Sync from SUSE:SLFO:Main golang-github-prometheus-prometheus revision 0cb5c2328550508334bb21f85881234c

2024-12-20 16:04:22 +01:00 · 2024-12-20 16:04:22 +01:00 · 3c6042e9c3
commit 3c6042e9c3
parent 1e89d22201
12 changed files with 909 additions and 395 deletions
--- a/0001-Do-not-force-the-pure-Go-name-resolver.patch
+++ b/0001-Do-not-force-the-pure-Go-name-resolver.patch
@ -1,4 +1,4 @@
-From de6a642d171890fb0360fed67fd7313f13ea4b37 Mon Sep 17 00:00:00 2001
+From bc9decb6a9f56a70d49e935e2a0207c20d2b2a2c Mon Sep 17 00:00:00 2001
 From: Jan Fajerski <jfajerski@suse.com>
 Date: Fri, 8 Feb 2019 09:17:06 +0100
 Subject: [PATCH] Do not force the pure Go name resolver
@ -10,16 +10,16 @@ on OS and environment variables.
 This allows, among other things, to use Prometheus to scrape mDNS targets.

 Signed-off-by: Jan Fajerski <jfajerski@suse.com>
-Signed-off-by: Johannes Kastl <kastl@b1-systems.de>
+Signed-off-by: Johannes Kastl <git@johannes-kastl.de>
 ---
- .promu.yml | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
+ .promu.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/.promu.yml b/.promu.yml
-index f724dc34f..ccce0d5a2 100644
+index 0aa51d6d315..06c9c579d8e 100644
 --- a/.promu.yml
 +++ b/.promu.yml
-@@ -12,13 +12,12 @@ build:
+@@ -12,12 +12,12 @@ build:
           path: ./cmd/promtool
     tags:
         all:
@ -29,11 +29,7 @@ index f724dc34f..ccce0d5a2 100644
         windows:
             - builtinassets
             - stringlabels
-    flags: -a
 +    flags: -mod=vendor -a
     ldflags: |
         -X github.com/prometheus/common/version.Version={{.Version}}
         -X github.com/prometheus/common/version.Revision={{.Revision}}
-- 
-2.40.1
-
--- a/0003-Bump-go-retryablehttp.patch
+++ b/0003-Bump-go-retryablehttp.patch
@ -0,0 +1,61 @@
+From 07cff5bee27a832e4d4902911ea0ebbea0518113 Mon Sep 17 00:00:00 2001
+From: Daniel Mellado <dmellado@redhat.com>
+Date: Tue, 25 Jun 2024 16:31:03 +0200
+Subject: [PATCH] Bump go-retryablehttp to fix basic auth creds leak
+
+This PR updates go-retryablehttp to version 0.7.7, even if it's used as
+an indirect import. Versions previous to that can didn't sanitize urls,
+discussed at HDCSEC-2024-12 [1]
+
+[1] https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
+
+Signed-off-by: Daniel Mellado <dmellado@redhat.com>
+---
+ go.mod | 4 ++--
+ go.sum | 9 ++++-----
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 8caf80727b7..f4cf5828015 100644
+--- a/go.mod
+++ b/go.mod
+@@ -145,10 +145,10 @@ require (
+ 	github.com/hashicorp/cronexpr v1.1.2 // indirect
+ 	github.com/hashicorp/errwrap v1.1.0 // indirect
+ 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+-	github.com/hashicorp/go-hclog v1.5.0 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
+ 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+ 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+-	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+ 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+ 	github.com/hashicorp/golang-lru v0.6.0 // indirect
+ 	github.com/hashicorp/serf v0.10.1 // indirect
+diff --git a/go.sum b/go.sum
+index 06db002f55b..956b9d89492 100644
+--- a/go.sum
+++ b/go.sum
+@@ -369,9 +369,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
+ github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+ github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+ github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+ github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
+ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+@@ -383,8 +382,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
+ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+ github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
+-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+ github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+ github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
--- a/PACKAGING_README.md
+++ b/PACKAGING_README.md
@ -5,11 +5,5 @@ needs the assets for the web UI. These can be generated by the
 `Makefile` that is present in this package.
 To do that, you need to have `make` and `npm` installed locally.

