
Do not install python in ubi-fips-base image

Axel von Bertoldi requested to merge avonbertoldi/31065/fix-cve-pip-vuln into main

What does this MR do?

Stop installing python in runner ubi-fips-base image.

Why was this MR needed?

Currently, when assembling the ubi-fips-base image, we build git from source with the --with-python flag, which requires that we install python, which in turn pulls in pip.

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065 reports CVE vulnerability PRISMA-2022-0168 against pip. This vulnerability has not been fixed upstream.

Meanwhile, it's not clear why we build git with --with-python. Installing git via the canonical package managers in alpine, debian and fedora does NOT pull in python, so I'm not sure why we need it here, and that wasn't documented AFAICT.

What's the best way to test this MR?

If the pipeline tests pass, we're probably good.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31065

Edited by Axel von Bertoldi
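The MR's test plan relies on the pipeline passing, which exercises the runner but does not directly confirm that python and pip are gone from the image. The following is an added example (not code from this MR or from the gitlab-runner repository) of a small check that scans an unpacked image rootfs for python and pip artifacts. It assumes the rootfs has been exported to a directory (for instance with `docker export <container> | tar -x -C <dir>`); the binary and library locations it looks in are conventional paths chosen for the example, not a list taken from the project.

```shell
#!/bin/sh
# Added example: report python/pip artifacts in an unpacked image rootfs.
# Not part of the MR; paths below are common install locations, chosen here
# as an assumption, not taken from the ubi-fips-base build.

# Print relative paths of python/pip binaries and library trees under $1.
find_python_artifacts() {
    root="$1"
    # Interpreter and pip entry points in the usual bin directories
    for bin in python python2 python3 pip pip2 pip3; do
        for dir in usr/bin usr/local/bin bin usr/libexec; do
            [ -e "$root/$dir/$bin" ] && echo "$dir/$bin"
        done
    done
    # Library trees: site-packages directories and libpython shared objects
    find "$root" -type d -path '*/site-packages' 2>/dev/null | sed "s|^$root/||"
    find "$root" -name 'libpython*' 2>/dev/null | sed "s|^$root/||"
    return 0
}

# Return 0 when the rootfs is python-free, 1 (with a listing on stderr) otherwise.
assert_no_python() {
    hits=$(find_python_artifacts "$1")
    if [ -n "$hits" ]; then
        printf 'python/pip artifacts found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a "before" tree that still carries python and pip, and an
# "after" tree with only git. Both are fabricated here for illustration.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/before/usr/bin" "$tmp/before/usr/lib/python3.9/site-packages/pip" \
             "$tmp/after/usr/bin"
    : > "$tmp/before/usr/bin/python3"
    : > "$tmp/before/usr/bin/pip3"
    : > "$tmp/before/usr/bin/git"
    : > "$tmp/after/usr/bin/git"
    if assert_no_python "$tmp/before"; then echo "before: clean"; else echo "before: python present (expected)"; fi
    if assert_no_python "$tmp/after"; then echo "after: clean (expected)"; else echo "after: python present"; fi
    rm -rf "$tmp"
}

# Run the constructed demo with: sh check_no_python.sh demo
case "${1:-}" in demo) demo ;; esac
```

To check a real image, export its filesystem to a directory and call `assert_no_python <dir>`; a non-zero exit with a listing on stderr means the interpreter or pip is still present. Note that git's own Makefile supports `NO_PYTHON=YesPlease` for builds that must not depend on Python, which is the build-time counterpart of this check.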
