Commit graph

116 commits

Author SHA1 Message Date
Eng Zer Jun
bcbf0431d1
testing: replace legacy gopkg.in/check.v1
This commit replaces the legacy `gopkg.in/check.v1` testing dependency
with `github.com/stretchr/testify`.

Closes https://github.com/distribution/distribution/issues/3884.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-12-13 09:22:43 +00:00
gotgelf
0e3018f2cf Otel tracing MVP: vendor changes
Signed-off-by: gotgelf <gotgelf@gmail.com>
2023-12-11 21:18:42 +01:00
Milos Gajdos
60e7e87889
vendor: github.com/spf13/cobra v1.8.0 (#4182) 2023-12-01 12:09:15 +00:00
Milos Gajdos
6f84e87803
update: AWS Go SDK bump to the latest release
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-12-01 11:24:44 +00:00
Sebastiaan van Stijn
1f6afab6e0
vendor: github.com/spf13/cobra v1.8.0
updating to current version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 12:05:31 +01:00
Milos Gajdos
a2613975a1
vendor: github.com/sirupsen/logrus v1.9.3 (#4179) 2023-12-01 10:51:38 +00:00
Milos Gajdos
3b58737bb6
vendor: github.com/gorilla/mux v1.8.1 (#4180) 2023-12-01 10:51:20 +00:00
Sebastiaan van Stijn
79976446f7
vendor: github.com/klauspost/compress v1.17.4
newer versions continue to include performance improvements, so it's good
to stay up-to-date.

full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:33:39 +01:00
Sebastiaan van Stijn
db187ae55c
vendor: github.com/gorilla/mux v1.8.1
full diff: https://github.com/gorilla/mux/compare/v1.8.0...v1.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:26:51 +01:00
Sebastiaan van Stijn
d6dd652f5a
vendor: github.com/sirupsen/logrus v1.9.3
full diff: https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:21:44 +01:00
dependabot[bot]
b8b390f4cd
build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-21 22:25:08 +00:00
dependabot[bot]
32316367c8
Bump google.golang.org/grpc from 1.53.0 to 1.56.3
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.53.0...v1.56.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 22:26:53 +00:00
Milos Gajdos
fe21f43911
feat: replace docker/libtrust with go-jose/go-jose
docker/libtrust repository has been archived for several years now.
This commit replaces all the libtrust JWT machinery with go-jose/go-jose module.
Some of the code has been adopted from libtrust and adjusted for some of
the use cases covered by the token authorization flow especially in the
tests.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-10-19 15:32:59 +01:00
dependabot[bot]
758c0f9d77
Bump golang.org/x/net from 0.8.0 to 0.17.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.8.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 23:39:45 +00:00
Geoffrey Hausheer
2435def474 Support systemd socket-activation
Signed-off-by: Geoffrey Hausheer <rc2012@pblue.org>
2023-09-20 09:37:22 -07:00
dependabot[bot]
e4dd28b886
Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 13:06:27 +00:00
Sebastiaan van Stijn
152af63ec5
deprecate reference package, migrate to github.com/distribution/reference
This integrates the new module, which was extracted from this repository
at commit b9b19409cf458dcb9e1253ff44ba75bd0620faa6;

    # install filter-repo (https://github.com/newren/git-filter-repo/blob/main/INSTALL.md)
    brew install git-filter-repo

    # create a temporary clone of docker
    cd ~/Projects
    git clone https://github.com/distribution/distribution.git reference
    cd reference

    # commit taken from
    git rev-parse --verify HEAD
    b9b19409cf

    # remove all code, except for general files, 'reference/', and rename to /
    git filter-repo \
      --path .github/workflows/codeql-analysis.yml \
      --path .github/workflows/fossa.yml \
      --path .golangci.yml \
      --path distribution-logo.svg \
      --path CODE-OF-CONDUCT.md \
      --path CONTRIBUTING.md \
      --path GOVERNANCE.md \
      --path README.md \
      --path LICENSE \
      --path MAINTAINERS \
      --path-glob 'reference/*.*' \
      --path-rename reference/:

    # initialize go.mod
    go mod init github.com/distribution/reference
    go mod tidy -go=1.20

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-31 15:47:06 +02:00
Milos Gajdos
fcbc25e789
Replace redigo with redis-go
We are replacing the very outdated redigo Go module with the official
redis Go module, go-redis.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-26 07:44:02 +01:00
David van der Spek
3e4c4ead4c
Remove bugsnag
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-21 10:24:36 +02:00
David van der Spek
77c33cd243
remove NewRelic
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-18 12:16:18 +02:00
Milos Gajdos
ac32466188
Merge pull request #3993 from DavidSpek/update-golang-lru
Update github.com/hashicorp/golang-lru to v2
2023-08-18 08:09:11 +01:00
David van der Spek
0f006548a1
update golang-lru to v2
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-17 13:41:54 +02:00
David van der Spek
9d862f0982
fix(deps): update module github.com/aws/aws-sdk-go to v1.44.325
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-17 12:02:28 +02:00
Milos Gajdos
3f1859af26
Remove oss storage driver and alicdn storage driver middleware
This commit removes `oss` storage driver from distribution as well as
`alicdn` storage middleware which only works with the `oss` driver.

