From 514f77b4604b14556802dcc85721cfc570defd0775c1c9eedc7432963cdd66c3 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Wed, 4 Oct 2017 17:38:35 +0000 Subject: [PATCH] Accepting request 531029 from home:cyphar:containers - Update to umoci v0.3.1. Upstream changelog: - Fix several minor bugs in `hack/release.sh` that caused the release artefacts to not match the intended style, as well as making it more generic so other projects can use it. openSUSE/umoci#155 openSUSE/umoci#163 - A recent configuration issue caused `go vet` and `go lint` to not run as part of our CI jobs. This means that some of the information submitted as part of [CII best practices badging][cii] was not accurate. This has been corrected, and after review we concluded that only stylistic issues were discovered by static analysis. openSUSE/umoci#158 - 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been fixed, and we've added tests to our CI to ensure that something like this won't go unnoticed in the future. openSUSE/umoci#157 - `umoci unpack` would not correctly preserve set{uid,gid} bits. While this would not cause issues when building an image (as we only create a manifest of the final extracted rootfs), it would cause issues for other users of `umoci`. openSUSE/umoci#166 openSUSE/umoci#169 - Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor bugs with manifest generation. openSUSE/umoci#176 - `umoci unpack` would not handle "weird" tar archive layers previously (it would error out with DiffID errors). While this wouldn't cause issues for layers generated using Go's `archive/tar` implementation, it would cause issues for GNU gzip and other such tools. - `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an interface change, to better match the [`user_namespaces(7)`][user_namespaces] interfaces. Note that this is a **breaking change**, but the workaround is to switch to the trivially different (but now more consistent) format. 
openSUSE/umoci#167 - `umoci unpack` used to create the bundle and rootfs with world read-and-execute permissions by default. This could potentially result in an unsafe rootfs (containing dangerous setuid binaries for instance) being accessible by an unprivileged user. This has been fixed by always setting the mode of the bundle to `0700`, which requires a user to explicitly work around this basic protection. This scenario was documented in our security documentation previously, but has now been fixed. openSUSE/umoci#181 openSUSE/umoci#182 [cii]: https://bestpractices.coreinfrastructure.org/projects/1084 [gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1 [user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html - Remove patch that has been applied upstream. - i586-0001-fix-mis-usage-of-time.Unix.patch OBS-URL: https://build.opensuse.org/request/show/531029 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=26 --- _service | 8 +- i586-0001-fix-mis-usage-of-time.Unix.patch | 209 --------------------- umoci-0.3.0.tar.xz | 3 - umoci-0.3.0.tar.xz.asc | 16 -- umoci-0.3.1.tar.xz | 3 + umoci-0.3.1.tar.xz.asc | 16 ++ umoci.changes | 45 +++++ umoci.spec | 6 +- 8 files changed, 69 insertions(+), 237 deletions(-) delete mode 100644 i586-0001-fix-mis-usage-of-time.Unix.patch delete mode 100644 umoci-0.3.0.tar.xz delete mode 100644 umoci-0.3.0.tar.xz.asc create mode 100644 umoci-0.3.1.tar.xz create mode 100644 umoci-0.3.1.tar.xz.asc diff --git a/_service b/_service index 710b5e7..1688f56 100644 --- a/_service +++ b/_service @@ -2,14 +2,14 @@ https github.com - openSUSE/umoci/releases/download/v0.3.0/umoci.tar.xz - umoci-0.3.0.tar.xz + openSUSE/umoci/releases/download/v0.3.1/umoci.tar.xz + umoci-0.3.1.tar.xz https github.com - openSUSE/umoci/releases/download/v0.3.0/umoci.tar.xz.asc - umoci-0.3.0.tar.xz.asc + openSUSE/umoci/releases/download/v0.3.1/umoci.tar.xz.asc + umoci-0.3.1.tar.xz.asc umoci 
