Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump google/certificate-transparency-go v1.0.21 #2910

Closed
wants to merge 1 commit into from
Closed

bump google/certificate-transparency-go v1.0.21 #2910

wants to merge 1 commit into from

Conversation

thaJeztah
Copy link
Member

full diff: google/certificate-transparency-go@v1.0.20...v1.0.21

  • CTFE no longer prints certificate chains as long byte strings in messages when
    handler errors occur. This was obscuring the reason for the failure and wasn't
    particularly useful.
  • CTFE now has a global log URL path prefix flag and a configuration proto for a
    log specific path. The latter should help for various migration strategies if
    existing C++ server logs are going to be converted to run on the new code.
  • More progress has been made on log mirroring. We believe that it's now at the
    point where testing can begin.
  • The certcheck and ct_hammer utilities have received more enhancements.
  • x509 and x509util now support Subject Information Access and additional exten-
    sions for RPKI / RFC
  • scanner / fixchain and some other command line utilities now have better
    handling of non-fatal errors.

@thaJeztah
Copy link
Member Author

ping @justincormack @dani-docker @dperny PTAL

@thaJeztah thaJeztah force-pushed the bump_certificate_transparency branch from 31e6773 to f006438 Compare October 20, 2019 13:27
@codecov
Copy link

codecov bot commented Oct 20, 2019
edited
Loading

Codecov Report

Merging #2910 (b982d78) into master (6303310) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #2910   +/-   ##
=======================================
  Coverage   62.29%   62.30%           
=======================================
  Files         155      155           
  Lines       24533    24533           
=======================================
+ Hits        15283    15285    +2     
+ Misses       7656     7645   -11     
- Partials     1594     1603    +9

@dani-docker
Copy link
Contributor

LGTM 👍

@SamWhited
Copy link
Member

LGTM; @thaJeztah since you just merged #2940 would it make sense to also merge this and backport it before the version of swarmkit that moby uses gets bumped? That way we can pull in the dependency updates all at once and keep customers happy since I think this dep bump fixes some potential CVEs.

@s0j
Copy link

s0j commented Apr 3, 2020

@thaJeztah Would it be possible to bump this to v1.1.0? There are a few more CVEs that have been addressed in v1.1.0: CVE-2018-16875, CVE-2018-16886.

@thaJeztah
Copy link
Member Author

I can do a quick follow-up after this one. Let me at least rebase it to have a fresh run of CI

@thaJeztah thaJeztah force-pushed the bump_certificate_transparency branch from f006438 to eb690ab Compare April 3, 2020 17:07
@thaJeztah
Copy link
Member Author

Note that any vendoring changes in this repo is only affecting CI. I'm usually bumping versions here first to make sure nothing broke in the tests in this repository, but the version that's actually used in docker engine will be the one that's vendored there

@s0j
Copy link

s0j commented Apr 3, 2020

Note that any vendoring changes in this repo is only affecting CI. I'm usually bumping versions here first to make sure nothing broke in the tests in this repository, but the version that's actually used in docker engine will be the one that's vendored there

Ok. For my understanding -- if we wanted google/certificate-transparency-ca:v1.1.0 in moby/moby, that would be a bump in moby/moby's docker/swarmkit as google/certificate-transparency-ca is a dependency of docker/swarmkit. Correct?

@dperny
Copy link
Collaborator

dperny commented Apr 3, 2020

@s0j i'm not sure how familiar you are with go's disastrously bad dependency management, but essentially, the vendored dependencies are completely separate sets for each package. in moby/moby, there is only 1 certificate-transparency version, which is used by every package that depends on it, including swarmkit. in the swarmkit repo, there is only 1 certificate-transparency, which is used to build swarmkit by itself, a situation only useful for CI purposes.

so, you bump the package here to make sure it works, and you bump the package there to actually use it. nothing vendored in this repository is present in the moby/moby repository.

i'm sure that even if that answers your question, it has created a whole host of new ones.

@thaJeztah
Copy link
Member Author

Ok. For my understanding -- if we wanted google/certificate-transparency-ca:v1.1.0 in moby/moby, that would be a bump in moby/moby's docker/swarmkit as google/certificate-transparency-ca is a dependency of docker/swarmkit. Correct?

strictly speaking, we can update the version in moby/moby without opening a PR in swarmkit first; It's mostly that I know SwarmKit uses this dependency, that I prefer to do a cycle of updating, and update it here first, then update it in moby/moby (including updating swarmkit, so that the versions "align").

It's mostly hygiene (bumping minor versions should be ok if the dependency properly follows SemVer, but unfortunately not all packages practice SemVer properly, and only "slammed" a SemVer tagging scheme on their repo to please go modules.

It's also worth noting that CVE's not always affect the code-paths we use, so even though it's good practice to keep the dependencies updated, at times updating the dependency isn't really needed (other than to comfort users that may get "itchy" if they hear about a CVE); even then, updating should be done with care, because there's always a risk of (hidden) regressions when updating code (vendoring helps there, because it makes the code changes that you're pulling in more visible).

@thaJeztah
bump google/certificate-transparency-go v1.0.21
b982d78 
full diff: google/certificate-transparency-go@v1.0.20...v1.0.21

- CTFE no longer prints certificate chains as long byte strings in messages when
  handler errors occur. This was obscuring the reason for the failure and wasn't
  particularly useful.
- CTFE now has a global log URL path prefix flag and a configuration proto for a
  log specific path. The latter should help for various migration strategies if
  existing C++ server logs are going to be converted to run on the new code.
- More progress has been made on log mirroring. We believe that it's now at the
  point where testing can begin.
- The certcheck and ct_hammer utilities have received more enhancements.
- x509 and x509util now support Subject Information Access and additional exten-
  sions for RPKI / RFC
- scanner / fixchain and some other command line utilities now have better
  handling of non-fatal errors.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah force-pushed the bump_certificate_transparency branch from eb690ab to b982d78 Compare December 3, 2021 17:27
@thaJeztah
Copy link
Member Author

Rebased, to get a fresh run of CI. @dperny ptal

@thaJeztah
Copy link
Member Author

Took some fun, but this has been done in #3097

@thaJeztah thaJeztah closed this Nov 24, 2022
@thaJeztah thaJeztah deleted the bump_certificate_transparency branch November 24, 2022 21:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@thaJeztah @dani-docker @SamWhited @s0j @dperny