There are several reasons for it:
* no real-life expertise among the maintainers
* oss is compatible with S3 API operations required by S3 storage driver

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-16 08:39:20 +01:00
Milos Gajdos
c6b9944ab1
Remove SWIFT storage driver
This commit removes swift storage driver from distribution.
There are several reasons for it:
* no real life expertise among the maintainers
* swift is compatible with S3 API operations required by S3 storage driver

This will also remove depedencies that are also hard to keep up with.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-15 09:14:11 +01:00
Laura Brehm
afe5a2a9b7 Support ztsd compression as Content-Encoding
Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-06-01 14:06:25 +01:00
Flavian Missi
817dd286c1 vendor: update gcs driver dependencies files
Signed-off-by: Flavian Missi <fmissi@redhat.com>
2023-05-31 09:28:43 +02:00
Flavian Missi
7caf058a65
bump azure sdk
v1.3.0 of azidentity introduces support to workload identity.

Signed-off-by: Flavian Missi <fmissi@redhat.com>
2023-05-22 09:05:35 +02:00
AdamKorcz
e2a43ec8d3
Fuzzing: Move over two fuzzers from cncf-fuzzing
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-02 23:03:57 +02:00
Kirat Singh
ba4a6bbe02 Update Azure SDK and support additional authentication schemes
Microsoft has updated the golang Azure SDK significantly.  Update the
azure storage driver to use the new SDK.  Add support for client
secret and MSI authentication schemes in addition to shared key
authentication.

Implement rootDirectory support for the azure storage driver to mirror
the S3 driver.

Signed-off-by: Kirat Singh <kirat.singh@beacon.io>

Co-authored-by: Cory Snider <corhere@gmail.com>
2023-04-25 17:23:20 +00:00
dependabot[bot]
9594fbcfeb
build(deps): bump golang.org/x/net from 0.4.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-17 22:42:11 +00:00
Sebastiaan van Stijn
345be95498
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to (circular) dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/3c1f35247d10...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.3.7...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 10:39:04 +01:00
Wang Yan
9d38ed78d2
Merge pull request #3764 from thaJeztah/bump_cobra
go.mod: github.com/spf13/cobra v1.6.1
2022-11-09 11:19:22 +08:00
Sebastiaan van Stijn
7b651a9692
digestset: deprecate package in favor of go-digest/digestset
This package was only used for the deprecated "shortid" syntax. Now that
support for this syntax was removed, we can also remove this package.

This patch deprecates and removes the package, adding temporary aliases pointing
to the new location to ease migration from docker/distribution to the new
distribution/distribution/v3. We should remove those aliases in a future update.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-08 23:17:10 +01:00
Sebastiaan van Stijn
b1285c33a8
go.mod: github.com/spf13/cobra v1.6.1
We were using v1.0.0 of Cobra as newer versions added spf13/viper as dependency,
which came with many indirect dependencies. Cobra v1.6.0 and up no longer depend
on viper, so we can now safely upgrade to the latest version.

full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-02 19:48:45 +01:00
Milos Gajdos
c47a966fde
Merge pull request #3727 from thaJeztah/bump_x_net
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
2022-10-21 10:26:57 +01:00
Aaron Lehmann
e36cb0a5d8 registry/storage/cache/memory: Use LRU cache to bound cache size
Instead of letting the cache grow without bound, use a LRU to impose a
size limit.

The limit is configurable through a new `blobdescriptorsize` config key.

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
2022-09-07 07:20:06 -07:00
Sebastiaan van Stijn
f9dee9dc90
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 23:09:44 +02:00
Sebastiaan van Stijn
ec47096efc
vendor: github.com/prometheus/client_golang v1.12.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-05 18:43:00 +02:00
Sebastiaan van Stijn
6e8dd268a8
update to go 1.18 (continue testing against 1.17)
Go 1.16 reached end of life, so update to the current version of Go, but also
run CI on the previous version (which is still supported).

