tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0
4.68k stars 312 forks

update Alpine and Golang #102

Closed PascalBourdier closed 2 years ago

PascalBourdier commented 2 years ago

use Go 1.17 and Alpine 3.15

tianon commented 2 years ago

I agree with making these updates, but similar to https://github.com/tianon/gosu/pull/101#issuecomment-1062122614 (see also #98), I want to make sure I'm not merging this with a false expectation -- I do not plan to make a new release with these updates unless there's a more compelling reason to do so than "my security scanner says it's vulnerable" (because the scan result itself is an overzealous scanner -- ultimately the vulnerability is a false positive).

tianon commented 2 years ago

Would you also be willing to update hub/Dockerfile.alpine? 🙏

(I'm happy to take over from here if you'd prefer!)

PascalBourdier commented 2 years ago

> Would you also be willing to update hub/Dockerfile.alpine? 🙏
>
> (I'm happy to take over from here if you'd prefer!)

I fixed it

tianon commented 2 years ago

Thanks!

slakwa commented 2 years ago

@tianon I have a question about this change. Shouldn't the version of gosu also be updated from 1.14 to 1.15 for other tools using this library to be able to get this change?

tianon commented 2 years ago

See https://github.com/tianon/gosu/issues/104 -- I do not plan to rebuild/release a new version of gosu for vulnerability reports that do not actually apply to the released binaries (or the corresponding source code).

This PR was merged because it's generally a good idea to keep up-to-date, and I want to make sure that if/when there is a new release of gosu, it's built on the latest appropriate versions.