umoci

pool/umoci

SHA256

Fork 1

Commit Graph

Author	SHA256	Message	Date
Aleksa Sarai	514f77b460	Accepting request 531029 from home:cyphar:containers - Update to umoci v0.3.1. Upstream changelog: - Fix several minor bugs in `hack/release.sh` that caused the release artefacts to not match the intended style, as well as making it more generic so other projects can use it. openSUSE/umoci#155 openSUSE/umoci#163 - A recent configuration issue caused `go vet` and `go lint` to not run as part of our CI jobs. This means that some of the information submitted as part of [CII best practices badging][cii] was not accurate. This has been corrected, and after review we concluded that only stylistic issues were discovered by static analysis. openSUSE/umoci#158 - 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been fixed, and we've added tests to our CI to ensure that something like this won't go unnoticed in the future. openSUSE/umoci#157 - `umoci unpack` would not correctly preserve set{uid,gid} bits. While this would not cause issues when building an image (as we only create a manifest of the final extracted rootfs), it would cause issues for other users of `umoci`. openSUSE/umoci#166 openSUSE/umoci#169 - Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor bugs with manifest generation. openSUSE/umoci#176 - `umoci unpack` would not handle "weird" tar archive layers previously (it would error out with DiffID errors). While this wouldn't cause issues for layers generated using Go's `archive/tar` implementation, it would cause issues for GNU gzip and other such tools. - `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an interface change, to better match the [`user_namespaces(7)`][user_namespaces] interfaces. Note that this is a breaking change, but the workaround is to switch to the trivially different (but now more consistent) format. openSUSE/umoci#167 - `umoci unpack` used to create the bundle and rootfs with world read-and-execute permissions by default. This could potentially result in an unsafe rootfs (containing dangerous setuid binaries for instance) being accessible by an unprivileged user. This has been fixed by always setting the mode of the bundle to `0700`, which requires a user to explicitly work around this basic protection. This scenario was documented in our security documentation previously, but has now been fixed. openSUSE/umoci#181 openSUSE/umoci#182 [cii]: https://bestpractices.coreinfrastructure.org/projects/1084 [gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1 [user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html - Remove patch that has been applied upstream. - i586-0001-fix-mis-usage-of-time.Unix.patch OBS-URL: https://build.opensuse.org/request/show/531029 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=26	2017-10-04 17:38:35 +00:00

Author

SHA256

Message

Date

Aleksa Sarai

514f77b460

Accepting request 531029 from home:cyphar:containers

- Update to umoci v0.3.1. Upstream changelog:
- Fix several minor bugs in `hack/release.sh` that caused the release artefacts
to not match the intended style, as well as making it more generic so other
projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
- A recent configuration issue caused `go vet` and `go lint` to not run as part
of our CI jobs. This means that some of the information submitted as part of
[CII best practices badging][cii] was not accurate. This has been corrected,
and after review we concluded that only stylistic issues were discovered by
static analysis. openSUSE/umoci#158
- 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
fixed, and we've added tests to our CI to ensure that something like this
won't go unnoticed in the future. openSUSE/umoci#157
- `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
would not cause issues when building an image (as we only create a manifest
of the final extracted rootfs), it would cause issues for other users of
`umoci`. openSUSE/umoci#166 openSUSE/umoci#169
- Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
bugs with manifest generation. openSUSE/umoci#176
- `umoci unpack` would not handle "weird" tar archive layers previously (it
would error out with DiffID errors). While this wouldn't cause issues for
layers generated using Go's `archive/tar` implementation, it would cause
issues for GNU gzip and other such tools.
- `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
interface change, to better match the [`user_namespaces(7)`][user_namespaces]
interfaces. Note that this is a **breaking change**, but the workaround is to
switch to the trivially different (but now more consistent) format.
openSUSE/umoci#167
- `umoci unpack` used to create the bundle and rootfs with world
read-and-execute permissions by default. This could potentially result in an
unsafe rootfs (containing dangerous setuid binaries for instance) being
accessible by an unprivileged user. This has been fixed by always setting the
mode of the bundle to `0700`, which requires a user to explicitly work around
this basic protection. This scenario was documented in our security
documentation previously, but has now been fixed. openSUSE/umoci#181
openSUSE/umoci#182

[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
[user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
- Remove patch that has been applied upstream.
- i586-0001-fix-mis-usage-of-time.Unix.patch

OBS-URL: https://build.opensuse.org/request/show/531029
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=26

2017-10-04 17:38:35 +00:00

1 Commits