Looks like we will also need a compat package for this, linking the binary at /bin/bao and further linking the same at /bin/vault.

@kranurag7 added - please review the compat package definition

kranurag7 (Contributor)

@wojciechka thanks for the work here.

We'll need the following change:
/bin/bao should link to /usr/bin/bao and /bin/vault should link to /bin/bao
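A small shell check, added here as an example and not part of the PR or the wolfi-dev repository, that stages the two links described above into a hypothetical package staging root and then walks the chain hop by hop to confirm it ends at a real file rather than dangling or looping. It assumes the actual binary is installed at usr/bin/bao under that root.

```shell
#!/bin/sh
# Added example, not code from the PR or the wolfi-dev/os repository.
# ROOT is a hypothetical package staging directory; the real binary is
# assumed to live at usr/bin/bao under it.
set -eu

# Stage the two compat links exactly as requested in the review:
#   /bin/bao   -> /usr/bin/bao
#   /bin/vault -> /bin/bao
stage_compat_links() {
    root=$1
    mkdir -p "$root/bin"
    ln -sf /usr/bin/bao "$root/bin/bao"
    ln -sf /bin/bao "$root/bin/vault"
}

# Resolve an absolute path inside $root by following symlinks one hop at
# a time, never leaving the staging root. Prints the final path (as it
# would appear on the installed system) and returns 1 if the chain
# dangles (ends at a missing file) or loops (exceeds the hop limit).
resolve_in_root() {
    root=$1; path=$2; hops=0
    while [ -L "$root$path" ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                      # absolute link target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's dir
        esac
        hops=$((hops + 1))
        [ "$hops" -lt 16 ] || { echo "loop: $2" >&2; return 1; }
    done
    [ -e "$root$path" ] || { echo "dangling: $2 -> $path" >&2; return 1; }
    printf '%s\n' "$path"
}

# Both entry points must resolve, and must end at the same real binary.
check_compat_links() {
    root=$1
    vault=$(resolve_in_root "$root" /bin/vault) || return 1
    bao=$(resolve_in_root "$root" /bin/bao) || return 1
    [ "$vault" = "$bao" ]
}
```

Run `check_compat_links` against the staging directory before the package is assembled; it fails while usr/bin/bao is absent, which is exactly the case a compat subpackage built without its runtime dependency would hit.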

powersj (Contributor) commented Oct 7, 2024

@cipherboy FYI :)

cipherboy

@wojciechka @powersj Thank you both for getting this started!

>   • This PR links to the upstream project's support policy (e.g. endoflife.date)

As an FYI, this will be discussed on this Thursday's OpenBao TSC call. I suspect that since the community is smaller without many commercial backers, we'll likely stick to an only-latest support policy.

But once that decision is made we'll publish something officially. I think openbao/openbao#426 tracks this on our side.

wojciechka (Author)

> We'll need the following change:
> /bin/bao should link to /usr/bin/bao and /bin/vault should link to /bin/bao

@kranurag7 done, PTAL

kranurag7 (Contributor) left a comment

thanks for the work again, the symlink looks good now.

kranurag7 (Contributor) left a comment

We can consider using the go/bump pipeline to fix the CVEs in here?

  - uses: go/bump
    with:
      deps: github.com/anchore/archiver/[email protected]
      replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/[email protected]

wojciechka (Author)

> We can consider using the go/bump pipeline to fix the CVEs in here?
>
>   - uses: go/bump
>     with:
>       deps: github.com/anchore/archiver/[email protected]
>       replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/[email protected]

No, I would not do that. That is a fork; the project is aware of the issue (I emailed the openbao-security list yesterday). It is also confirmed that it is a false positive in our case: it is used by the debug subcommand and the package only writes archives, while the CVE talks about user-injected archives.

I believe it's better to add an advisory for this and mark it as a false positive.

ajayk previously approved these changes Oct 8, 2024
kranurag7 previously approved these changes Oct 8, 2024
ajayk enabled auto-merge (squash) October 8, 2024 17:02
wojciechka dismissed stale reviews from kranurag7 and ajayk via 38aa5a4 October 9, 2024 07:32
EyeCantCU previously approved these changes Oct 9, 2024