There doesn't seem to be a way to use the latest docker images (without the "v1" tag) #95

Closed
evverx opened this issue Apr 22, 2022 · 4 comments

Comments

evverx (Contributor) commented Apr 22, 2022

As mentioned in google/oss-fuzz#7206 (comment) I'm planning to unpin CFLite but looking at the action it appears for some reason it uses tags to download the docker images:

```
$ git grep v1 actions/
actions/build_fuzzers/action.yml:  image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-build-fuzzers:v1'
actions/run_fuzzers/action.yml:  image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-run-fuzzers:v1'
```

Those tags are bogus in the sense that they keep rolling forward so I wonder if it's possible to remove them to make it clear that they always point to the latest images.

The idea is to always use the "main" branch and the latest images (by analogy with CIFuzz) and avoid getting bogus Dependabot updates when/if google/oss-fuzz#7212 is implemented.
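As an added example (not code from the clusterfuzzlite project or from anyone in this thread), a small Python audit that finds `docker://` image references in action.yml files and reports whether each one is pinned to an immutable `@sha256` digest, points at a mutable tag such as `v1`, or floats on `latest`. The action.yml content below is constructed around the two lines quoted above; the file layout is assumed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: only the image line comes from the issue, the rest is assumed.
SAMPLE_ACTION_YML = """\
name: 'build fuzzers'
runs:
  using: 'docker'
  image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-build-fuzzers:v1'
"""

IMAGE_RE = re.compile(r"""^\s*image:\s*['"]?docker://([^'"\s]+)['"]?\s*$""", re.M)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


class ImageRef(NamedTuple):
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split repo[:tag][@digest]; a ':' before the last '/' is a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, sep, tag = ref.rpartition(":")
    if sep and "/" not in tag:
        return ImageRef(name, tag, digest)
    return ImageRef(ref, None, digest)


def classify(ref: str) -> str:
    r = parse_image_ref(ref)
    if r.digest is not None:
        # Only a well-formed sha256 digest is content-addressed and immutable.
        return "pinned" if DIGEST_RE.match(r.digest) else "malformed-digest"
    if r.tag is None or r.tag == "latest":
        return "floating"  # implicit or explicit 'latest'
    return "mutable-tag"  # e.g. v1: the registry can re-point it at any time


def audit(yml_text: str):
    """Return (image reference, classification) for every docker:// image line."""
    return [(m.group(1), classify(m.group(1))) for m in IMAGE_RE.finditer(yml_text)]


if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_ACTION_YML):
        print(f"{verdict:14} {ref}")
```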

evverx (Contributor, Author) commented Apr 22, 2022

On a somewhat related note, once I unpin CFLite the "security posture" of systemd is going to get even worse. It would be great if OSS-Fuzz/CIFuzz/CFLite can somehow affect the scorecard fuzzing check (which is totally bogus at this point: ossf/scorecard#1816 (comment)).

evverx added a commit to evverx/clusterfuzzlite that referenced this issue Apr 22, 2022
CFLite can't be pinned properly so to unpin it it should be
possible to always use the latest images.

This reverts google#2

Closes google#95
evverx closed this as completed Apr 26, 2022

jonathanmetzman (Collaborator) commented
> As mentioned in google/oss-fuzz#7206 (comment) I'm planning to unpin CFLite but looking at the action it appears for some reason it uses tags to download the docker images:
>
> $ git grep v1 actions/
> actions/build_fuzzers/action.yml:  image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-build-fuzzers:v1'
> actions/run_fuzzers/action.yml:  image: 'docker://gcr.io/oss-fuzz-base/clusterfuzzlite-run-fuzzers:v1'

The tags aren't exactly bogus. We're doing this in case we make breaking changes to the API in v2.

jonathanmetzman (Collaborator) commented

> On a somewhat related note, once I unpin CFLite the "security posture" of systemd is going to get even worse. It would be great if OSS-Fuzz/CIFuzz/CFLite can somehow affect the scorecard fuzzing check (which is totally bogus at this point: ossf/scorecard#1816 (comment)).

I'm not happy about this situation either and I've complained to scorecards but it doesn't seem like they will budge. I agree; I think pinning provides little security benefit, fuzzing (for C++) provides a big security benefit, so using CFLite without pinning makes a project more secure not less, and that scorecards is wrong.

evverx (Contributor, Author) commented Apr 26, 2022

> The tags aren't exactly bogus. We're doing this in case we make breaking changes to the API in v2.

Agreed. After a lengthy discussion in #96 I switched to the tags. For that to fully work https://github.com/google/clusterfuzzlite/releases/tag/v1 would have to be bumped automatically though. (@oliverchang bumped it yesterday manually)

> using CFLite without pinning makes a project more secure not less and that scorecards is wrong

I have to admit I'm not even sure what scorecard is trying to accomplish anymore with all those checks and a few new ones. I decided to just ignore it altogether.