We should probably also decide wether or not we want the Dockerfiles to pin to
a specific minor version; this makes the releases more deterministic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-05 10:36:28 +02:00
Trevor Wood
decc64eb5c
go.mod: github.com/aws/aws-sdk-go v1.43.16
Signed-off-by: Trevor Wood <Trevor.G.Wood@gmail.com>
2022-03-10 20:27:01 -05:00
Sebastiaan van Stijn
4f1c1e4268
go.mod: github.com/Azure/go-autorest/autorest v0.11.24
Update the indirect dependency to remove the transitional github.com/form3tech-oss/jwt-go
dependency from the dependency graph.

Updates:

- github.com/Azure/go-autorest/autorest v0.11.24: https://github.com/Azure/go-autorest/compare/autorest/v0.11.20...autorest/v0.11.24
- github.com/Azure/go-autorest/autorest/adal v0.9.18: https://github.com/Azure/go-autorest/compare/autorest/adal/v0.9.15...autorest/adal/v0.9.18
- github.com/golang-jwt/jwt v4.2.0: https://github.com/golang-jwt/jwt/compare/v4.0.0...v4.2.0
- golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3: 32db794688...e495a2d5b3

Before this:

    go mod graph | grep 'jwt'
    github.com/Azure/go-autorest/autorest/adal@v0.9.15 github.com/golang-jwt/jwt/v4@v4.0.0
    github.com/Azure/go-autorest/autorest/adal@v0.9.13 github.com/form3tech-oss/jwt-go@v3.2.2+incompatible

After this:

    go mod graph | grep 'jwt'
    github.com/Azure/go-autorest/autorest@v0.11.24 github.com/golang-jwt/jwt/v4@v4.2.0
    github.com/Azure/go-autorest/autorest/adal@v0.9.18 github.com/golang-jwt/jwt/v4@v4.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-28 18:02:58 +01:00
Sebastiaan van Stijn
79ead619be
go.mod: spf13/cobra v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-26 16:59:40 +01:00
Sebastiaan van Stijn
f9c1b86feb
go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go
This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating
spf13/cobra, we noticed that google.golang.org/grpc got updated.

Doing a search to find which modules (note here that `go mod graph` only looks
at dependencies from a `go modules` perspective, and not all the (current version)
of our dependencies use go modules).

And I found that the only _modules_ depending on it are `github.com/spf13/viper`
and `github.com/grpc-ecosystem/grpc-gateway`:

```bash
$ go mod graph | grep ' google.golang.org/grpc'
github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0
github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0
```

Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of
`github.com/spf13/viper`:

```bash
$ go mod graph | grep ' github.com/grpc-ecosystem/grpc-gateway'
github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0
```

So looking at that one, it's a dependency of cobra:

```bash
$ go mod graph | grep ' github.com/spf13/viper@v1.4.0'
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
```

Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`,
depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible
for `go mod` to update the dependency version of grpc, none of them are used:

```bash
cat vendor/modules.txt | grep github.com/spf13/viper
cat vendor/modules.txt | grep github.com/grpc-ecosystem/grpc-gateway
```

Unfortunately, `go modules` looks at `go.mod` to determine the *minimum version*
required; _even if the parts of the modules specifying it in the `go.mod` are unused_.

This patch adds a `replace` rule in go.mod to prevent updating grpc based on
other dependencies that _declare_ `google.golang.org/grpc` as a dependency,
but are not used and, hence, should not influence the minumum version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-26 16:59:38 +01:00
Adam Kaplan
81a2d171ee Update aws-sdk to 1.42.27
Upgrade the aws golang SDK to 1.42.27 to add the new options for
configuring S3 dualstack endpoints.

Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
2022-01-04 17:19:05 -05:00
Sebastiaan van Stijn
6fbba6a99b
go.mod: github.com/opencontainers/image-spec v1.0.2
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures

full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 22:25:16 +01:00
Wang Yan
3f4c558dac bump up golang v1.17
Signed-off-by: Wang Yan <wangyan@vmware.com>
2021-10-27 15:51:30 +08:00
David Justice
3e68d47da6
chore: update azure go-autorest dependencies
Signed-off-by: David Justice <david@devigned.com>
2021-08-25 13:43:18 -04:00
Sebastiaan van Stijn
226ad1e639
go.mod: update logrus to v1.8.1
Newer versions contain fixes for recent Go versions, and this removes
the dependency on github.com/konsorten/go-windows-terminal-sequences

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-22 14:36:56 +02:00
Sebastiaan van Stijn
06c8d441f8
go.mod: gopkg.in/yaml.v2 v2.4.0
This updates the package to a version to include the security fixes in v2.2.3.

Version 2.3.0 was known introduce a breaking change for some users, so using
the latest (v2.4.0)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-22 14:31:11 +02:00