Skip to content

[release-1.33] Do Not Merge - revert crypto bump and use OCP crypto branch#6694

Draft
TomSweeneyRedHat wants to merge 2 commits into
containers:release-1.33from
TomSweeneyRedHat:dev/tsweeney/ocp_revert
Draft

[release-1.33] Do Not Merge - revert crypto bump and use OCP crypto branch#6694
TomSweeneyRedHat wants to merge 2 commits into
containers:release-1.33from
TomSweeneyRedHat:dev/tsweeney/ocp_revert

Conversation

@TomSweeneyRedHat
Copy link
Copy Markdown
Member

@TomSweeneyRedHat TomSweeneyRedHat commented Feb 19, 2026

This reverts 65707d0 from the release-1.33 branch and replaces golang.org/x/crypto with one that the OCP team has worked up to address CVE-2025-47913. This will keep Go at v1.22 in this branch, which is important to the OCP Builder team.

What type of PR is this?

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake
/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

@TomSweeneyRedHat TomSweeneyRedHat added do-not-merge/work-in-progress No New Tests Allow PR to proceed without adding regression tests labels Feb 19, 2026
@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 19, 2026
@TomSweeneyRedHat
Revert "[release-1.33] CVE-2025-49713 x/crypto"
e4c38dd 
This reverts commit 2b88f58.

Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
@TomSweeneyRedHat
[release-1.33] Use crypto from OCP library
395d866 
Use the golang.org/x/crypto library from the OCP team located at:
github.com/openshift/golang-crypto v0.33.1-0.20260212164730-3e9ce6e0b8f5

To try and keep Go at a version that is usable by the OCP team.

Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
nalind
nalind reviewed Feb 26, 2026
View reviewed changes
Comment thread go.mod

go 1.22.6

toolchain go1.22.12
Copy link
Copy Markdown
Member

@nalind nalind Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The toolchain line can probably be dropped. We usually try to not have one.

@TomSweeneyRedHat TomSweeneyRedHat marked this pull request as draft March 4, 2026 16:45
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 4, 2026

A friendly reminder that this PR had no activity for 30 days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nalind nalind nalind left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress No New Tests Allow PR to proceed without adding regression tests size:M This PR changes 30-99 lines, ignoring generated files. stale-pr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TomSweeneyRedHat @nalind