Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "lock to go 1.20.7" #860

Merged
merged 1 commit into from
Oct 11, 2024
Merged

Revert "lock to go 1.20.7" #860

merged 1 commit into from
Oct 11, 2024

Conversation

sparrc
Copy link
Contributor

@sparrc sparrc commented Oct 7, 2024

This reverts commit 7ea28b0.

Issue #, if available:

#746

Description of changes:

This commit was originally added to pin the golang build version to 1.20.7 because of an issue in golang related to CGO: golang/go#62130 (comment)

This issue was fixed for most systems, although the issue is still open because it appears to have opened up a separate issue with MUSL-based systems (such as alpine): golang/go#68285

Since the fluent-bit container is on a glibc-based system (Amazon Linux), we should be safe to revert back to building with the latest version of golang.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@sparrc
Revert "lock to go 1.20.7"
082d390 
This reverts commit 7ea28b0.

This commit was originally added to pin the golang build version to
1.20.7 because of an issue in golang related to CGO: golang/go#62130 (comment)

This issue was fixed for most systems, although the issue is still open
because it appears to have opened up a separate issue with MUSL-based
systems (such as alpine): golang/go#68285

Since the fluent-bit container is on a glibc-based system (Amazon
Linux), we should be safe to revert back to building with the latest
version of golang.
@sparrc sparrc requested a review from a team as a code owner October 7, 2024 20:25
swapneils
swapneils approved these changes Oct 7, 2024
View reviewed changes
Copy link
Contributor

@swapneils swapneils left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for also checking the scope of the Golang-side changes.

We can publish this in the upcoming 2.32.3.

@aaithal
Copy link

aaithal commented Oct 7, 2024

thanks! i do have one question though. I see that we're using AL2 as the base image (Switching to AL2023 is topic for another day). Why would we not want to install the golang version that's packaged in AL2 repos vs doing our own "stable" determinations? What's the harm in doing something like RUN yum install -y golang? The advantage is that we don't have to figure out a CVE/patching story for golang ourselves. We have AL maintainers for that.

@sparrc
Copy link
Contributor Author

sparrc commented Oct 11, 2024

thanks! i do have one question though. I see that we're using AL2 as the base image (Switching to AL2023 is topic for another day). Why would we not want to install the golang version that's packaged in AL2 repos vs doing our own "stable" determinations? What's the harm in doing something like RUN yum install -y golang? The advantage is that we don't have to figure out a CVE/patching story for golang ourselves. We have AL maintainers for that.

I think there are two main advantages to building with the latest golang version for now:

  1. We get onto the latest version of golang with all CVE fixes as soon as possible and avoid having to wait on Amazon Linux releasing the latest CVE patches to their yum repos.
  2. We are made aware as soon as possible when the latest golang version might have some change, bug, or incompatibility with our build process.

So far we have been able to rely on the latest golang version being stable and not causing us any major issues so I don't think we currently have any strong reason to hold back on picking up the latest as soon as it's available.

@aaithal
Copy link

aaithal commented Oct 11, 2024

thanks! i do have one question though. I see that we're using AL2 as the base image (Switching to AL2023 is topic for another day). Why would we not want to install the golang version that's packaged in AL2 repos vs doing our own "stable" determinations? What's the harm in doing something like RUN yum install -y golang? The advantage is that we don't have to figure out a CVE/patching story for golang ourselves. We have AL maintainers for that.

I think there are two main advantages to building with the latest golang version for now:

  1. We get onto the latest version of golang with all CVE fixes as soon as possible and avoid having to wait on Amazon Linux releasing the latest CVE patches to their yum repos.
  2. We are made aware as soon as possible when the latest golang version might have some change, bug, or incompatibility with our build process.

So far we have been able to rely on the latest golang version being stable and not causing us any major issues so I don't think we currently have any strong reason to hold back on picking up the latest as soon as it's available.

I don't want to hold off this PR for now. But, I do think we need to revisit this. Supply chain integrity is an important aspect of security and by not relying on AL vended golang binaries, we are vulnerable to mitm attacks or attackers compromising 3rd party repos that we're depending on for our golang binaries.

If we're out of compliance because AL hasn't caught up with CVEs, we have bigger issues at that point anyway because the container image as a whole would not be considered compliant.

But as I said earlier, I don't want to hold off this PR for now. But, we need to revisit how we consume all of our dependencies more holistically.

@sparrc sparrc merged commit e780222 into mainline Oct 11, 2024
@sparrc sparrc deleted the go-upg branch October 11, 2024 16:24
This was referenced Oct 11, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aaithal aaithal aaithal approved these changes

@swapneils swapneils swapneils approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sparrc @aaithal @swapneils