Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package hauler for openSUSE:Factory checked 
in at 2026-06-30 15:11:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hauler (Old)
 and      /work/SRC/openSUSE:Factory/.hauler.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "hauler"

Tue Jun 30 15:11:37 2026 rev:20 rq:1362263 version:2.0.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/hauler/hauler.changes    2026-06-02 
19:48:04.254997739 +0200
+++ /work/SRC/openSUSE:Factory/.hauler.new.11887/hauler.changes 2026-06-30 
15:12:06.025334370 +0200
@@ -1,0 +2,29 @@
+Sun Jun 28 21:15:11 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 2.0.1 (bsc#1269433, CVE-2026-48702):
+  * bump go to 1.26.4 to squash CVE noise
+  * Full v2 Release notes: https://github.com/hauler-
+    dev/hauler/releases/tag/v2.0.0
+- update to 2.0.0:
+  * `v2.0.0` is a **major** release. It replaces Hauler's entire
+    OCI plumbing... the ORAS v1 dependency and the in-house
+    cosign fork with a native containerd based implementation,
+    drops the deprecated `v1alpha1` API, and layers on a
+    meaningful set of new capabilities and reliability fixes on
+    top of that new foundation.
+  * **Removed the ORAS v1 dependency** - push/pull is now driven
+    directly by containerd's docker resolver and `google/go-
+    containerregistry`, new `pkg/content/registry.go`
+    (`RegistryTarget`) and `pkg/content/types.go` (`Target`
+    interface, `IoContentWriter`) replaces what ORAS used to own.
+  * **Removed the hauler-maintained cosign fork** - `pkg/cosign`
+    is now a thin verify only wrapper around upstream
+    `sigstore/cosign/v3`. Images are added through a native
+    `s.AddImage()` path in `pkg/store`
+  * **Added OCI 1.1 Referrers support** - signatures,
+    attestations, and SBOMs are discovered both via the classic
+    cosign tag convention (`sha256-.sig` / `.att` / `.sbom`) and
+    the modern Referrers API, then correctly through the OCI
+    layout
+
+-------------------------------------------------------------------

Old:
----
  hauler-1.4.3.tar.gz

New:
----
  hauler-2.0.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ hauler.spec ++++++
--- /var/tmp/diff_new_pack.uIdGsj/_old  2026-06-30 15:12:07.261376235 +0200
+++ /var/tmp/diff_new_pack.uIdGsj/_new  2026-06-30 15:12:07.261376235 +0200
@@ -17,8 +17,8 @@
 
 
 Name:           hauler
-Version:        1.4.3
-%global git_commit d5a56fd647cecb9256ef40daefca102723284127
+Version:        2.0.1
+%global git_commit 4f47155d6f8ccec22ba6f609f2f1f4919b02fce1
 Release:        0
 Summary:        Airgap Swiss Army Knife
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.uIdGsj/_old  2026-06-30 15:12:07.301377589 +0200
+++ /var/tmp/diff_new_pack.uIdGsj/_new  2026-06-30 15:12:07.305377725 +0200
@@ -2,8 +2,6 @@
   <service name="download_files" mode="manual"/>
   <service name="go_modules" mode="manual">
     <param name="compression">zst</param>
-    <param name="replace">golang.org/x/net=golang.org/x/[email protected]</param>
-    <param 
name="replace">golang.org/x/crypto=golang.org/x/[email protected]</param>
   </service>
 </services>
 

++++++ hauler-1.4.3.tar.gz -> hauler-2.0.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/hauler/hauler-1.4.3.tar.gz 
/work/SRC/openSUSE:Factory/.hauler.new.11887/hauler-2.0.1.tar.gz differ: char 
12, line 1

++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/hauler/vendor.tar.zst 
/work/SRC/openSUSE:Factory/.hauler.new.11887/vendor.tar.zst differ: char 7, 
line 1

Reply via email to