Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apko for openSUSE:Factory checked in at 2023-10-31 20:25:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apko (Old) and /work/SRC/openSUSE:Factory/.apko.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko" Tue Oct 31 20:25:18 2023 rev:2 rq:1121302 version:0.11.2 Changes: --------
--- /work/SRC/openSUSE:Factory/apko/apko.changes 2023-10-27 22:29:08.233591874 +0200
+++ /work/SRC/openSUSE:Factory/.apko.new.17445/apko.changes 2023-10-31 20:25:29.713489283 +0100
@@ -1,0 +2,9 @@
+Mon Oct 30 19:10:59 UTC 2023 - [email protected]
+
+- Update to version 0.11.2:
+ * Update NEWS.md for v0.11.2
+ * Bump go-apk to fix solver
+ * build(deps): bump github/codeql-action from 2.22.4 to 2.22.5
+ * build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6
+
+-------------------------------------------------------------------
Old: ---- apko-0.11.1.obscpio New: ---- apko-0.11.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ apko.spec ++++++
--- /var/tmp/diff_new_pack.SyGD51/_old 2023-10-31 20:25:30.705525722 +0100
+++ /var/tmp/diff_new_pack.SyGD51/_new 2023-10-31 20:25:30.709525869 +0100
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name: apko
-Version: 0.11.1
+Version: 0.11.2
 Release: 0
 Summary: Build OCI images from APK packages directly without Dockerfile
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.SyGD51/_old 2023-10-31 20:25:30.737526897 +0100
+++ /var/tmp/diff_new_pack.SyGD51/_new 2023-10-31 20:25:30.741527044 +0100
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/chainguard-dev/apko</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">v0.11.1</param>
+ <param name="revision">v0.11.2</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="changesgenerate">enable</param>
 <param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.SyGD51/_old 2023-10-31 20:25:30.765527926 +0100
+++ /var/tmp/diff_new_pack.SyGD51/_new 2023-10-31 20:25:30.765527926 +0100
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/apko</param> - <param name="changesrevision">a2b17f6490d2b49eb3133d606c68e2a8fe6b3a6c</param></service></servicedata> + <param name="changesrevision">5b1493b5844d3cbfc505d024d64d56611e97861a</param></service></servicedata> (No newline at EOF) ++++++ apko-0.11.1.obscpio -> apko-0.11.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.11.1/.github/workflows/codeql.yaml new/apko-0.11.2/.github/workflows/codeql.yaml --- old/apko-0.11.1/.github/workflows/codeql.yaml 2023-10-27 00:06:13.000000000 +0200 +++ new/apko-0.11.2/.github/workflows/codeql.yaml 2023-10-30 19:51:37.000000000 +0100 @@ -21,7 +21,7 @@ check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 with: languages: go @@ -29,4 +29,4 @@ run: make apko - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.11.1/NEWS.md new/apko-0.11.2/NEWS.md --- old/apko-0.11.1/NEWS.md 2023-10-27 00:06:13.000000000 +0200 +++ new/apko-0.11.2/NEWS.md 2023-10-30 19:51:37.000000000 +0100 @@ -1,3 +1,7 @@ +# Changes from 0.11.1 to 0.11.2 + +* Fix a bug in version selection. + # Changes from 0.11.0 to 0.11.1 * Add JSON tags to ImageConfiguration types: https://github.com/chainguard-dev/apko/pull/933 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.11.1/go.mod new/apko-0.11.2/go.mod --- old/apko-0.11.1/go.mod 2023-10-27 00:06:13.000000000 +0200 +++ new/apko-0.11.2/go.mod 2023-10-30 19:51:37.000000000 +0100 
@@ -4,7 +4,7 @@
 
 require (
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220920003936-cd2dbcbbab49
- github.com/chainguard-dev/go-apk v0.0.0-20231026173255-29e1987fa2ba
+ github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08
 github.com/dominodatalab/os-release v0.0.0-20190522011736-bcdb4a3e3c2f
 github.com/go-git/go-git/v5 v5.10.0
@@ -29,7 +29,7 @@
 golang.org/x/term v0.13.0
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/apimachinery v0.28.3
- sigs.k8s.io/release-utils v0.7.5
+ sigs.k8s.io/release-utils v0.7.6
 )
 
 require (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-0.11.1/go.sum new/apko-0.11.2/go.sum
--- old/apko-0.11.1/go.sum 2023-10-27 00:06:13.000000000 +0200
+++ new/apko-0.11.2/go.sum 2023-10-30 19:51:37.000000000 +0100
@@ -104,8 +104,8 @@ github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chainguard-dev/go-apk v0.0.0-20231026173255-29e1987fa2ba h1:Lyhwc8omodIHzY4p5TzY6Pfut+26f9OEsPwoL2nWrmo= -github.com/chainguard-dev/go-apk v0.0.0-20231026173255-29e1987fa2ba/go.mod h1:LHiVwyOFfuMy/j+HPkAqow7c/+frfMBqaEkKChgG3HA= +github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a h1:f3m/NBTfmlLkwJ65s/4352OfuwQI/5cKWGT/MSgdwAw= +github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a/go.mod h1:LHiVwyOFfuMy/j+HPkAqow7c/+frfMBqaEkKChgG3HA= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08 h1:9Qh4lJ/KMr5iS1zfZ8I97+3MDpiKjl+0lZVUNBhdvRs= github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08/go.mod h1:MAuu1uDJNOS3T3ui0qmKdPUwm59+bO19BbTph2wZafE= github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= @@ -604,5 +604,5 @@ gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A= k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8= -sigs.k8s.io/release-utils v0.7.5 h1:0DYUWILqT0rirJ+8Vrp+Fr8jG8Q32ejFnulkahOvEao= -sigs.k8s.io/release-utils v0.7.5/go.mod h1:GZGWmbINwsLGKsoZKTeWUGp4F+Rbwhq4XDtJ45N+dLw= +sigs.k8s.io/release-utils v0.7.6 h1:mQxQRAIulbyz6y7eOCzklAelcpYjBj8MMGFcxNnyqto= +sigs.k8s.io/release-utils v0.7.6/go.mod h1:GZGWmbINwsLGKsoZKTeWUGp4F+Rbwhq4XDtJ45N+dLw= ++++++ apko.obsinfo ++++++ --- /var/tmp/diff_new_pack.SyGD51/_old 2023-10-31 20:25:30.997536447 +0100 +++ /var/tmp/diff_new_pack.SyGD51/_new 2023-10-31 20:25:31.001536594 +0100 
@@ -1,5 +1,5 @@ name: apko -version: 0.11.1 -mtime: 1698357973 -commit: a2b17f6490d2b49eb3133d606c68e2a8fe6b3a6c +version: 0.11.2 +mtime: 1698691897 +commit: 5b1493b5844d3cbfc505d024d64d56611e97861a ++++++ vendor.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/chainguard-dev/go-apk/pkg/apk/repo.go new/vendor/github.com/chainguard-dev/go-apk/pkg/apk/repo.go --- old/vendor/github.com/chainguard-dev/go-apk/pkg/apk/repo.go 2023-10-27 06:54:43.000000000 +0200 +++ new/vendor/github.com/chainguard-dev/go-apk/pkg/apk/repo.go 2023-10-30 20:11:09.000000000 +0100 @@ -678,7 +678,8 @@ } jVersion, err := p.parseVersion(jVersionStr) if err != nil { - return false + // If j fails to parse, prefer i. + return true } versions := compareVersions(iVersion, jVersion) if versions != equal { @@ -692,7 +693,8 @@ } jVersion, err := p.parseVersion(pkgs[j].Version) if err != nil { - return false + // If j fails to parse, prefer i. + return true } versions := compareVersions(iVersion, jVersion) if versions != equal { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/chainguard-dev/go-apk/pkg/fs/apkfs.go new/vendor/github.com/chainguard-dev/go-apk/pkg/fs/apkfs.go --- old/vendor/github.com/chainguard-dev/go-apk/pkg/fs/apkfs.go 2023-10-27 06:54:43.000000000 +0200 +++ new/vendor/github.com/chainguard-dev/go-apk/pkg/fs/apkfs.go 2023-10-30 20:11:09.000000000 +0100 @@ -61,7 +61,15 @@ tr := tar.NewReader(gzipStream) return file, tr, nil } - +func correctMode(mode fs.FileMode, header *tar.Header) fs.FileMode { + switch header.Typeflag { + case tar.TypeSymlink: + mode |= fs.ModeSymlink + case tar.TypeDir: + mode |= fs.ModeDir + } + return mode +} func NewAPKFS(ctx context.Context, archive string, apkfsType APKFSType) (*APKFS, error) { result := APKFS{archive, make(map[string]*apkFSFile), ctx, nil, apkfsType} 
@@ -101,7 +109,8 @@ } else if err != nil { return nil, err } - currentEntry := apkFSFile{mode: fs.FileMode(header.Mode), name: "/" + header.Name, + + currentEntry := apkFSFile{mode: correctMode(fs.FileMode(header.Mode), header), name: "/" + header.Name, uid: header.Uid, gid: header.Gid, size: uint64(header.Size), modTime: header.ModTime, createTime: header.ChangeTime, @@ -283,12 +292,6 @@ return a.file.mode } func (a *apkFSFileInfo) Type() fs.FileMode { - if a.IsDir() { - return fs.ModeDir - } - if a.file.linkTarget != "" { - return fs.ModeSymlink - } return a.Mode() } func (a *apkFSFileInfo) Info() (fs.FileInfo, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt --- old/vendor/modules.txt 2023-10-27 06:54:45.000000000 +0200 +++ new/vendor/modules.txt 2023-10-30 20:11:10.000000000 +0100 @@ -176,7 +176,7 @@ github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cache github.com/awslabs/amazon-ecr-credential-helper/ecr-login/config github.com/awslabs/amazon-ecr-credential-helper/ecr-login/version -# github.com/chainguard-dev/go-apk v0.0.0-20231026173255-29e1987fa2ba +# github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a ## explicit; go 1.20 github.com/chainguard-dev/go-apk/internal/tarfs github.com/chainguard-dev/go-apk/pkg/apk 
@@ -781,7 +781,7 @@
 # k8s.io/apimachinery v0.28.3
 ## explicit; go 1.20
 k8s.io/apimachinery/pkg/util/sets
-# sigs.k8s.io/release-utils v0.7.5
+# sigs.k8s.io/release-utils v0.7.6
 ## explicit; go 1.20
 sigs.k8s.io/release-utils/command
 sigs.k8s.io/release-utils/hash
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/sigs.k8s.io/release-utils/command/command.go new/vendor/sigs.k8s.io/release-utils/command/command.go
--- old/vendor/sigs.k8s.io/release-utils/command/command.go 2023-10-27 06:54:45.000000000 +0200
+++ new/vendor/sigs.k8s.io/release-utils/command/command.go 2023-10-30 20:11:10.000000000 +0100
@@ -58,7 +58,7 @@
 }
 
 // Stream combines standard output and error
-type Stream struct {
+type Stream struct { //nolint: errname
 stdOut string
 stdErr string
 }
@@ -195,7 +195,7 @@
 // RunSuccess starts the command and waits for it to finish. It returns an
 // error if the command execution was not successful.
 func (c *Command) RunSuccess() error {
- _, err := c.RunSuccessOutput() // nolint: errcheck
+ _, err := c.RunSuccessOutput() //nolint: errcheck
 return err
 }
 
@@ -242,7 +242,7 @@
 // an error if the command execution was not successful. This method does not
 // print the output of the command during its execution.
 func (c *Command) RunSilentSuccess() error {
- _, err := c.RunSilentSuccessOutput() // nolint: errcheck
+ _, err := c.RunSilentSuccessOutput() //nolint: errcheck
 return err
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/sigs.k8s.io/release-utils/command/global.go new/vendor/sigs.k8s.io/release-utils/command/global.go
--- old/vendor/sigs.k8s.io/release-utils/command/global.go 2023-10-27 06:54:45.000000000 +0200
+++ new/vendor/sigs.k8s.io/release-utils/command/global.go 2023-10-30 20:11:10.000000000 +0100
@@ -26,7 +26,7 @@
 
 // SetGlobalVerbose sets the global command verbosity to the specified value
 func SetGlobalVerbose(to bool) {
- var i int32 = 0
+ var i int32
 if to {
 i = 1
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/sigs.k8s.io/release-utils/hash/hash.go new/vendor/sigs.k8s.io/release-utils/hash/hash.go
--- old/vendor/sigs.k8s.io/release-utils/hash/hash.go 2023-10-27 06:54:45.000000000 +0200
+++ new/vendor/sigs.k8s.io/release-utils/hash/hash.go 2023-10-30 20:11:10.000000000 +0100
@@ -17,7 +17,7 @@
 package hash
 
 import (
- "crypto/sha1"
+ "crypto/sha1" //nolint: gosec
 "crypto/sha256"
 "crypto/sha512"
 "encoding/hex"
@@ -41,8 +41,9 @@
 }
 
 // SHA1ForFile returns the hex-encoded sha1 hash for the provided filename.
+// TODO: check if we can remove this function
 func SHA1ForFile(filename string) (string, error) {
- return ForFile(filename, sha1.New())
+ return ForFile(filename, sha1.New()) //nolint: gosec
 }
 
 // ForFile returns the hex-encoded hash for the provided filename and hasher.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/sigs.k8s.io/release-utils/tar/tar.go new/vendor/sigs.k8s.io/release-utils/tar/tar.go
--- old/vendor/sigs.k8s.io/release-utils/tar/tar.go 2023-10-27 06:54:45.000000000 +0200
+++ new/vendor/sigs.k8s.io/release-utils/tar/tar.go 2023-10-30 20:11:10.000000000 +0100
@@ -141,13 +141,19 @@
 func(reader *tar.Reader, header *tar.Header) (stop bool, err error) {
 switch header.Typeflag {
 case tar.TypeDir:
- targetDir := filepath.Join(destinationPath, header.Name)
+ targetDir, err := SanitizeArchivePath(destinationPath, header.Name)
+ if err != nil {
+ return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+ }
 logrus.Tracef("Creating directory %s", targetDir)
 if err := os.MkdirAll(targetDir, os.FileMode(0o755)); err != nil {
 return false, fmt.Errorf("create target directory: %w", err)
 }
 case tar.TypeSymlink:
- targetFile := filepath.Join(destinationPath, header.Name)
+ targetFile, err := SanitizeArchivePath(destinationPath, header.Name)
+ if err != nil {
+ return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+ }
 logrus.Tracef(
 "Creating symlink %s -> %s", header.Linkname, targetFile,
 )
@@ -161,8 +167,11 @@
 }
 // tar.TypeRegA has been deprecated since Go 1.11
 // should we just remove?
- case tar.TypeReg, tar.TypeRegA: //nolint: staticcheck
- targetFile := filepath.Join(destinationPath, header.Name)
+ case tar.TypeReg:
+ targetFile, err := SanitizeArchivePath(destinationPath, header.Name)
+ if err != nil {
+ return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+ }
 logrus.Tracef("Creating file %s", targetFile)
 
 if err := os.MkdirAll(
@@ -196,6 +205,17 @@
 )
 }
 
+// Sanitize archive file pathing from "G305: Zip Slip vulnerability"
+// https://security.snyk.io/research/zip-slip-vulnerability
+func SanitizeArchivePath(d, t string) (v string, err error) {
+ v = filepath.Join(d, t)
+ if strings.HasPrefix(v, filepath.Clean(d)) {
+ return v, nil
+ }
+
+ return "", fmt.Errorf("%s: %s", "content filepath is tainted", t)
+}
+
 // ReadFileFromGzippedTar opens a tarball and reads contents of a file inside.
 func ReadFileFromGzippedTar(
 tarPath, filePath string,
