- 
    Story 
- 
    Resolution: Unresolved
- 
        Future Sustainability
openshift/library-go relies on multiple packages from github.com/distribution/distribution.
A v3 version of distribution is in the works. It makes some packages internal, while others are rewritten or removed, meaning library-go is no longer able to import them.
As a result, library-go cannot update its distribution version until it drops or aligns its dependency on the following packages:
- distribution/distribution/v3/registry/client
- distribution/distribution/v3/registry/client/auth
- distribution/distribution/v3/registry/client/auth/challenge
- distribution/distribution/v3/registry/client/transport
- distribution/distribution/v3/manifest/schema1 (there is now schema2)
- distribution/distribution/v3/reference (can be replaced with distribution/reference repo)
This is important because updating distribution might be necessary, for example, to fix a CVE. Since many openshift packages import library-go, the impact of a CVE in one of the imported distribution packages could be huge.
Here's a breakdown of what's imported where:
pkg/image/registryclient/credentials.go
    7: "github.com/distribution/distribution/v3/registry/client/auth"
pkg/image/registryclient/client_mirrored.go
    14: "github.com/distribution/distribution/v3/registry/client"
    15: "github.com/distribution/distribution/v3/registry/client/auth"
    20: distributionreference "github.com/distribution/distribution/v3/reference"
pkg/image/registryclient/client.go
    21: "github.com/distribution/distribution/v3/manifest/schema1"
    22: "github.com/distribution/distribution/v3/reference"
    24: registryclient "github.com/distribution/distribution/v3/registry/client"
    25: "github.com/distribution/distribution/v3/registry/client/auth"
    26: "github.com/distribution/distribution/v3/registry/client/auth/challenge"
    27: "github.com/distribution/distribution/v3/registry/client/transport"
pkg/image/registryclient/client_test.go
    24: "github.com/distribution/distribution/v3/reference"
    26: registryclient "github.com/distribution/distribution/v3/registry/client"
    27: "github.com/distribution/distribution/v3/registry/client/auth"
The most complex use of registry/client packages is in pkg/image/registryclient/client.go. Other uses of registry client are simple type references and could be easily dropped by bringing these types into library-go if required.
The initial effort should focus on pkg/image/registryclient/client.go - we need to identify what options exist in github.com/containers to replace the functionality required by pkg/image/registryclient/client.go.
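One way to regenerate the import breakdown above as the migration progresses, given here as an added example that is not library-go's own code. It uses Go's standard go/parser; the function name BlockedImports and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// blockedPrefix covers the distribution/v3 packages listed in the issue.
const blockedPrefix = "github.com/distribution/distribution/v3/"

// BlockedImports parses only the import section of src and returns one
// entry per import under blockedPrefix, formatted as `LINE: "path"`.
func BlockedImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, imp := range f.Imports {
		// The parser has already validated the string literal.
		path, _ := strconv.Unquote(imp.Path.Value)
		if strings.HasPrefix(path, blockedPrefix) {
			line := fset.Position(imp.Path.Pos()).Line
			out = append(out, fmt.Sprintf("%d: %q", line, path))
		}
	}
	return out, nil
}

// sampleSrc is constructed for this example; it is not library-go source.
const sampleSrc = `package registryclient
import (
	"net/http"
	"github.com/distribution/distribution/v3/manifest/schema1"
	registryclient "github.com/distribution/distribution/v3/registry/client"
)
`

func main() {
	lines, err := BlockedImports("sample.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```

Run over each file under pkg/image/registryclient, an empty result means that file no longer blocks the distribution update.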
- is depended on by: WRKLDS-1599 Update distribution/v3 package to v3.0.0 in openshift-apiserver (In Progress)