diff --git a/i586-0001-fix-mis-usage-of-time.Unix.patch b/i586-0001-fix-mis-usage-of-time.Unix.patch deleted file mode 100644 index 89daf33..0000000 --- a/i586-0001-fix-mis-usage-of-time.Unix.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 351b92da519b61cb24b5f7f71e5b9cf2c8c7bb02 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 24 Jul 2017 07:34:49 +1000 -Subject: [PATCH] *: fix mis-usage of unix.Stat_t.[AM]tim with time.Unix - -80f787e4853d ("*: replace syscall with unix") did not correctly replace -the usage of (*syscall.Stat_t).[AM]tim.Unix() in tests, which resulted -in 32-bit builds failing in OBS because we run those tests in a %check -section. We need to add CI testing to make sure that we don't miss stuff -like this in the future. - -Fixes: 80f787e4853d ("*: replace syscall with unix") -Signed-off-by: Aleksa Sarai ---- - pkg/system/utime_linux_test.go | 48 ++++++++++++++++++++-------------------- - pkg/unpriv/unpriv_utimes_test.go | 48 ++++++++++++++++++++-------------------- - 2 files changed, 48 insertions(+), 48 deletions(-) - -diff --git a/pkg/system/utime_linux_test.go b/pkg/system/utime_linux_test.go -index f4597020626a..719071df61b1 100644 ---- a/pkg/system/utime_linux_test.go -+++ b/pkg/system/utime_linux_test.go -@@ -57,10 +57,10 @@ func TestLutimesFile(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -106,10 +106,10 @@ func TestLutimesDirectory(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := 
time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -161,10 +161,10 @@ func TestLutimesSymlink(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -180,10 +180,10 @@ func TestLutimesSymlink(t *testing.T) { - } - - // Make sure that the parent directory was unchanged. -- atimeParentOld := time.Unix(fiParentOld.Atim.Sec, fiParentOld.Atim.Nsec) -- mtimeParentOld := time.Unix(fiParentOld.Mtim.Sec, fiParentOld.Mtim.Nsec) -- atimeParentNew := time.Unix(fiParentNew.Atim.Sec, fiParentNew.Atim.Nsec) -- mtimeParentNew := time.Unix(fiParentNew.Mtim.Sec, fiParentNew.Mtim.Nsec) -+ atimeParentOld := time.Unix(fiParentOld.Atim.Unix()) -+ mtimeParentOld := time.Unix(fiParentOld.Mtim.Unix()) -+ atimeParentNew := time.Unix(fiParentNew.Atim.Unix()) -+ mtimeParentNew := time.Unix(fiParentNew.Mtim.Unix()) - - if !atimeParentOld.Equal(atimeParentNew) { - t.Errorf("parent directory atime was changed! 
old='%s' new='%s'", atimeParentOld, atimeParentNew) -@@ -239,10 +239,10 @@ func TestLutimesRelative(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -258,10 +258,10 @@ func TestLutimesRelative(t *testing.T) { - } - - // Make sure that the parent directory was unchanged. -- atimeParentOld := time.Unix(fiParentOld.Atim.Sec, fiParentOld.Atim.Nsec) -- mtimeParentOld := time.Unix(fiParentOld.Mtim.Sec, fiParentOld.Mtim.Nsec) -- atimeParentNew := time.Unix(fiParentNew.Atim.Sec, fiParentNew.Atim.Nsec) -- mtimeParentNew := time.Unix(fiParentNew.Mtim.Sec, fiParentNew.Mtim.Nsec) -+ atimeParentOld := time.Unix(fiParentOld.Atim.Unix()) -+ mtimeParentOld := time.Unix(fiParentOld.Mtim.Unix()) -+ atimeParentNew := time.Unix(fiParentNew.Atim.Unix()) -+ mtimeParentNew := time.Unix(fiParentNew.Mtim.Unix()) - - if !atimeParentOld.Equal(atimeParentNew) { - t.Errorf("parent directory atime was changed! 
