Install git and git-lfs via package manager in ubi.fips.base image
The vulnerabilities against git and git-lfs that prompted us to install those packages manually have been downgraded from High and Critical to Medium. Since we don't address Medium CVE vulnerabilities, we can return to installing these packages via microdnf. This change not only addresses #36051 (closed), but also cuts the pipeline runtime by ~3 hours when the prepare ubi base job is triggered, and makes that job much less flaky since it often timed out.
This is not the end of this story though. We need to put ourselves in a better position to handle CVEs against 3rd party packages.
Fixes #36051 (closed)
More discussion in https://gitlab.slack.com/archives/C05TDR6G2RY
Edited by Axel von Bertoldi