On Tue, Feb 12, 2019 at 01:45:01AM +0100, Danny Milosavljevic wrote:
> Docker still contains some vendored dependencies, among those github.com/opencontainers/runc,
> in directory "vendor", and so does containerd.  It might make sense to also remove them now.

I didn't do anything regarding the vendored / bundled deps in my patches
related to CVE-2019-5736 <https://bugs.gnu.org/34446>.

Regarding Docker, the update to 18.09.2 ostensibly fixed CVE-2019-5736,
I suppose by updating the bundled copy of runc.

For containerd I didn't change the package at all.

Both Docker and containerd depend on our runc package. If they don't
actually use it but instead use their bundled copy, we should remove the
dependency and document the bundling, or work on unbundling.

Unfortunately this is complicated for us in recent versions of Go:

https://lists.gnu.org/archive/html/guix-devel/2018-11/msg00223.html