Add a flag to optionally build without containerd dependency #6160
Comments
Thanks for raising this, and thanks for drafting a PR. I can understand that false positive CVEs for functionality you don't even use are annoying. As per "good enough", I think what you propose is good enough; the ideal solution would be to get rid of the dependency without introducing a build flag. We could check if it is really, really needed, or if we could make do with ORAS v2 alone. (cc @carabasdaniel: Any ideas?) The problem with the build flag is that it won't have an effect on
I agree on the "good enough" part. What's our path forward here? Should I wait for @carabasdaniel's answer? Would anyone help me get the PR in "green tick" shape?
@ashutosh-narkar is back on Monday. Let's see what he thinks; the PR looks almost good to go -- see my comment on it. Thanks again for working on this!
Fixed in #6159.
What is the underlying problem you're trying to solve?
Containerd frequently shows up on our security scans due to CVEs - https://osv.dev/list?page=2&q=containerd. In our case we don't use OCI download, so it would be great if OPA could introduce a flag to build without containerd.
Describe the ideal solution
I can run
to build without containerd. And running
shows no containerd included.
Describe a "Good Enough" solution
Containerd is either included as a dependency or not; I don't think there is a "good enough" solution.
Additional Context
Due to the frequency of CVEs reported in containerd, the maintenance cost is higher. We would love to minimise that. I have created a draft PR to show how it could be implemented.