old='%s' new='%s'", atimeParentOld, atimeParentNew) -diff --git a/pkg/unpriv/unpriv_utimes_test.go b/pkg/unpriv/unpriv_utimes_test.go -index 423e808a1da3..ac037e25f50f 100644 ---- a/pkg/unpriv/unpriv_utimes_test.go -+++ b/pkg/unpriv/unpriv_utimes_test.go -@@ -56,10 +56,10 @@ func TestLutimesFile(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -104,10 +104,10 @@ func TestLutimesDirectory(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -158,10 +158,10 @@ func TestLutimesSymlink(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -177,10 +177,10 @@ func 
TestLutimesSymlink(t *testing.T) { - } - - // Make sure that the parent directory was unchanged. -- atimeParentOld := time.Unix(fiParentOld.Atim.Sec, fiParentOld.Atim.Nsec) -- mtimeParentOld := time.Unix(fiParentOld.Mtim.Sec, fiParentOld.Mtim.Nsec) -- atimeParentNew := time.Unix(fiParentNew.Atim.Sec, fiParentNew.Atim.Nsec) -- mtimeParentNew := time.Unix(fiParentNew.Mtim.Sec, fiParentNew.Mtim.Nsec) -+ atimeParentOld := time.Unix(fiParentOld.Atim.Unix()) -+ mtimeParentOld := time.Unix(fiParentOld.Mtim.Unix()) -+ atimeParentNew := time.Unix(fiParentNew.Atim.Unix()) -+ mtimeParentNew := time.Unix(fiParentNew.Mtim.Unix()) - - if !atimeParentOld.Equal(atimeParentNew) { - t.Errorf("parent directory atime was changed! old='%s' new='%s'", atimeParentOld, atimeParentNew) -@@ -236,10 +236,10 @@ func TestLutimesRelative(t *testing.T) { - t.Fatal(err) - } - -- atimeOld := time.Unix(fiOld.Atim.Sec, fiOld.Atim.Nsec) -- mtimeOld := time.Unix(fiOld.Mtim.Sec, fiOld.Mtim.Nsec) -- atimeNew := time.Unix(fiNew.Atim.Sec, fiNew.Atim.Nsec) -- mtimeNew := time.Unix(fiNew.Mtim.Sec, fiNew.Mtim.Nsec) -+ atimeOld := time.Unix(fiOld.Atim.Unix()) -+ mtimeOld := time.Unix(fiOld.Mtim.Unix()) -+ atimeNew := time.Unix(fiNew.Atim.Unix()) -+ mtimeNew := time.Unix(fiNew.Mtim.Unix()) - - if atimeOld.Equal(atimeNew) { - t.Errorf("atime was not changed at all!") -@@ -255,10 +255,10 @@ func TestLutimesRelative(t *testing.T) { - } - - // Make sure that the parent directory was unchanged. 
-- atimeParentOld := time.Unix(fiParentOld.Atim.Sec, fiParentOld.Atim.Nsec) -- mtimeParentOld := time.Unix(fiParentOld.Mtim.Sec, fiParentOld.Mtim.Nsec) -- atimeParentNew := time.Unix(fiParentNew.Atim.Sec, fiParentNew.Atim.Nsec) -- mtimeParentNew := time.Unix(fiParentNew.Mtim.Sec, fiParentNew.Mtim.Nsec) -+ atimeParentOld := time.Unix(fiParentOld.Atim.Unix()) -+ mtimeParentOld := time.Unix(fiParentOld.Mtim.Unix()) -+ atimeParentNew := time.Unix(fiParentNew.Atim.Unix()) -+ mtimeParentNew := time.Unix(fiParentNew.Mtim.Unix()) - - if !atimeParentOld.Equal(atimeParentNew) { - t.Errorf("parent directory atime was changed! old='%s' new='%s'", atimeParentOld, atimeParentNew) --- -2.13.3 - diff --git a/umoci-0.3.0.tar.xz b/umoci-0.3.0.tar.xz deleted file mode 100644 index 3ad2086..0000000 --- a/umoci-0.3.