In the releases page for 2905.2.2 it says Go got updated to 1.16.7, but Docker binaries are still built with Go 1.13.
The releases page for 2905.2.2 also lists a security fix from Go, but it didn't actually get fixed.
Impact
Go 1.13 contains several known vulnerabilities. This is also identified by vulnerability scanners, which could alert on or block deployments using Flatcar AMIs.
Environment and steps to reproduce
Set-up: Flatcar Container Linux by Kinvolk 2905.2.5 (Oklo)
Expected behavior
I wonder if it's possible to update stable to compile Docker binaries using Go 1.17 or at least 1.16.7 as described in the release (although there are other known vulnerabilities in Go <1.17 as well).
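One way to check which Go toolchain a binary was actually built with, as an added example that is not part of the original issue or of the Flatcar project's code: it reads the build information Go embeds in binaries through the standard library's debug/buildinfo package and compares it with go1.16.7, the version named above. The helper names and the usage (binary paths passed as command-line arguments) are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.13.15" into [1 13 15]; "go1.17rc1" becomes [1 17 0].
func parseGoVersion(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		if j := strings.IndexFunc(p, func(r rune) bool { return r < '0' || r > '9' }); j >= 0 {
			p = p[:j] // drop suffixes such as "rc1"
		}
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unparseable Go version: %q", v)
		}
	}
	return out, nil
}

// builtBefore reports whether the toolchain version built is older than minimum.
func builtBefore(built, minimum string) (bool, error) {
	b, errB := parseGoVersion(built)
	m, errM := parseGoVersion(minimum)
	if errB != nil || errM != nil {
		return false, fmt.Errorf("cannot compare %q with %q", built, minimum)
	}
	for i := range b {
		if b[i] != m[i] {
			return b[i] < m[i], nil
		}
	}
	return false, nil
}

func main() {
	const minimum = "go1.16.7" // version named in the 2905.2.2 release notes
	for _, path := range os.Args[1:] { // binaries to audit, supplied by the caller
		if info, err := buildinfo.ReadFile(path); err != nil {
			fmt.Printf("%s: no readable Go build info: %v\n", path, err)
		} else if old, err := builtBefore(info.GoVersion, minimum); err != nil {
			fmt.Printf("%s: %v\n", path, err)
		} else {
			fmt.Printf("%s: built with %s, older than %s: %v\n", path, info.GoVersion, minimum, old)
		}
	}
}
```

Run it with the paths of the Docker binaries on the host as arguments; a binary reported as older than go1.16.7 is one the release notes' Go update did not reach.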
I suggest deploying beta/alpha images at this time, they contain Docker 20.10.8 built with Go 1.16, soon Go 1.17. These will be promoted to stable at some point in the future.
The next Stable release would be a major release, i.e. we would bump Beta to Stable. We are working on #523; a set of releases will be done as soon as the issue is resolved.