Do not install python in ubi-fips-base image
What does this MR do?
Stop installing python in runner ubi-fips-base image.
Why was this MR needed?
Currently when assembling the ubi-fips-base image, we build git from source with the --with-python flag, which requires we install python, which in turn pulls in pip.
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065 reports CVE vulnerability PRISMA-2022-0168 against pip. This vulnerability has not been fixed upstream.
Meanwhile, it's not clear why we build git with --with-python. Installing git via the canonical package managers in alpine, debian and fedora does NOT pull in python, so I'm not sure why we need it here, and that wasn't documented AFAICT.
What's the best way to test this MR?
If the pipeline tests pass, we're probably good.
What are the relevant issue numbers?
Edited by Axel von Bertoldi