
Consider removing any packages from Noble that are not in Ubuntu's "Main" repository #328

Open
Tracked by #892
cunnie opened this issue Mar 4, 2024 · 6 comments

Comments

@cunnie
Member

cunnie commented Mar 4, 2024

Given that Ubuntu's policy is to only provide "Best effort" updates to packages outside of the "Main" repository we should consider removing as many as possible from the Noble stemcell so that we don't end up with unpatched CVEs late in the stemcell lifecycle[1]. See this article on Ubuntu's ESM for more context.

Currently on Jammy the packages not in the "Main" repository are:

clang
clang-14
dnsutils
grub2
ifupdown
libclang-common-14-dev
libclang-cpp14
libclang1-14
libobjc-11-dev:amd64
libobjc4:amd64
linux-modules-6.5.0-21-generic
linux-modules-extra-6.5.0-21-generic
llvm-14-linker-tools
module-assistant
resolvconf
rng-tools-debian
runit
scsitools
sysuser-helper
traceroute

[1] The traceroute package, in the "Universe" repository, has a reported CVE which is not patched even though Jammy is still within its LTS support window.
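
Added example (not part of this issue or of the stemcell builder's own code): a small shell filter that reads `apt-cache policy` output and prints each installed package whose installed version is served from an Ubuntu component other than `main`, which is the check behind the list above. It keys on the `***` line that marks the installed version and on the first archive line beneath it (`<suite>/<component>`). The `non_main_from_policy` and `sample_policy` names, and the policy text in the sample, are constructed for illustration; version strings are not meant to be authoritative.

```shell
#!/bin/sh
# Added example, not code from the bosh stemcell project. Reads `apt-cache policy`
# output on stdin and prints "<package> <component>" for every installed package
# whose installed version comes from a component other than "main", or
# "<package> (no archive origin)" when the installed version is only recorded in
# /var/lib/dpkg/status (locally built or removed-from-archive packages).
non_main_from_policy() {
  awk '
    function flush() {
      if (pkg != "" && installed) {
        if (comp == "")          print pkg " (no archive origin)"
        else if (comp != "main") print pkg " " comp
      }
      pkg = ""; installed = 0; in_inst = 0; comp = ""
    }
    /^[^ ].*:$/  { flush(); pkg = $1; sub(/:$/, "", pkg); next }   # "pkg:" header line
    /^ \*\*\* /  { installed = 1; in_inst = 1; next }               # installed version
    /^     [^ ]/ { in_inst = 0; next }                              # some other version
    in_inst && comp == "" && $2 ~ /^https?:/ {
      n = split($3, parts, "/"); comp = parts[n]                    # "jammy/universe" -> universe
      next
    }
    END { flush() }
  '
}

# Constructed sample of `apt-cache policy` output: one main package, two universe
# packages, one package that is not installed, and one with no archive origin.
sample_policy() {
  cat <<'EOF'
coreutils:
  Installed: 8.32-4.1ubuntu1
  Candidate: 8.32-4.1ubuntu1
  Version table:
 *** 8.32-4.1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
traceroute:
  Installed: 1:2.1.0-2
  Candidate: 1:2.1.0-2
  Version table:
 *** 1:2.1.0-2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
runit:
  Installed: 2.1.2-54
  Candidate: 2.1.2-54
  Version table:
 *** 2.1.2-54 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status
eject:
  Installed: (none)
  Candidate: 2.37.2-4ubuntu3
  Version table:
     2.37.2-4ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
local-tool:
  Installed: 1.0
  Candidate: 1.0
  Version table:
 *** 1.0 100
        100 /var/lib/dpkg/status
EOF
}

# On a real Ubuntu host (not run here), feed every installed package through it:
#   dpkg-query -W -f='${binary:Package}\n' | xargs apt-cache policy | non_main_from_policy
sample_policy | non_main_from_policy
```

The filter only looks at http(s) archive lines, so packages pulled from a `file://` mirror or a local repo show up as "(no archive origin)" and deserve a manual look; a package served from an ESM pocket still reports its component (`main`), so this check does not by itself tell you whether a machine is getting ESM updates.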

@max-soe

max-soe commented Mar 6, 2024

I like the idea to clean up the stemcell a little bit. If we invest in such a feature, we should maybe also think about removing packages that we don't need for the bosh/cf-deployment universe...
For example:

  • eject (CD-ROM support)
  • ubuntu-advantage-tools (we will not enable Ubuntu Pro in the community stemcells)

@rkoster rkoster added this to the 24.04 wishlist milestone Mar 6, 2024
@ramonskie
Contributor

ifupdown is going to be the biggest change

@beyhan beyhan moved this from Inbox to Pending Review | Discussion in Foundational Infrastructure Working Group Mar 7, 2024
@rkoster
Contributor

rkoster commented Mar 13, 2024

eject is used by the agent: https://github.com/cloudfoundry/bosh-agent/blob/main/platform/cdrom/linux_cdrom.go
vSphere userdata gets injected via a cdrom...

@ramonskie
Contributor

resolvconf has already been replaced with systemd-resolved
runit (which is used to start the agent) can be migrated to use systemd
don't know why grub2 is in this list..
all the clang packages and libs are dependencies, so I don't think these can be removed.

@ramonskie
Contributor

As we move to iptables we could also remove this.
But we can only remove this if the bosh-agent is also moving from its NATS iptables rules to nftables.

@beyhan
Member

beyhan commented Apr 26, 2024

@ramonskie what do you mean with this? Did you forget to add the link?