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:be8a3b921ad18d16212a0693500ccd02dce7fa4ad3d897b229f43e8d9fc4062b -size 316896 diff --git a/umoci-0.3.0.tar.xz.asc b/umoci-0.3.0.tar.xz.asc deleted file mode 100644 index f63ef79..0000000 --- a/umoci-0.3.0.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAllzczoACgkQnhiqJn3b -jbRhJRAAgdV9H2ExrjDjP/VPlhu1PRhDBBIudwmBj32isqb83eLx/0o68rxhnFm2 -SyjwDy1YApfgUaEUjEUOJSIhfkO3d9NyFA4znkO/p8E6EnbFaAQ2EBov0+QuhrjY -iq3F2oM0bUsV9DYYsmDsseHc8Ti+VqJdAiv+fa8detPAmJknHBFTka58L0yCPT8m -t0hQRbFRD/9bbLt9FUOjUtdRmenJvpM7XEh7l+DPi5qVvESMtgUmpNJ7ZljGE/6l -Bd+qBr3SGNbGxwrirNRhTSlEz2uEQYfaArOr3gD42XvFa2kq25bbTuL29eF7jd39 -9ipmpnqlYmxxKh/9wOYqjkFTDwsfxgxV7Aw7m3XABm/tUNIg3taBjDmOKdWKUf60 -xxObtcFTUC8Y7KJCF2uzxJh4xO8NWVx5wKsoFyN8Wm/zlMJCdt1m7dj1o4T4aMHh -CXhjqPPyj7dmMWKk6jQ/7/o3gz2ZCUPm2ytHdFKFQX7FoFY4QnJ9UhUfSwjOlTSS -stUI8o9vHpP/pfp89OWwdo+Rc68oP00+EUk/L5CcbyMRSmtRC6owt480dYOPGuu4 -i8yj4cNQe51gJ9qSHayrELt+sfZRO7vK2ws12eNavt26DzMU5oucDgU6Aoj6S5ka -4g8VaG8GLcU8I4ORdjmXqI+Pntfa2cUsY/Hlr0ZA0dpiUdgx0LI= -=U59f ------END PGP SIGNATURE----- 
diff --git a/umoci-0.3.1.tar.xz b/umoci-0.3.1.tar.xz new file mode 100644 index 0000000..33224ca --- /dev/null +++ b/umoci-0.3.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9c92c72edeaf44b3409125e15a619f6718d9ddd29ed9539c60076b8746625440 +size 341716 diff --git a/umoci-0.3.1.tar.xz.asc b/umoci-0.3.1.tar.xz.asc new file mode 100644 index 0000000..0dcd128 --- /dev/null +++ b/umoci-0.3.1.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlnUNXwACgkQnhiqJn3b +jbRlPBAAg/ykOVftxsHQM8YKjQqRcD2+d6csXMlI0q2zErnWAQ+G7qdoRwj2PyLW +KbnV20082eqhI5+eg+LRGjb6XKyDdx/3YzqTH8etbUi8U9VKaj1fdAH08bTa93fq +sDEo6s1DiZZfI/POG/00ugkkBsLriROAYfqgUez7YH91+bPGVpY/5CmioACWBCs+ +tNgd/dT3Db+q0ORkWjCLQLNtejJ3lFzL7gQwoQl0gv1NH6h3zxM6LcAvD9n8mm6w +ADxoCkWwvbH6qfIH7tKgbkDYxf9LTPfwijyFtBxF9jkwUOjJnURwTA6kTvwtRdjN +Dl8SKqqZGrivu4tki4JRAIOKuvRCqVryeMX98IHTTyuQENZneSK8uojYTZdV/mq0 +YrExjs1K7OZHIgdxcJfRmxpP8ypXfWeP6s4pQklTmXjWmA+IU9IbOi43phEJ6fKI +8vlItvNTTDimePvp0RRP+UnwatT7XMnp+2AioCN3cexx+//Iadtl8jcs0dTDBqe7 +gdPx7f6Qw81ZQmAoL0OBat7zBtxHnKeLsdK0xcl3RJ7RzdSPaLvOHqMmaNS356Ve +q/dq/a65b/kReQwM636JSssMEdtB2eEvJ+LNVMB/oOyfdRutOPODM67W5PVUBHAE +0XDf8HWxZNPUghQnYUIWIlwfhRHGnatOgbsi7/Rr3nVFsPaCI9w= +=VfqF +-----END PGP SIGNATURE----- diff --git a/umoci.changes b/umoci.changes index 2d7f200..8acae62 100644 --- a/umoci.changes +++ b/umoci.changes 
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Wed Oct 4 02:52:51 UTC 2017 - asarai@suse.com
+
+- Update to umoci v0.3.1. Upstream changelog:
+ - Fix several minor bugs in `hack/release.sh` that caused the release artefacts
+ to not match the intended style, as well as making it more generic so other
+ projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
+ - A recent configuration issue caused `go vet` and `go lint` to not run as part
+ of our CI jobs. This means that some of the information submitted as part of
+ [CII best practices badging][cii] was not accurate. This has been corrected,
