Refresh ci-debian-buster container image used for build

[planetf1]

Followon from open-quantum-safe/liboqs#1702

The openquantumsafe/ci-debian-custer-amd64:latest image is used as part of our ci process

When working on the above PR I noticed we weren't pinning the version spec of this image (though the tooling did not detect this).

I inspected the image with a scan on quay.io

This is used for testing/verification, rather than supplying images for consumers, but it looks as if it could do with being updated - any images/sw used for tests could be compromised to hide an injected vulnerability.

The current image has quite old java (1.11.0), and also older versions of qemu and other tools. See list

[planetf1]

@baentsch thanks for the pointer to the ci repo in the PR.

I think the observation here is that we could/should update the CI image, so could we transfer this issue over to https://github.com/open-quantum-safe/ci-containers

In terms of open-quantum-safe/tsc#5 I think ensuring efficiency is important, but we should review the base & additional dependencies 'periodically' (tools like dependabot can help, and be scheduled to run, for example, monthly - and sites like quay.io can help with (free) image scans)

[baentsch]

so could we transfer this issue over

That was the first thing I tried, but I guess some LF-permissioning manipulations made this impossible for me.

we should review the base & additional dependencies 'periodically'

Makes sense. Feel free to go ahead implementing a PR in the sub-project to do this automatically.

[planetf1]

Makes sense. Feel free to go ahead implementing a PR in the sub-project to do this automatically.

Can you assign to me and see what I can do.

[dstebila]

Looks like I have permission to transfer the issue to ci-containers, which I can do if you want. Or we can leave it here to ensure Michael's permissions get resolved.

[baentsch]

Please go ahead, Douglas. I don't need more permissions -- very much to the contrary.

[baentsch]

Can you assign to me and see what I can do.

Are you saying you don't even have permission to assign this to yourself? Sounds not quite right either.

[dstebila]

Okay, I've moved this to the ci-containers repository and assigned to @planetf1

[ryjones]

Please go ahead, Douglas. I don't need more permissions -- very much to the contrary.

This is confusing. You have write access to both repos, so you should have permission to transfer the issue.

As far as assigning issues, @planetf1 isn't a member of the org with any permissions, and may need added.

[baentsch]

This is confusing. You have write access to both repos

Thanks for taking a look. I tried again and realized a UI "feature" I wasn't aware of: As there are too many repos I can transfer to, only some are displayed in the "transfer pop-up". If I manually type in a non-displayed target repo to the search box, it becomes visible and the transfer would/should succeed. Sorry for making you look into this.

[baentsch]

This is to question whether it's really sensible to put work into Buster: It's running out of support this June. Suggest to rather put effort into moving to Bookworm (if at all -- Debian is none of the OQS supported platforms)...

[planetf1]

@baentsch agree with bookworm, but thanks for the pointer. It doesn't even appear in Tier 3 of your list. We do refer to debian in various places in our build etc so it may be preferable to retain