umoci 0.3.1

@cyphar cyphar released this 05 Mar 01:21
v0.3.1
887ed60
  • Fix several minor bugs in hack/release.sh that caused the release artefacts
    to not match the intended style, as well as making it more generic so other
    projects can use it. openSUSE/umoci#155 openSUSE/umoci#163

  • A recent configuration issue caused go vet and go lint to not run as part
    of our CI jobs. This means that some of the information submitted as part of
    CII best practices badging was not accurate. This has been corrected,
    and after review we concluded that only stylistic issues were discovered by
    static analysis. openSUSE/umoci#158

  • 32-bit unit test builds were broken in a refactor in 0.3.0. This has been
    fixed, and we've added tests to our CI to ensure that something like this
    won't go unnoticed in the future. openSUSE/umoci#157

  • umoci unpack would not correctly preserve set{uid,gid} bits. While this
    would not cause issues when building an image (as we only create a manifest
    of the final extracted rootfs), it would cause issues for other users of
    umoci. openSUSE/umoci#166 openSUSE/umoci#169

  • Updated to v0.4.1 of go-mtree, which fixes several minor
    bugs with manifest generation. openSUSE/umoci#176

  • umoci unpack would not handle "weird" tar archive layers previously (it
    would error out with DiffID errors). While this wouldn't cause issues for
    layers generated using Go's archive/tar implementation, it would cause
    issues for GNU gzip and other such tools. openSUSE/umoci#178
    openSUSE/umoci#179

  • umoci unpack's mapping options (--uid-map and --gid-map) have had an
    interface change, to better match the user_namespaces(7)
    interfaces. Note that this is a breaking change, but the workaround is to
    switch to the trivially different (but now more consistent) format.
    openSUSE/umoci#167

  • umoci unpack used to create the bundle and rootfs with world
    read-and-execute permissions by default. This could potentially result in an
    unsafe rootfs (containing dangerous setuid binaries for instance) being
    accessible by an unprivileged user. This has been fixed by always setting the
    mode of the bundle to 0700, which requires a user to explicitly work around
    this basic protection. This scenario was documented in our security
    documentation previously, but has now been fixed. openSUSE/umoci#181
    openSUSE/umoci#182


Thanks to all of the contributors that made this release possible:

Signed-off-by: Aleksa Sarai [email protected]