github.com/opencontainers/runc not being updated

[mtrmac]

Currently go.mod contains

replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1-0.20220617142545-8b9452f75cbc

This is from the main branch, while releases come from a divergent release-1.1 branch.

And the commit reference in replace hasn’t changed since 2022-06-13 .

I think that’s risky; compare https://github.com/containers/podman/pull/18110 fixing security vulnerabilities (luckily, AFAICS, not impacting the Podman codebase right now, but that can change by using one more subpackage, without us noticing.)

I think either we should revert back to using released versions (maybe that’s possible after https://github.com/containers/podman/pull/19101 ?), or Podman needs some process to keep updating the runc replace directive to keep up with upstream fixes. I don’t know nearly enough about runc to suggest which one is preferable.

[mheon]

The commit that added the replace was https://github.com/containers/podman/commit/2792e598c7ce1198ec8464a3119504123ae8397c which, AFAIK, did so to expose functionality that had not yet landed in a release (cgroups package changes). I think we should be safe to remove the override given this. If things continue to build afterwards, all should be well.

[rhatdan]

I agree, remove this if possible.

[giuseppe]

it builds fine, opened a PR: https://github.com/containers/podman/pull/19817

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.