Install git-lfs in ubi image from upstream RPM repo

For the ubi-base image only, install git-lfs from the project's official release RPM repository. Why do we need to do this?

  1. It turns out git-lfs is subject to a lot of CVEs
  2. While the CVEs are fixed upstream in a timely manner, Red Hat is very slow about updating its git-lfs packages.

This leaves us constantly exposed to a large number of active CVEs against git-lfs.

In general I'd rather not address this situation this way, but because of the above two points, and because git-lfs is easy to install (it has no additional dependencies beyond git, which is already installed), it is feasible to do.

NOTE to everyone: DO NOT try to use this as a precedent for dealing with other CVEs in a similar way. This is a single exception.

This change reduces/trades the active CVEs in the latest (9.4-1227) registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base image from:

  • CVE-2022-23806
  • CVE-2022-41723
  • CVE-2022-41724
  • CVE-2022-41725
  • CVE-2023-24534
  • CVE-2023-24536
  • CVE-2023-29406
  • CVE-2023-29409
  • CVE-2023-39321
  • CVE-2023-39322
  • CVE-2024-24788
  • CVE-2024-24790
  • CVE-2024-24791
  • CVE-2024-34156
  • CVE-2024-9355

to

  • CVE-2023-45288
  • CVE-2024-24789
  • CVE-2024-24790
  • CVE-2024-24791
  • CVE-2024-34155
  • CVE-2024-34156
  • CVE-2024-34158

in the image created in this MR.

An even better approach might be to build git-lfs from source using the go-fips version of Go and with CGO_ENABLED=1.

Edited by Axel von Bertoldi
