diff --git a/0001-makefile-fix-bad-build-flags.patch b/0001-makefile-fix-bad-build-flags.patch
new file mode 100644
index 0000000..cec1704
--- /dev/null
+++ b/0001-makefile-fix-bad-build-flags.patch
@@ -0,0 +1,30 @@
+From ed20cebfec648920c59e0988aceeef7dfd646558 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 8 Apr 2021 18:55:40 +1000
+Subject: [PATCH] makefile: fix bad build flags
+
+Fix mistake in the Makefile which prevents the version field (as well as
+some other build flags) from being passed to "go build".
+
+Fixes: 6fbd32e48b66 ("Make Makefile more portable")
+Signed-off-by: Aleksa Sarai
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index d760e9289033..1fdcf650f4f9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -71,7 +71,7 @@ BASE_LDFLAGS := -s -w -X ${PROJECT}.gitCommit=${COMMIT} -X ${PROJECT}.version=${
+ 
+ # Specific build flags for build type.
+ ifeq ($(GOOS), linux)
+- TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test" DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
++ DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
+ TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test"
+ else
+ DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}"
+--
+2.30.2
+
diff --git a/umoci-0.4.6.tar.xz b/umoci-0.4.6.tar.xz
deleted file mode 100644
index 7ec1b48..0000000
--- a/umoci-0.4.6.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0b495ee61781c23ad9f0e1f431646cfd74fa10ca35f0547004c7b6cb9eb071b
-size 1546000
diff --git a/umoci-0.4.6.tar.xz.asc b/umoci-0.4.6.tar.xz.asc
deleted file mode 100644
index 323ede3..0000000
--- a/umoci-0.4.6.tar.xz.asc
+++ /dev/null
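Review bot: The removed line of the embedded Makefile hunk shows why the `linux` branch lost more than the version string: with both assignments on one line, everything after the first `:=` became the value of `TEST_BUILD_FLAGS`, so `DYN_BUILD_FLAGS` was never assigned in that branch and the Linux release build ran without `-buildmode=pie` and the `-s -w` link flags as well, unless a default exists outside the seven visible Makefile lines. The backport is the right fix, but the changelog ties it to KIWI needing sane `umoci --version` output and nothing in this diff guards that; if the spec has a `%check` section, a one-liner such as `<path-to-built-umoci> --version | grep -qF '%{version}'` would make a future rebase that silently drops the patch fail at build time instead of in KIWI. The `%prep` line that applies `0001-makefile-fix-bad-build-flags.patch` is not part of this chunk, so its application cannot be confirmed here.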
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl7ynQoACgkQnhiqJn3b
-jbRvhA/8Cy+8BejZaClgcn8gedWP70wAGDirhuJUbpxTIoBOPUxl5LK1q/K7AvqL
-VKDJLXQpAuVDTivER10IC/daL04J/3aNGKE+IwaLPG0spwyR4l8xuJAmMCB04dev
-tha0lrxyK6XygRYm5QHxJfSVEBfMfxY3LPeSVFDg4cIFNlr1jl3inGDPEMYftXy5
-pjNspsWgsIciUMadc+EzTiDwoY+EQjDLJP5V5kiDJQc/GoJclCIdLPYPzLsMwonv
-VEWZ8M5uplZ/5GyfEjcuiH2uyYojooHltWR6fa0aNE+2+oMHhH6l+MVFxvOSjVTi
-Z+8Y0SH9duJ6cTpXgFJvknGRjoB6kaMPkroLQtKjxNNuziuuRwUwobp6B6971yjE
-/TUVokPMQuoWcVk2TIg59P3IYTHoeU3etp/d1WIvVPy5jBtbU+msrgwuUBZzDyls
-ehuLGL+PbG3MrgwC1vJeUVQjmr49sXkneg6KtvQcIK6fGXHYH5GVlciWr9M3OaTd
-cI9riQQLHm/j3CwCAd1nluf77PH6aYmkFUPJ6rymH1Hxv2yJaMi1JweNcgismPVA
-PIncI+ozOllUYyB/WsTThwYIvt8k0dl1uhtVMUdUQtymgtI/tSEwANJ0T7b4j87c
-0qzHQlwU0mrF3HtOZj3U+wNA0k5jRRWjKN03rcmXDx4zDXubn7s=
-=q4px
------END PGP SIGNATURE-----
diff --git a/umoci-0.4.7.tar.xz b/umoci-0.4.7.tar.xz
new file mode 100644
index 0000000..b4abf28
--- /dev/null
+++ b/umoci-0.4.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:693a3780937c785de8f6dd233786c1ea870bbe8ccba2f6f1e20339329394743b
+size 1717012
diff --git a/umoci-0.4.7.tar.xz.asc b/umoci-0.4.7.tar.xz.asc
new file mode 100644
index 0000000..66af3b1
--- /dev/null
+++ b/umoci-0.4.7.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmBq/PMPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420uLUQAMgUBXRyvVePDAb/g4WVwwKbFrT8xPy0gQfT
+h+zj/4MTtd2iu5ypGVhca1yhtqt6AutJXOgxhIU9bY+wo7oqCV9TJRoiZZDiyhRU
+FUPmYszKqpBN2TIyyK4J9kqvfi7zlrYJOi4esRkay7ZgYz4el348aBIWNkak0Ip0
+NKhoWEGf41HabB0Ep/Rhy7JHe15ZtPLG6uH3TkjilWu4GB2rEkQusAztSnvrRP3Z
+9k/plJCwa04WJQW1r6kr1i5bqhTq82kP5yrzO52GbKdQWyLdESwxN8yFfWMl8Igb
+LOOBYKjnk/MtKLUOFK09mbfbQpaSqG0NLzMg42kEeqF8TpyBF5+/YTdLbSalGQhx
++BDTSOd4GB6lgV8zyBOBGcmNZmV977gW4AjHOZT8i3FPD4iaH3Bnwg2R5aqbIJK5
+AI40+NQMaAk+kME0FoAJnwov6w2kdDdOpyovfQ1l878HGlg8iZ5uf9bo6XuQGpr/
+lZHy8k9xC3mGr7OWmHrhL08TQlGK7wMQW7hgXKbAC8p8SSNU2aAqwEDdNohRSiu5
+g6Xg87zpc6Z4JsfYtI513ByWHdpE0jbcpv3BvSuEHnKGVfCjRBRBSOxAq7UZ1Koa
+6rbic/liobiul27LdMi022nhVA8KqClbYDoe8bOiZU2ZhcvevrK+nb89ucbSkUs4
+nlm2tviX
+=Q3Fv
+-----END PGP SIGNATURE-----
diff --git a/umoci.changes b/umoci.changes
index 5134a7a..950ce3c 100644
--- a/umoci.changes
+++ b/umoci.changes
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Apr 6 11:13:10 UTC 2021 - Aleksa Sarai
+
+- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147
+
+ A security flaw was found in umoci, and has been fixed in this release. If
+ umoci was used to unpack a malicious image (using either umoci unpack or
+ umoci raw unpack) that contained a symlink entry for /., umoci would apply
+ subsequent layers to the target of the symlink (resolved on the host
+ filesystem). This means that if you ran umoci as root, a malicious image
+ could overwrite any file on the system (assuming you didn't have any other
+ access control restrictions). Thanks to Robin Peraglie from Cure53 for
+ discovering this bug. CVE-2021-29136
+
+ Other changes in this release:
+
+ * umoci now compiles on FreeBSD and appears to work, with the notable
+ limitation that it currently refuses to extract non-Linux images on any
+ platform (this will be fixed in a future release).
+ * Initial fuzzer implementations for oss-fuzz.
+ * umoci will now read all trailing data from image layers, to combat the
+ existence of some image generators that appear to append NUL bytes to the
+ end of the gzip stream (which would previously cause checksum failures
+ because we didn't read nor checksum the trailing junk bytes). However,
+ umoci will still not read past the descriptor length.
+ * umoci now ignores all overlayfs xattrs during unpack and repack
+ operations, to avoid causing issues when packing a raw overlayfs
+ directory.
+ * For details, see CHANGELOG.md in the package.
+- Backport patch to fix KIWI which depends on umoci having sane output from
+ "umoci --version".
+ + 0001-makefile-fix-bad-build-flags.patch
+
+-------------------------------------------------------------------
+Thu Apr 1 05:36:50 UTC 2021 - Aleksa Sarai
+
+- Re-disable s390 builds.
+
 -------------------------------------------------------------------
 Wed Jun 24 00:27:44 UTC 2020 - Aleksa Sarai
 
@@ -80,8 +118,8 @@ Thu Aug 16 03:39:22 UTC 2018 - asarai@suse.com
 * Add 'umoci insert' and 'umoci raw unpack'.
 * 'umoci unpack' correctly handles out-of-order whiteouts now.
 * 'umoci unpack' and 'umoci repack' make sure of a more optimised gzip
- implementation now -- in some benchmarks 'umoci repack' can have a speedup
- of up to 3x.
+ implementation now -- in some benchmarks 'umoci repack' can have a speedup
+ of up to 3x.
 * For details, see CHANGELOG.md in the package.
 
 -------------------------------------------------------------------
@@ -93,55 +131,55 @@ Wed Jun 13 13:06:39 UTC 2018 - dcassany@suse.com
 Sat Mar 10 08:10:42 UTC 2018 - asarai@suse.com
 
 - Update to umoci v0.4.0. Upstream changelog:
- + `umoci repack` now supports `--refresh-bundle` which will update the
- OCI bundle's metadata (mtree and umoci-specific manifests) after packing
- the image tag. This means that the bundle can be used as a base layer for
- future diffs without needing to unpack the image again.
- openSUSE/umoci#196
- + Added a website, and reworked the documentation to be better structured.
- You can visit the website at [`umo.ci`][umo.ci]. openSUSE/umoci#188
- + Added support for the `user.rootlesscontainers` specification, which
- allows for persistent on-disk emulation of `chown(2)` inside rootless
- containers. This implementation is interoperable with [@AkihiroSuda's
- `PRoot` fork][as-proot-fork] (though we do not test its interoperability
- at the moment) as both tools use [the same protobuf
- specification][rootlesscontainers-proto]. openSUSE/umoci#227
- + `umoci unpack` now has support for opaque whiteouts (whiteouts which
- remove all children of a directory in the lower layer), though `umoci
- repack` does not currently have support for generating them. While this
- is technically a spec requirement, through testing we've never
- encountered an actual user of these whiteouts. openSUSE/umoci#224
- openSUSE/umoci#229
- + `umoci unpack` will now use some rootless tricks inside user namespaces
- for operations that are known to fail (such as `mknod(2)`) while other
- operations will be carried out as normal (such as `lchown(2)`). It should
- be noted that the `/proc/self/uid_map` checking we do can be tricked into
- not detecting user namespaces, but you would need to be trying to break
- it on purpose. openSUSE/umoci#171 openSUSE/umoci#230
- * Fix a bug in our "parent directory restore" code, which is responsible
- for ensuring that the mtime and other similar properties of a directory
- are not modified by extraction inside said directory. The bug would
- manifest as xattrs not being restored properly in certain edge-cases
- (which we incidentally hit in a test-case). openSUSE/umoci#161
- openSUSE/umoci#162
- * `umoci unpack` will now "clean up" the bundle generated if an error
- occurs during unpacking. Previously this didn't happen, which made
- cleaning up the responsibility of the caller (which was quite difficult
- if you were unprivileged). This is a breaking change, but is in the error
- path so it's not critical. openSUSE/umoci#174 openSUSE/umoci#187
- * `umoci gc` now will no longer remove unknown files and directories that
- aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec
- extensions or other users of an image being operated on will no longer
- break. openSUSE/umoci#198
- * `umoci unpack --rootless` will now correctly handle regular file
- unpacking when overwriting a file that `umoci` doesn't have write access
- to. In addition, the semantics of pre-existing hardlinks to a clobbered
- file are clarified (the hard-links will not refer to the new layer's
- inode). openSUSE/umoci#222 openSUSE/umoci#223
+ + `umoci repack` now supports `--refresh-bundle` which will update the
+ OCI bundle's metadata (mtree and umoci-specific manifests) after packing
+ the image tag. This means that the bundle can be used as a base layer for
+ future diffs without needing to unpack the image again.
+ openSUSE/umoci#196
+ + Added a website, and reworked the documentation to be better structured.
+ You can visit the website at [`umo.ci`][umo.ci]. openSUSE/umoci#188
+ + Added support for the `user.rootlesscontainers` specification, which
+ allows for persistent on-disk emulation of `chown(2)` inside rootless
+ containers. This implementation is interoperable with [@AkihiroSuda's
+ `PRoot` fork][as-proot-fork] (though we do not test its interoperability
+ at the moment) as both tools use [the same protobuf
+ specification][rootlesscontainers-proto]. openSUSE/umoci#227
+ + `umoci unpack` now has support for opaque whiteouts (whiteouts which
+ remove all children of a directory in the lower layer), though `umoci
+ repack` does not currently have support for generating them. While this
+ is technically a spec requirement, through testing we've never
+ encountered an actual user of these whiteouts. openSUSE/umoci#224
+ openSUSE/umoci#229
+ + `umoci unpack` will now use some rootless tricks inside user namespaces
+ for operations that are known to fail (such as `mknod(2)`) while other
+ operations will be carried out as normal (such as `lchown(2)`). It should
+ be noted that the `/proc/self/uid_map` checking we do can be tricked into
+ not detecting user namespaces, but you would need to be trying to break
+ it on purpose. openSUSE/umoci#171 openSUSE/umoci#230
+ * Fix a bug in our "parent directory restore" code, which is responsible
+ for ensuring that the mtime and other similar properties of a directory
+ are not modified by extraction inside said directory. The bug would
+ manifest as xattrs not being restored properly in certain edge-cases
+ (which we incidentally hit in a test-case). openSUSE/umoci#161
+ openSUSE/umoci#162
+ * `umoci unpack` will now "clean up" the bundle generated if an error
+ occurs during unpacking. Previously this didn't happen, which made
+ cleaning up the responsibility of the caller (which was quite difficult
+ if you were unprivileged). This is a breaking change, but is in the error
+ path so it's not critical. openSUSE/umoci#174 openSUSE/umoci#187
+ * `umoci gc` now will no longer remove unknown files and directories that
+ aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec
+ extensions or other users of an image being operated on will no longer
+ break. openSUSE/umoci#198
+ * `umoci unpack --rootless` will now correctly handle regular file
+ unpacking when overwriting a file that `umoci` doesn't have write access
+ to. In addition, the semantics of pre-existing hardlinks to a clobbered
+ file are clarified (the hard-links will not refer to the new layer's
+ inode). openSUSE/umoci#222 openSUSE/umoci#223
 
- [as-proot-fork]: https://github.com/AkihiroSuda/runrootless
- [rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto
- [umo.ci]: https://umo.ci/
+ [as-proot-fork]: https://github.com/AkihiroSuda/runrootless
+ [rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto
+ [umo.ci]: https://umo.ci/
 
 -------------------------------------------------------------------
 Thu Feb 1 16:58:09 CET 2018 - ro@suse.de
@@ -152,44 +190,44 @@ Thu Feb 1 16:58:09 CET 2018 - ro@suse.de
 Wed Oct 4 02:52:51 UTC 2017 - asarai@suse.com
 
 - Update to umoci v0.3.1. Upstream changelog:
- - Fix several minor bugs in `hack/release.sh` that caused the release artefacts
- to not match the intended style, as well as making it more generic so other
- projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
- - A recent configuration issue caused `go vet` and `go lint` to not run as part
- of our CI jobs. This means that some of the information submitted as part of
- [CII best practices badging][cii] was not accurate. This has been corrected,
- and after review we concluded that only stylistic issues were discovered by
- static analysis. openSUSE/umoci#158
- - 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
- fixed, and we've added tests to our CI to ensure that something like this
- won't go unnoticed in the future. openSUSE/umoci#157
- - `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
- would not cause issues when building an image (as we only create a manifest
- of the final extracted rootfs), it would cause issues for other users of
- `umoci`. openSUSE/umoci#166 openSUSE/umoci#169
- - Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
- bugs with manifest generation. openSUSE/umoci#176
- - `umoci unpack` would not handle "weird" tar archive layers previously (it
- would error out with DiffID errors). While this wouldn't cause issues for
- layers generated using Go's `archive/tar` implementation, it would cause
- issues for GNU gzip and other such tools.
- - `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
- interface change, to better match the [`user_namespaces(7)`][user_namespaces]
- interfaces. Note that this is a **breaking change**, but the workaround is to
- switch to the trivially different (but now more consistent) format.
- openSUSE/umoci#167
- - `umoci unpack` used to create the bundle and rootfs with world
- read-and-execute permissions by default. This could potentially result in an
- unsafe rootfs (containing dangerous setuid binaries for instance) being
- accessible by an unprivileged user. This has been fixed by always setting the
- mode of the bundle to `0700`, which requires a user to explicitly work around
- this basic protection. This scenario was documented in our security
- documentation previously, but has now been fixed. openSUSE/umoci#181
- openSUSE/umoci#182
+ - Fix several minor bugs in `hack/release.sh` that caused the release artefacts
+ to not match the intended style, as well as making it more generic so other
+ projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
+ - A recent configuration issue caused `go vet` and `go lint` to not run as part
+ of our CI jobs. This means that some of the information submitted as part of
+ [CII best practices badging][cii] was not accurate. This has been corrected,
+ and after review we concluded that only stylistic issues were discovered by
+ static analysis. openSUSE/umoci#158
+ - 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
+ fixed, and we've added tests to our CI to ensure that something like this
+ won't go unnoticed in the future. openSUSE/umoci#157
+ - `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
+ would not cause issues when building an image (as we only create a manifest
+ of the final extracted rootfs), it would cause issues for other users of
+ `umoci`. openSUSE/umoci#166 openSUSE/umoci#169
+ - Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
+ bugs with manifest generation. openSUSE/umoci#176
+ - `umoci unpack` would not handle "weird" tar archive layers previously (it
+ would error out with DiffID errors). While this wouldn't cause issues for
+ layers generated using Go's `archive/tar` implementation, it would cause
+ issues for GNU gzip and other such tools.
+ - `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
+ interface change, to better match the [`user_namespaces(7)`][user_namespaces]
+ interfaces. Note that this is a **breaking change**, but the workaround is to
+ switch to the trivially different (but now more consistent) format.
+ openSUSE/umoci#167
+ - `umoci unpack` used to create the bundle and rootfs with world
+ read-and-execute permissions by default. This could potentially result in an
+ unsafe rootfs (containing dangerous setuid binaries for instance) being
+ accessible by an unprivileged user. This has been fixed by always setting the
+ mode of the bundle to `0700`, which requires a user to explicitly work around
+ this basic protection. This scenario was documented in our security
+ documentation previously, but has now been fixed. openSUSE/umoci#181
+ openSUSE/umoci#182
 
- [cii]: https://bestpractices.coreinfrastructure.org/projects/1084
- [gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
- [user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
+ [cii]: https://bestpractices.coreinfrastructure.org/projects/1084
+ [gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
+ [user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
 
 - Remove patch that has been applied upstream.
 - i586-0001-fix-mis-usage-of-time.Unix.patch
@@ -204,51 +242,51 @@ Tue Jul 25 10:42:54 UTC 2017 - asarai@suse.com
 Sat Jul 22 15:57:44 UTC 2017 - asarai@suse.com
 
 - Update to umoci v0.3.0. Upstream changelog:
- - `umoci` now passes all of the requirements for the [CII best practices bading
- program][cii]. openSUSE/umoci#134
- - `umoci` also now has more extensive architecture, quick-start and roadmap
- documentation. openSUSE/umoci#134
- - `umoci` now supports [`1.0.0` of the OCI image
- specification][ispec-v1.0.0] and [`1.0.0` of the OCI runtime
- specification][rspec-v1.0.0], which are the first milestone release. Note
- that there are still some remaining UX issues with `--image` and other parts
- of `umoci` which may be subject to change in future versions. In particular,
- this update of the specification now means that images may have ambiguous
- tags. `umoci` will warn you if an operation may have an ambiguous result, but
- we plan to improve this functionality far more in the future.
- openSUSE/umoci#133 openSUSE/umoci#142
- - `umoci` also now supports more complicated descriptor walk structures, and
- also handles mutation of such structures more sanely. At the moment, this
- functionality has not been used "in the wild" and `umoci` doesn't have the UX
- to create such structures (yet) but these will be implemented in future
- versions. openSUSE/umoci#145
- - `umoci repack` now supports `--mask-path` to ignore changes in the rootfs
- that are in a child of at least one of the provided masks when generating new
- layers. openSUSE/umoci#127
- - Error messages from `github.com/openSUSE/umoci/oci/cas/drivers/dir` actually
- make sense now. openSUSE/umoci#121
- - `umoci unpack` now generates `config.json` blobs according to the [still
- proposed][ispec-pr492] OCI image specification conversion document.
- openSUSE/umoci#120
- - `umoci repack` also now automatically adding `Config.Volumes` from the image
- configuration to the set of masked paths. This matches recently added
- [recommendations by the spec][ispec-pr694], but is a backwards-incompatible
- change because the new default is that `Config.Volumes` **will** be masked.
- If you wish to retain the old semantics, use `--no-mask-volumes` (though make
- sure to be aware of the reasoning behind `Config.Volume` masking).
- openSUSE/umoci#127
- - `umoci` now uses [`SecureJoin`][securejoin] rather than a patched version of
- `FollowSymlinkInScope`. The two implementations are roughly equivalent, but
- `SecureJoin` has a nicer API and is maintained as a separate project.
- - Switched to using `golang.org/x/sys/unix` over `syscall` where possible,
- which makes the codebase significantly cleaner. openSUSE/umoci#141
+ - `umoci` now passes all of the requirements for the [CII best practices bading
+ program][cii]. openSUSE/umoci#134
+ - `umoci` also now has more extensive architecture, quick-start and roadmap
+ documentation. openSUSE/umoci#134
+ - `umoci` now supports [`1.0.0` of the OCI image
+ specification][ispec-v1.0.0] and [`1.0.0` of the OCI runtime
+ specification][rspec-v1.0.0], which are the first milestone release. Note
+ that there are still some remaining UX issues with `--image` and other parts
+ of `umoci` which may be subject to change in future versions. In particular,
+ this update of the specification now means that images may have ambiguous
+ tags. `umoci` will warn you if an operation may have an ambiguous result, but
+ we plan to improve this functionality far more in the future.
+ openSUSE/umoci#133 openSUSE/umoci#142
+ - `umoci` also now supports more complicated descriptor walk structures, and
+ also handles mutation of such structures more sanely. At the moment, this
+ functionality has not been used "in the wild" and `umoci` doesn't have the UX
+ to create such structures (yet) but these will be implemented in future
+ versions. openSUSE/umoci#145
+ - `umoci repack` now supports `--mask-path` to ignore changes in the rootfs
+ that are in a child of at least one of the provided masks when generating new
+ layers. openSUSE/umoci#127
+ - Error messages from `github.com/openSUSE/umoci/oci/cas/drivers/dir` actually
+ make sense now. openSUSE/umoci#121
+ - `umoci unpack` now generates `config.json` blobs according to the [still
+ proposed][ispec-pr492] OCI image specification conversion document.
+ openSUSE/umoci#120
+ - `umoci repack` also now automatically adding `Config.Volumes` from the image
+ configuration to the set of masked paths. This matches recently added
+ [recommendations by the spec][ispec-pr694], but is a backwards-incompatible
+ change because the new default is that `Config.Volumes` **will** be masked.
+ If you wish to retain the old semantics, use `--no-mask-volumes` (though make
+ sure to be aware of the reasoning behind `Config.Volume` masking).
+ openSUSE/umoci#127
+ - `umoci` now uses [`SecureJoin`][securejoin] rather than a patched version of
+ `FollowSymlinkInScope`. The two implementations are roughly equivalent, but
+ `SecureJoin` has a nicer API and is maintained as a separate project.
+ - Switched to using `golang.org/x/sys/unix` over `syscall` where possible,
+ which makes the codebase significantly cleaner. openSUSE/umoci#141
 
- [cii]: https://bestpractices.coreinfrastructure.org/projects/1084
- [rspec-v1.0.0]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0
- [ispec-v1.0.0]: https://github.com/opencontainers/image-spec/releases/tag/v1.0.0
- [ispec-pr492]: https://github.com/opencontainers/image-spec/pull/492
- [ispec-pr694]: https://github.com/opencontainers/image-spec/pull/694
- [securejoin]: https://github.com/cyphar/filepath-securejoin
+ [cii]: https://bestpractices.coreinfrastructure.org/projects/1084
+ [rspec-v1.0.0]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0
+ [ispec-v1.0.0]: https://github.com/opencontainers/image-spec/releases/tag/v1.0.0
+ [ispec-pr492]: https://github.com/opencontainers/image-spec/pull/492
+ [ispec-pr694]: https://github.com/opencontainers/image-spec/pull/694
+ [securejoin]: https://github.com/cyphar/filepath-securejoin
 
 -------------------------------------------------------------------
 Wed Apr 12 09:46:18 UTC 2017 - jmassaguerpla@suse.com
@@ -260,76 +298,76 @@ Wed Apr 12 09:46:18 UTC 2017 - jmassaguerpla@suse.com
 Wed Apr 12 01:05:12 UTC 2017 - asarai@suse.com
 
 - Update to umoci v0.2.1. Upstream changelog:
- * `hack/release.sh` automates the process of generating all of the published
- artefacts for releases. The new script also generates signed source code
- archives. openSUSE/umoci#116
- * `umoci` now outputs configurations that are compliant with [`v1.0.0-rc5` of
- the OCI runtime-spec][rspec-v1.0.0-rc5]. This means that now you can use runc
- v1.0.0-rc3 with `umoci` (and rootless containers should work out of the box
- if you use a development build of runc). openSUSE/umoci#114
- * `umoci unpack` no longer adds a dummy linux.seccomp entry, and instead just
- sets it to null. openSUSE/umoci#114
+ * `hack/release.sh` automates the process of generating all of the published
+ artefacts for releases. The new script also generates signed source code
+ archives. openSUSE/umoci#116
+ * `umoci` now outputs configurations that are compliant with [`v1.0.0-rc5` of
+ the OCI runtime-spec][rspec-v1.0.0-rc5]. This means that now you can use runc
+ v1.0.0-rc3 with `umoci` (and rootless containers should work out of the box
+ if you use a development build of runc). openSUSE/umoci#114
+ * `umoci unpack` no longer adds a dummy linux.seccomp entry, and instead just
+ sets it to null. openSUSE/umoci#114
 
- [rspec-v1.0.0-rc5]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5
+ [rspec-v1.0.0-rc5]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5
 - Add umoci.keyring to check signed archives on check-in and submission.
 
 -------------------------------------------------------------------
 Mon Apr 10 14:49:35 UTC 2017 - asarai@suse.com
 
 - Update to umoci v0.2.0. Upstream changelog:
- * `umoci` now has some automated scripts for generated RPMs that are used in
- openSUSE to automatically submit packages to OBS. openSUSE/umoci#101
+ * `umoci` now has some automated scripts for generated RPMs that are used in
+ openSUSE to automatically submit packages to OBS. openSUSE/umoci#101
 
- * `--clear=config.{cmd,entrypoint}` is now supported. While this interface is a
- bit weird (`cmd` and `entrypoint` aren't treated atomically) this makes the
- UX more consistent while we come up with a better `cmd` and `entrypoint` UX.
- openSUSE/umoci#107
+ * `--clear=config.{cmd,entrypoint}` is now supported. While this interface is a
+ bit weird (`cmd` and `entrypoint` aren't treated atomically) this makes the
+ UX more consistent while we come up with a better `cmd` and `entrypoint` UX.
+ openSUSE/umoci#107
 
- * New subcommand: `umoci raw runtime-config`. It generates the runtime-spec
- config.json for a particular image without also unpacking the root
- filesystem, allowing for users of `umoci` that are regularly parsing
- `config.json` without caring about the root filesystem to be more efficient.
- However, a downside of this approach is that some image-spec fields
- (`Config.User`) require a root filesystem in order to make sense, which is
- why this command is hidden under the `umoci-raw(1)` subcommand (to make sure
- only users that understand what they're doing use it). openSUSE/umoci#110
+ * New subcommand: `umoci raw runtime-config`. It generates the runtime-spec
+ config.json for a particular image without also unpacking the root
+ filesystem, allowing for users of `umoci` that are regularly parsing
+ `config.json` without caring about the root filesystem to be more efficient.
+ However, a downside of this approach is that some image-spec fields
+ (`Config.User`) require a root filesystem in order to make sense, which is
+ why this command is hidden under the `umoci-raw(1)` subcommand (to make sure
+ only users that understand what they're doing use it). openSUSE/umoci#110
 
- * `umoci`'s `oci/cas` and `oci/config` libraries have been massively refactored
- and rewritten, to allow for third-parties to use the OCI libraries. The plan
- is for these to eventually become part of an OCI project. openSUSE/umoci#90
+ * `umoci`'s `oci/cas` and `oci/config` libraries have been massively refactored
+ and rewritten, to allow for third-parties to use the OCI libraries. The plan
+ is for these to eventually become part of an OCI project. openSUSE/umoci#90
 
- * The `oci/cas` interface has been modifed to switch from `*ispec.Descriptor`
- to `ispec.Descriptor`. This is a breaking, but fairly insignificant, change.
- openSUSE/umoci#89
+ * The `oci/cas` interface has been modifed to switch from `*ispec.Descriptor`
+ to `ispec.Descriptor`. This is a breaking, but fairly insignificant, change.
+ openSUSE/umoci#89
 
- * `umoci` now uses an updated version of `go-mtree`, which has a complete
- rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
- handled in a far more consistent and sane way. openSUSE/umoci#88
+ * `umoci` now uses an updated version of `go-mtree`, which has a complete
+ rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
+ handled in a far more consistent and sane way. openSUSE/umoci#88
 
- * `umoci` used to set `process.user.additionalGids` to the "normal value" when
- unpacking an image in rootless mode, causing issues when trying to actually
- run said bundle with runC. openSUSE/umoci#109
+ * `umoci` used to set `process.user.additionalGids` to the "normal value" when
+ unpacking an image in rootless mode, causing issues when trying to actually
+ run said bundle with runC. openSUSE/umoci#109
 
 -------------------------------------------------------------------
 Fri Feb 10 18:03:27 UTC 2017 - asarai@suse.com
 
 - Update to umoci v0.1.0. Upstream changelog:
- * `CHANGELOG.md` has now been added. openSUSE/umoci#76
+ * `CHANGELOG.md` has now been added. openSUSE/umoci#76
 
- * `umoci` now supports `v1.0.0-rc4` images, which has made fairly minimal
- changes to the schema (mainly related to `mediaType`s). While this change
- **is** backwards compatible (several fields were removed from the schema, but
- the specification allows for "additional fields"), tools using older versions
- of the specification may fail to operate on newer OCI images. There was no UX
- change associated with this update.
+ * `umoci` now supports `v1.0.0-rc4` images, which has made fairly minimal
+ changes to the schema (mainly related to `mediaType`s). While this change
+ **is** backwards compatible (several fields were removed from the schema, but
+ the specification allows for "additional fields"), tools using older versions
+ of the specification may fail to operate on newer OCI images. There was no UX
+ change associated with this update.
 
- * `umoci tag` would fail to clobber existing tags, which was in contrast to how
- the rest of the tag clobbering commands operated. This has been fixed and is
- now consistent with the other commands. openSUSE/umoci#78
+ * `umoci tag` would fail to clobber existing tags, which was in contrast to how
+ the rest of the tag clobbering commands operated. This has been fixed and is
+ now consistent with the other commands. openSUSE/umoci#78
 
- * `umoci repack` now can correctly handle unicode-encoded filenames, allowing
- the creation of containers that have oddly named files. This required fixes
- to go-mtree (where the issue was). openSUSE/umoci#80
+ * `umoci repack` now can correctly handle unicode-encoded filenames, allowing
+ the creation of containers that have oddly named files. This required fixes
+ to go-mtree (where the issue was). openSUSE/umoci#80
 
 -------------------------------------------------------------------
 Tue Feb 7 22:25:56 UTC 2017 - jengelh@inai.de
@@ -344,30 +382,30 @@ Mon Feb 6 17:06:05 UTC 2017 - asarai@suse.com - Switch upstream channel to openSUSE's GitHub (where the project has been moved). - Update to umoci v0.0.0. Upstream changelog: - This is the first beta release of umoci, and it includes very few - changes from v0.0.0-rc3. However, at this point the UX is effectively - stable and umoci is properly tested. The (small) list of changes in this - release from -rc3 is: + This is the first beta release of umoci, and it includes very few + changes from v0.0.0-rc3. However, at this point the UX is effectively + stable and umoci is properly tested. The (small) list of changes in this + release from -rc3 is: - * Static compilation now works properly. openSUSE/umoci#64 + * Static compilation now works properly. openSUSE/umoci#64 - * 32-bit builds have been fixed, and now umoci works on 32-bit - architectures. openSUSE/umoci#70 + * 32-bit builds have been fixed, and now umoci works on 32-bit + architectures. openSUSE/umoci#70 - * The unit tests can now be run inside the %check section of an rpmbuild - script, allowing for proper testing of packages when they are built on - openSUSE (and Fedora). openSUSE/umoci#65 + * The unit tests can now be run inside the %check section of an rpmbuild + script, allowing for proper testing of packages when they are built on + openSUSE (and Fedora). openSUSE/umoci#65 - * Unit tests have been massively expanded, as have the integration - tests. In addition, full coverage profiles (both unit and integration) - are generated to fully understand how much of the code is properly - tested. Currently it is at ~80%. openSUSE/umoci#68 openSUSE/umoci#69 + * Unit tests have been massively expanded, as have the integration + tests. In addition, full coverage profiles (both unit and integration) + are generated to fully understand how much of the code is properly + tested. Currently it is at ~80%. 
openSUSE/umoci#68 openSUSE/umoci#69 - * The logging output has been cleaned up to be much better for end-users - to read. It's also a lot less chatty now. openSUSE/umoci#73 + * The logging output has been cleaned up to be much better for end-users + to read. It's also a lot less chatty now. openSUSE/umoci#73 - * This project has now been moved to become an openSUSE project. - openSUSE/umoci#75 + * This project has now been moved to become an openSUSE project. + openSUSE/umoci#75 ------------------------------------------------------------------- Fri Dec 30 14:56:38 UTC 2016 - asarai@suse.com 
@@ -388,41 +426,41 @@ Tue Dec 20 08:10:00 UTC 2016 - asarai@suse.com Mon Dec 19 12:57:31 UTC 2016 - asarai@suse.com - Update to umoci 0.0.0~rc3. Upstream changelog: - umoci has now gone a large amount of cleanup, and included the addition - of a few previously missing features. The main thing blocking a full - release is that manifest lists are still unsupported, and there are some - upstream PRs that define some of umoci's operations that need to be - merged before umoci can be considered a compliant implementation. In - addition, the logging library needs to be swapped (and the amount of - output reduced). + umoci has now gone a large amount of cleanup, and included the addition + of a few previously missing features. The main thing blocking a full + release is that manifest lists are still unsupported, and there are some + upstream PRs that define some of umoci's operations that need to be + merged before umoci can be considered a compliant implementation. In + addition, the logging library needs to be swapped (and the amount of + output reduced). - Here's a short list of features added: + Here's a short list of features added: - * xattr support for both packing and unpacking was added, in particular - this code also handles the issue of security.selinux. More policy - decisions need to be added, but those are being discussed upstream. - cyphar/umoci#52 cyphar/umoci#49 + * xattr support for both packing and unpacking was added, in particular + this code also handles the issue of security.selinux. More policy + decisions need to be added, but those are being discussed upstream. + cyphar/umoci#52 cyphar/umoci#49 - * Ensure that environment variables have no duplicates. This ensures - that umoci won't duplicate environment variables in either Config.Env - or the extracted process.env. cyphar/umoci#30 + * Ensure that environment variables have no duplicates. 
This ensures + that umoci won't duplicate environment variables in either Config.Env + or the extracted process.env. cyphar/umoci#30 - * Add support for read-only CAS operations with a read-only filesystem. - Previously, attempting to open an OCI image on a read-only filesystem - would fail miserably, now you can do read-only operations without - issue. cyphar/umoci#47 + * Add support for read-only CAS operations with a read-only filesystem. + Previously, attempting to open an OCI image on a read-only filesystem + would fail miserably, now you can do read-only operations without + issue. cyphar/umoci#47 - * Garbage collection now also garbage collects old tmpdirs, and other - garbage from inside an image layout. cyphar/umoci#17 + * Garbage collection now also garbage collects old tmpdirs, and other + garbage from inside an image layout. cyphar/umoci#17 - * Output a helpful comment about --rootless if you're getting EPERMs. + * Output a helpful comment about --rootless if you're getting EPERMs. - * Enable stack traces from an error if the --debug flag was applied to - umoci. This is a feature that hopefully will be added to pkg/errors - upstream. + * Enable stack traces from an error if the --debug flag was applied to + umoci. This is a feature that hopefully will be added to pkg/errors + upstream. - * Cleanups to vendoring of go-mtree so that it's much more - upstream-friendly. + * Cleanups to vendoring of go-mtree so that it's much more + upstream-friendly. ------------------------------------------------------------------- Tue Dec 13 09:20:10 UTC 2016 - asarai@suse.com 
@@ -435,60 +473,60 @@ Tue Dec 13 09:20:10 UTC 2016 - asarai@suse.com Sun Dec 11 13:42:08 UTC 2016 - asarai@suse.com - Update to umoci 0.0.0-rc2. Upstream changelog: - umoci now has a stable UX, as well as proper documentation for the UX in - the form of generated man pages. Here's the full list of cool features: + umoci now has a stable UX, as well as proper documentation for the UX in + the form of generated man pages. Here's the full list of cool features: - * umoci v0.0.0-rc2 has support for rootless unpacking and repacking! - cyphar/umoci#26 + * umoci v0.0.0-rc2 has support for rootless unpacking and repacking! + cyphar/umoci#26 - * It also has support for regular UID and GID mapping! cyphar/umoci#26 + * It also has support for regular UID and GID mapping! cyphar/umoci#26 - * Symlinks and other similarly tricky unpacking problems have been - resolved. All symlink path components are resolved inside the root - filesystem of the container during unpacking. cyphar/umoci#27 + * Symlinks and other similarly tricky unpacking problems have been + resolved. All symlink path components are resolved inside the root + filesystem of the container during unpacking. cyphar/umoci#27 - * Tag modification commands (such as umoci-tag(1), umoci-rm(1), - umoci-ls(1)) have been implemented. cyphar/umoci#6 cyphar/umoci#40 + * Tag modification commands (such as umoci-tag(1), umoci-rm(1), + umoci-ls(1)) have been implemented. cyphar/umoci#6 cyphar/umoci#40 - * umoci-stat(1) has been implemented. Currently it only outputs history - information, but this will change in the future. It has stable JSON - output. cyphar/umoci#38 + * umoci-stat(1) has been implemented. Currently it only outputs history + information, but this will change in the future. It has stable JSON + output. cyphar/umoci#38 - * umoci-init(1) and umoci-new(1) have been implemented, allowing for the - creation of entirely new images from scratch. 
cyphar/umoci#5 - cyphar/umoci#42 + * umoci-init(1) and umoci-new(1) have been implemented, allowing for the + creation of entirely new images from scratch. cyphar/umoci#5 + cyphar/umoci#42 - * umoci-repack(1) and umoci-config(1) now automatically generate history - entries (since the history is actually used by tooling like skopeo). In - addition, the history mutation from umoci-config(1) has been removed - because it was just unsafe. In order for users to be able to configure - history entries' values, --history.* flags have been introduced. - cyphar/umoci# + * umoci-repack(1) and umoci-config(1) now automatically generate history + entries (since the history is actually used by tooling like skopeo). In + addition, the history mutation from umoci-config(1) has been removed + because it was just unsafe. In order for users to be able to configure + history entries' values, --history.* flags have been introduced. + cyphar/umoci# - * umoci-unpack(1) now saves all of the important argument metadata - provided to it inside the generated bundle. These saved arguments are - loaded by umoci-repack(1) to make the workflow much more sane. + * umoci-unpack(1) now saves all of the important argument metadata + provided to it inside the generated bundle. These saved arguments are + loaded by umoci-repack(1) to make the workflow much more sane. - * --image and --from arguments have been combined into skopeo-style - [:] arguments to --image. cyphar/umoci#39 + * --image and --from arguments have been combined into skopeo-style + [:] arguments to --image. cyphar/umoci#39 - * Errors encountered during generation of a delta layer now are - correctly propagated. cyphar/umoci#33 + * Errors encountered during generation of a delta layer now are + correctly propagated. cyphar/umoci#33 - * Hardlinks are now correctly unpacked as bone-fide hardlinks. - cyphar/umoci#25 + * Hardlinks are now correctly unpacked as bone-fide hardlinks. 
+ cyphar/umoci#25 - * Support for unpacking and configuring annotations (which is a - v1.0.0-rc3 feature of the OCI image specification). There's still some - work to be done upstream in making the unpacking procedure specified - but this is as good as you're going to get for a while. - cyphar/umoci#43 + * Support for unpacking and configuring annotations (which is a + v1.0.0-rc3 feature of the OCI image specification). There's still some + work to be done upstream in making the unpacking procedure specified + but this is as good as you're going to get for a while. + cyphar/umoci#43 - * umoci has full integration and unit testing. cyphar/umoci#12 + * umoci has full integration and unit testing. cyphar/umoci#12 - * umoci now has validation integration tests to ensure that at every - stage of a test we could stop and still have a completely valid OCI - image and that every extracted bundle is a valid OCI runtime bundle. + * umoci now has validation integration tests to ensure that at every + stage of a test we could stop and still have a completely valid OCI + image and that every extracted bundle is a valid OCI runtime bundle. ------------------------------------------------------------------- Sun Dec 11 12:43:30 UTC 2016 - asarai@suse.com diff --git a/umoci.spec b/umoci.spec index 712909c..b43c755 100644 --- a/umoci.spec +++ b/umoci.spec @@ -1,7 +1,7 @@ # # spec file for package umoci # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define project github.com/opencontainers/umoci Name: umoci -Version: 0.4.6 +Version: 0.4.7 Release: 0 Summary: Open Container Image manipulation tool License: Apache-2.0 
@@ -29,11 +29,14 @@ URL: https://umo.ci
 Source0: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz
 Source1: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc
 Source2: https://umo.ci/%{name}.keyring
+# OPENSUSE-FIX-UPSTREAM: Backport of .
+Patch1: 0001-makefile-fix-bad-build-flags.patch
 BuildRequires: fdupes
+BuildRequires: go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
 # for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608
-BuildRequires: go-go-md2man
 BuildRequires: go1.14
+ExcludeArch: s390
 
 %description
 umoci modifies Open Container images. umoci is a manipulation tool for OCI
@@ -42,6 +45,8 @@ provided by the OCI.
 
 %prep
 %setup -q
+#
+%patch1 -p1
 
 %build
 export VERSION="$(cat ./VERSION)"
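Review bot: `ExcludeArch: s390` is added with no comment saying why, although the `BuildRequires: go1.14` lines right above it follow this file's convention of a why-comment with a bug reference (`bsc#1172608`); a line such as `# s390 (31-bit) has no Go toolchain in openSUSE; see <bug-or-issue-reference>` above it would stop the exclusion from being dropped as cruft on a later version bump. The two new comments in this hunk and in the `%prep` hunk (`Backport of .` and the bare `#` above `%patch1 -p1`) arrive with no reference at all; if an angle-bracketed upstream link was stripped by the page rendering there is nothing to do, otherwise fill in the upstream commit, e.g. `# OPENSUSE-FIX-UPSTREAM: Backport of <upstream-commit-url>.`, so the backport can be dropped once the next release carries it. Since the patch file name only says "fix bad build flags", naming in that comment which flags it restores to the release build (version stamping and any hardening flags) would also record why the backport matters rather than just that it exists.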