Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package hauler for openSUSE:Factory checked in at 2026-06-30 15:11:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hauler (Old) and /work/SRC/openSUSE:Factory/.hauler.new.11887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hauler" Tue Jun 30 15:11:37 2026 rev:20 rq:1362263 version:2.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/hauler/hauler.changes 2026-06-02 19:48:04.254997739 +0200 +++ /work/SRC/openSUSE:Factory/.hauler.new.11887/hauler.changes 2026-06-30 15:12:06.025334370 +0200 @@ -1,0 +2,29 @@ +Sun Jun 28 21:15:11 UTC 2026 - Dirk Müller <[email protected]> + +- update to 2.0.1 (bsc#1269433, CVE-2026-48702): + * bump go to 1.26.4 to squash CVE noise + * Full v2 Release notes: https://github.com/hauler- + dev/hauler/releases/tag/v2.0.0 +- update to 2.0.0: + * `v2.0.0` is a **major** release. It replaces Hauler's entire + OCI plumbing... the ORAS v1 dependency and the in-house + cosign fork with a native containerd based implementation, + drops the deprecated `v1alpha1` API, and layers on a + meaningful set of new capabilities and reliability fixes on + top of that new foundation. + * **Removed the ORAS v1 dependency** - push/pull is now driven + directly by containerd's docker resolver and `google/go- + containerregistry`, new `pkg/content/registry.go` + (`RegistryTarget`) and `pkg/content/types.go` (`Target` + interface, `IoContentWriter`) replaces what ORAS used to own. + * **Removed the hauler-maintained cosign fork** - `pkg/cosign` + is now a thin verify only wrapper around upstream + `sigstore/cosign/v3`. Images are added through a native + `s.AddImage()` path in `pkg/store` + * **Added OCI 1.1 Referrers support** - signatures, + attestations, and SBOMs are discovered both via the classic + cosign tag convention (`sha256-.sig` / `.att` / `.sbom`) and + the modern Referrers API, then correctly through the OCI + layout + +------------------------------------------------------------------- Old: ---- hauler-1.4.3.tar.gz New: ---- hauler-2.0.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hauler.spec ++++++ --- /var/tmp/diff_new_pack.uIdGsj/_old 2026-06-30 15:12:07.261376235 +0200 +++ /var/tmp/diff_new_pack.uIdGsj/_new 2026-06-30 15:12:07.261376235 +0200 @@ -17,8 +17,8 @@ Name: hauler -Version: 1.4.3 -%global git_commit d5a56fd647cecb9256ef40daefca102723284127 +Version: 2.0.1 +%global git_commit 4f47155d6f8ccec22ba6f609f2f1f4919b02fce1 Release: 0 Summary: Airgap Swiss Army Knife License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.uIdGsj/_old 2026-06-30 15:12:07.301377589 +0200 +++ /var/tmp/diff_new_pack.uIdGsj/_new 2026-06-30 15:12:07.305377725 +0200 @@ -2,8 +2,6 @@ <service name="download_files" mode="manual"/> <service name="go_modules" mode="manual"> <param name="compression">zst</param> - <param name="replace">golang.org/x/net=golang.org/x/[email protected]</param> - <param name="replace">golang.org/x/crypto=golang.org/x/[email protected]</param> </service> </services> ++++++ hauler-1.4.3.tar.gz -> hauler-2.0.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/hauler/hauler-1.4.3.tar.gz /work/SRC/openSUSE:Factory/.hauler.new.11887/hauler-2.0.1.tar.gz differ: char 12, line 1 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/hauler/vendor.tar.zst /work/SRC/openSUSE:Factory/.hauler.new.11887/vendor.tar.zst differ: char 7, line 1
