On Thu, Jun 9, 2022 at 6:55 PM Stewart Smith via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > Maxwell G via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes: > > Hi everyone, > > > > I have been de-facto maintaining containerd in Fedora as a member of the go- > > sig for a little while now, as the previous maintainer no longer has time to > > do. In addition to the Fedora branches, this package also exists on EPEL 7. > > That branch has not been maintained for a while and has unpatched CVEs. I am > > not interested in maintaining it myself, so unless someone steps up to > > maintain it and fix the vulnerabilities, I will retire the package from EPEL 7 > > in a week from today, on June 15th. > > Specifically on this, I'd love to say that someone at Amazon could help > here, especially considering we're not too distant from CentOS 7 for a > bunch of Amazon Linux 2. Unfortunately I don't think we can given the > likely packaging differences, the containerd version differences, and > that we don't have infinite time and given a choice between EPEL7 work > and jumping into modern Fedora packaging to enhance both Fedora and our > Amazon Linux 2022 efforts, I'd pick the latter. Backporting potent tools to RHEL 7 or CentOS 7 is often awkward. I've run into it fullblast with Samba, and contmeporary releases of awscli and ansible. The obsolete python is a problem, as is Amazon's decision to use python 3.7 instead of python 3.6, making EPEL profounly incompatible with it, and along with Red Hat's decision to package python 3.6 as python3" and Amazon's decision to package python 3.7 as python 3. Been there, done that, have the scar tissue. The default of "python" as "python2.7" on CentOS 7 is now burdensome. > > Additionally, I would appreciate co-maintainers to help with the Fedora > > branches of containerd, its unbundled go dependencies, and moby-engine > > (bundled go package). Long term, I'm not sure I'll have the time or the > > interest to maintain these packages. Note that on EPEL 7, containerd bundles > > its dependencies; moby-engine is not packaged there. > > This is 100% somewhere that Amazon Linux can step in and help with. We > have a continued interest in the containerd ecosystem working in Fedora > like distros (namely Amazon Linux), and the bundled/not-bundled split > existing in some working bconds is certainly in our interest (we're > likely to continue to bundle dependencies for the forseeable future). I have repeatedly sent Amazon pointers to my tools for bundling awscli for python 3, helped with an Amazon Linux 2 port of Samba a few years ago, and *gave* them the tools to build a contemporary version of mock on Amazon Linux 2. The silence was deafening. I'm afraid I was told not to distract our sales engineer with these sorts of concerns, and never actually got to the engineers who could or should to the actual work. I found it disappointing. > I'm going to go chat to some of the people internally who'd be doing the > bulk of the work I'm just signing them up for, but would love to sync up > on what our respective pain points are at some point soon. If it's for server rather than local tools, you may simply wish to discard RHEL 7 support of Fedora published tools. The dependency chain can get quite painful. I was informed on the ansible bug list, for example, that such packaging integration is not the developers' task. It's the operating system distributor's problem. ansible.com was a spinoff of Red Hat, and since Red Hat later purchased the company, it seems much like calling the support line and getting steered back to the same person you reached on your first, second, and third call. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