+ and after review we concluded that only stylistic issues were discovered by
+ static analysis. openSUSE/umoci#158
+ - 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
+ fixed, and we've added tests to our CI to ensure that something like this
+ won't go unnoticed in the future. openSUSE/umoci#157
+ - `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
+ would not cause issues when building an image (as we only create a manifest
+ of the final extracted rootfs), it would cause issues for other users of
+ `umoci`. openSUSE/umoci#166 openSUSE/umoci#169
+ - Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
+ bugs with manifest generation. openSUSE/umoci#176
+ - `umoci unpack` would not handle "weird" tar archive layers previously (it
+ would error out with DiffID errors). While this wouldn't cause issues for
+ layers generated using Go's `archive/tar` implementation, it would cause
+ issues for GNU gzip and other such tools.
+ - `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
+ interface change, to better match the [`user_namespaces(7)`][user_namespaces]
+ interfaces. Note that this is a **breaking change**, but the workaround is to
+ switch to the trivially different (but now more consistent) format.
+ openSUSE/umoci#167 + - `umoci unpack` used to create the bundle and rootfs with world + read-and-execute permissions by default. This could potentially result in an + unsafe rootfs (containing dangerous setuid binaries for instance) being + accessible by an unprivileged user. This has been fixed by always setting the + mode of the bundle to `0700`, which requires a user to explicitly work around + this basic protection. This scenario was documented in our security + documentation previously, but has now been fixed. openSUSE/umoci#181 + openSUSE/umoci#182 + + [cii]: https://bestpractices.coreinfrastructure.org/projects/1084 + [gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1 + [user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html +- Remove patch that has been applied upstream. + - i586-0001-fix-mis-usage-of-time.Unix.patch + ------------------------------------------------------------------- Tue Jul 25 10:42:54 UTC 2017 - asarai@suse.com diff --git a/umoci.spec b/umoci.spec index f34ba07..6241bf0 100644 --- a/umoci.spec +++ b/umoci.spec @@ -24,7 +24,7 @@ %define project github.com/openSUSE/umoci Name: umoci -Version: 0.3.0 +Version: 0.3.1 Release: 0 Summary: Open Container Image manipulation tool License: Apache-2.0 @@ -33,8 +33,6 @@ Url: https://github.com/openSUSE/umoci Source0: %{name}-%{version}.tar.xz Source1: %{name}-%{version}.tar.xz.asc Source2: %{name}.keyring -# PATCH-FIX-UPSTREAM: Backport of https://github.com/openSUSE/umoci/pull/157. -Patch100: i586-0001-fix-mis-usage-of-time.Unix.patch BuildRequires: fdupes BuildRequires: go >= 1.6 BuildRequires: go-go-md2man @@ -50,8 +48,6 @@ provided by the OCI. %prep %setup -q -# https://github.com/openSUSE/umoci/pull/157 -%patch100 -p1 %build