build: provenance and tampering checks for libgit2 #823

Merged
merged 4 commits into from
Jul 13, 2022

@pjbgf pjbgf commented Jul 8, 2022

Closes #820.

Paulo Gomes added 2 commits July 7, 2022 17:23
- cloud.google.com/go/storage to version 1.23.0.
- github.com/ProtonMail/go-crypto to version 0.0.0-20220623141421-5afb4c282135.
- github.com/distribution/distribution/v3 to version 3.0.0-20220702071910-8857a1948739.
- github.com/minio/minio-go/v7 to version 7.0.31.
- golang.org/x/crypto to version 0.0.0-20220622213112-05595931fe9d.
- golang.org/x/net to version 0.0.0-20220706163947-c90051bbdb60.
- google.golang.org/api to version 0.86.0.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

This dependency now releases two different images, one
containing the entire dependency chain for libgit2, and
another containing just the library itself. The latter
will be later used once Managed Transport is completely
removed from source controller.

As part of this update, the image now follows a new tag
format which is semver based and starts at 0.1.0.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

pjbgf added the area/ci (CI related issues and pull requests) label Jul 8, 2022
pjbgf marked this pull request as draft July 8, 2022 16:50

pjbgf commented Jul 8, 2022

Depends on the new v0.1.1 which will be created after fluxcd/golang-with-libgit2#30 is merged.

This addresses CVE-2022-1996, due to v2.16.0 including
emicklei/go-restful@9266625.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

pjbgf force-pushed the update-deps branch 2 times, most recently from a9af24c to 9d8a011 July 13, 2022 09:04

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

pjbgf marked this pull request as ready for review July 13, 2022 09:22
pjbgf merged commit 7b4ba69 into fluxcd:main Jul 13, 2022
pjbgf deleted the update-deps branch July 13, 2022 10:11
pjbgf added this to the GA milestone Jul 18, 2022
Successfully merging this pull request may close these issues.

Validate checksum before consuming golang-with-libgit2 artefacts