-1. Change the version in the `_service` file
-2. Change the version in the spec file
-3. Run `make`
-4. Create a changelog entry
-5. Commit the changes as usual
-
 For the OBS workflow you also need `obs-service-go_modules` as well
 as `obs-service-tar_scm` and `obs-service-recompress`.
--- a/4
+++ b/4
@ -4,7 +4,7 @@
    <param name="scm">git</param>
    <param name="exclude">.git</param>
    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">v2.47.2</param>
+    <param name="revision">v2.53.3</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="match-tag">v2*</param>
  </service>
@ -13,6 +13,6 @@
    <param name="compression">gz</param>
  </service>
  <service name="go_modules" mode="manual">
-    <param name="archive">prometheus-2.47.2.tar.gz</param>
+    <param name="archive">prometheus-2.53.3.tar.gz</param>
  </service>
 </services>
--- a/golang-github-prometheus-prometheus.changes
+++ b/golang-github-prometheus-prometheus.changes
--- a/golang-github-prometheus-prometheus.spec
+++ b/golang-github-prometheus-prometheus.spec
@ -1,7 +1,7 @@
 #
 # spec file for package golang-github-prometheus-prometheus
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2017 Silvio Moioli <moio@suse.com>
 #
 # All modifications and additions to the file contributed by third parties
@ -27,7 +27,7 @@
 %endif

 Name:           golang-github-prometheus-prometheus
-Version:        2.47.2
+Version:        2.53.3
 Release:        0
 Summary:        The Prometheus monitoring system and time series database
 License:        Apache-2.0
@ -47,6 +47,8 @@ Source9:        PACKAGING_README.md
 Patch1:         0001-Do-not-force-the-pure-Go-name-resolver.patch
 # Lifted from Debian's prometheus package
 Patch2:         0002-Default-settings.patch
+# https://github.com/prometheus/prometheus/pull/14373
+Patch3:         0003-Bump-go-retryablehttp.patch
 BuildRequires:  fdupes
 %if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
 BuildRequires:  firewall-macros
@ -55,7 +57,6 @@ BuildRequires:  firewall-macros
 # with -buildmode=pie
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-github-prometheus-promu >= 0.14.0
-BuildRequires:  golang-packaging
 BuildRequires:  golang(API) >= 1.21
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} >= 1500
@ -68,8 +69,6 @@ Provides:       prometheus = %{version}
 ExcludeArch:    s390
 %systemd_ordering

-%go_nostrip
-
 %description
 Prometheus's main features are:
 - a multi-dimensional data model (time series identified by metric name and key/value pairs)
@ -85,8 +84,15 @@ Prometheus's main features are:
 %autosetup -D -a2 -p1 -n prometheus-%{version}

 %build
-%goprep github.com/prometheus/prometheus
-GOPATH=%{_builddir}/go promu build -v
+%ifarch i586 s390x armv7hl armv7l armv7l:armv6l:armv5tel armv6hl
+export BUILD_CGO_FLAG="--cgo"
+%endif
+export GOFLAGS="-buildmode=pie"
+promu build -v $BUILD_CGO_FLAG
+
+%check
+./prometheus --version
+./promtool --version

 %install
 install -D -m0755 %{_builddir}/prometheus-%{version}/prometheus %{buildroot}/%{_bindir}/prometheus
@ -114,7 +120,6 @@ install -Dd -m 0750 %{buildroot}%{_localstatedir}/lib/prometheus/data
 install -Dd -m 0750 %{buildroot}%{_localstatedir}/lib/prometheus/metrics

 install -D -m0644 %{SOURCE7} %{buildroot}/%{_defaultlicensedir}/%{name}/npm_licenses.tar.bz2
-%gofilelist

 %fdupes %{buildroot}/%{_prefix}

--- a/npm_licenses.tar.bz2
+++ b/npm_licenses.tar.bz2
--- a/prometheus-2.47.2.tar.gz
+++ b/prometheus-2.47.2.tar.gz
--- a/prometheus-2.53.3.tar.gz
+++ b/prometheus-2.53.3.tar.gz
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
--- a/web-ui-2.47.2.tar.gz
+++ b/web-ui-2.47.2.tar.gz
--- a/web-ui-2.53.3.tar.gz
+++ b/web-ui-2.53.3.tar.gz