-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gosu carries many CVE and appears unused #401
Comments
|
I realize it isn't a real vulnerability, but it shows as a HIGH score CVE in scan tools. Millions of man hours at workplaces all around the world have been wasted at trying to document around these false positive vulnerability scans. The gosu author refuses to make a release. An alternative is to remove gosu. Is there a reason su from util-linux or busybox can't be used instead? |
Can we use su-exec to achieve the similar result? https://gist.github.com/StevenACoffman/41fee08e8782b411a4a26b9700ad7af5 |
There's an outstanding parser bug in |
Can Aren't these equivalent?
and
edit: ugh, never mind. Now I see runuser is from util-linux, but alpine/busybox do not have an equivalent. edit2: maybe even with all of the deps it is still smaller (1416kb) than gosu (2250kb) update: never mind. The semantics of runuser are not the same as gosu and rather than exec it does fork and exec. |
Would you be open to a patch which removes the unused gosu?
The text was updated successfully, but these errors were encountered: