Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rekor for openSUSE:Factory checked in at 2025-04-14 12:58:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rekor (Old)
 and      /work/SRC/openSUSE:Factory/.rekor.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rekor" Mon Apr 14 12:58:11 2025 rev:26 rq:1268974 version:1.3.10 Changes: -------- --- /work/SRC/openSUSE:Factory/rekor/rekor.changes 2025-01-28 15:00:29.465313593 +0100 +++ /work/SRC/openSUSE:Factory/.rekor.new.1907/rekor.changes 2025-04-14 12:58:14.443892449 +0200 @@ -1,0 +2,20 @@ +Fri Apr 11 18:10:26 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- Update to version 1.3.10: + * Features + - Added --client-signing-algorithms flag (#1974) + * Fixes / Misc + - emit unpopulated values when marshalling (#2438) + - pkg/api: better logs when algorithm registry rejects a key + (#2429) + - chore: improve mysql readiness checks (#2397) + - Added --client-signing-algorithms flag (#1974) + * Security fixes (over the last releases): + - CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227053) + - CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236519) + - CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638) + - CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239191) + - CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239327) + - CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing (bsc#1240468) + +------------------------------------------------------------------- Old: ---- rekor-1.3.9.obscpio New: ---- rekor-1.3.10.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rekor.spec ++++++ --- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.435934108 +0200 +++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.435934108 +0200 
@@ -19,7 +19,7 @@ %define apps cli server Name: rekor -Version: 1.3.9 +Version: 1.3.10 Release: 0 Summary: Supply Chain Transparency Log License: Apache-2.0 
@@ -27,16 +27,27 @@ Source: %{name}-%{version}.tar.gz Source1: vendor.tar.zst Source2: rekor-zypper-verify.sh +BuildRequires: go >= 1.23.6 BuildRequires: golang-packaging BuildRequires: zstd -BuildRequires: golang(API) %description -Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website +Rekor's goals are to provide an immutable tamper resistant ledger of metadata +generated within a software projects supply chain. Rekor will enable software +maintainers and build systems to record signed metadata to an immutable record. +Other parties can then query said metadata to enable them to make informed +decisions on trust and non-repudiation of an object's lifecycle. For more +details visit the sigstore website -The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact. +The Rekor project provides a restful API based server for validation and a +transparency log for storage. A CLI application is available to make and verify +entries, query the transparency log for inclusion proof, integrity verification +of the transparency log or retrieval of entries by either public key or +artifact. -Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling. 
+Rekor fulfils the signature transparency role of sigstore's software signing +infrastructure. However, Rekor can be run on its own and is designed to be +extensible to working with different manifest schemas and PKI tooling. %prep %autosetup -p1 -a1 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.467935452 +0200 +++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.467935452 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/sigstore/rekor</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.3.9</param> + <param name="revision">v1.3.10</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.487936292 +0200 +++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.487936292 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sigstore/rekor</param> - <param name="changesrevision">b67ee82b1d4bddf70d8e9dc9db54163e8928d775</param></service></servicedata> + <param name="changesrevision">4118a64b4b9c228a968b2d935a00807ca1b33aed</param></service></servicedata> (No newline at EOF) ++++++ rekor-1.3.9.obscpio -> rekor-1.3.10.obscpio ++++++ ++++ 3497 lines of diff (skipped) ++++++ rekor.obsinfo ++++++ --- /var/tmp/diff_new_pack.NpqLHM/_old 2025-04-14 12:58:15.791949058 +0200 +++ /var/tmp/diff_new_pack.NpqLHM/_new 2025-04-14 12:58:15.795949227 +0200 @@ -1,5 +1,5 @@ name: rekor -version: 1.3.9 -mtime: 1737995333 -commit: b67ee82b1d4bddf70d8e9dc9db54163e8928d775 +version: 1.3.10 +mtime: 1744388461 +commit: 4118a64b4b9c228a968b2d935a00807ca1b33aed ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/rekor/vendor.tar.zst /work/SRC/openSUSE:Factory/.rekor.new.1907/vendor.tar.zst differ: char 7, line 1
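Review bot: in the rekor.changes hunk the line "Added --client-signing-algorithms flag (#1974)" appears twice, once under "Features" and again under "Fixes / Misc"; drop the second occurrence. The six CVE lines in the same hunk all name vendored modules (go-retryablehttp, golang.org/x/net, go-jose, golang.org/x/oauth2, golang.org/x/crypto, golang-jwt), so the actual fixes live in vendor.tar.zst, which this submission only reports as "differ: char 7, line 1" and whose 3497-line diff is skipped; listing the bumped module versions next to each CVE in the changes entry would let a reviewer confirm the fix without unpacking the vendor tarball.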
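Review bot: in the rekor.spec @@ -27,16 hunk the rewrapped %description keeps the original wording errors ("within a software projects supply chain" should read "project's"; "tamper resistant" should be hyphenated as "tamper-resistant"); since the paragraph is being reflowed anyway, fix the text in the same change. The swap of "BuildRequires: golang(API)" for "BuildRequires: go >= 1.23.6" pins a minimum toolchain; confirm that 1.23.6 matches the go directive in the 1.3.10 tarball's go.mod so the build requirement neither lags behind nor over-constrains the module's own minimum.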