Commit graph

2751 commits

Author SHA1 Message Date
Wang Yan
70db3a46d9
bump up golang version
upgrade go version to v1.18.8

Signed-off-by: Wang Yan <wangyan@vmware.com>
2023-05-09 10:59:43 +02:00
CrazyMax
db1389e043
dockerfiles: formatting
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 0e17e54091)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:59:43 +02:00
CrazyMax
018472de2d
dockerfiles: set ALPINE_VERSION
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit b066451b40)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:59:42 +02:00
CrazyMax
19b3feb5df
Update to xx 1.1.1
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 52a88c596b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:59:42 +02:00
CrazyMax
14bd72bcf8
Dockerfile: switch to xx
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 87f93ede9e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:59:42 +02:00
Wang Yan
2392893bcf
bump up golang v1.17
Signed-off-by: Wang Yan <wangyan@vmware.com>
(cherry picked from commit 3f4c558dac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:59:38 +02:00
Sebastiaan van Stijn
092a2197ff
[release/2.8] fix package name in Dockerfile
The 2.8 release is still named github.com/docker/distribution.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 10:53:15 +02:00
Milos Gajdos
82d6c3d007
Merge pull request #3815 from wy65701436/release/2.8-cp-3615
[release/2.8] Fix panic in inmemory driver
2023-04-17 15:58:21 +01:00
Shengjing Zhu
ad5991de09 Fix panic in inmemory driver
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-12-04 22:47:15 +08:00
Hayley Swimelar
dc5b207fdd
Merge pull request #3650 from thaJeztah/2.8_bump_alpine
[release/2.8 backport] Fix CVE-2022-28391 by bumping alpine from 3.14 to 3.16
2022-05-26 09:32:25 -07:00
Silvin Lubecki
38018aeb5d
Fix CVE-2022-28391 by bumping alpine from 3.15 to 3.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9f2bc25b7a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-26 13:25:35 +02:00
Milos Gajdos
b5ca020cfb
Merge pull request #3605 from milosgajdos/update-release-notes
Update 2.8.1. release notes
2022-03-08 17:52:36 +00:00
Milos Gajdos
1b5f094086
Merge pull request #3604 from crazy-max/2.8-go-1.16.15
go 1.16.15
2022-03-08 17:15:10 +00:00
Milos Gajdos
96cc1fdb3c
FIx typo
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2022-03-08 17:14:24 +00:00
Milos Gajdos
e744906f09
Update 2.8.1. release notes
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2022-03-08 17:11:29 +00:00
CrazyMax
3df9fce2be
go 1.16.15
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-03-08 17:54:16 +01:00
Milos Gajdos
9a0196b801
Merge pull request #3596 from milosgajdos/fix-go-mod-v2.8.1
Prepare for v2.8.1 release
2022-03-01 11:37:47 +00:00
Milos Gajdos
6736d1881a
Prepare for v2.8.1 release
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2022-02-24 13:44:40 +00:00
Milos Gajdos
e4a447d0d7
Merge pull request #3595 from crazy-max/2.8-ci-gitref
[2.8 backport] ci: use proper git ref for versioning
2022-02-23 08:59:59 +00:00
CrazyMax
80acbdf0a2
ci: use proper git ref for versioning
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit fabf9cd4e9)
2022-02-22 22:05:10 +01:00
Milos Gajdos
dcf66392d6
Update README so the release pipeline works properly.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2022-02-07 15:40:21 +00:00
Milos Gajdos
212b38ed22
Merge pull request #3552 from milosgajdos/v2.8.0-release
Prepare for v2.8.0 release
2022-01-21 12:46:32 +00:00
Milos Gajdos
359b97a75a
Merge pull request #3568 from crazy-max/2.8-artifacts
[2.8] Release artifacts
2022-01-21 12:11:22 +00:00
Milos Gajdos
d5d89a46a3
Make this releaes a beta release first.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2022-01-21 11:36:41 +00:00
CrazyMax
6241e099e1
[2.8] Release artifacts
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-01-19 16:54:30 +01:00
Milos Gajdos
1840415ca8
Merge pull request #3565 from crazy-max/2.8-gha
[2.8] Release workflow
2022-01-13 16:56:37 +00:00
CrazyMax
65ca39e605
release workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-01-12 16:34:14 +01:00
Milos Gajdos
1ddad0bad8
Apply suggestions from code review
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2021-12-22 09:13:32 +00:00
Milos Gajdos
3960a560bb
Prepare for v2.8.0 release
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2021-12-21 13:24:39 +00:00
Milos Gajdos
3b7b534569
Merge pull request from GHSA-qq97-vm5h-rrhg
[release/2.7] manifest: validate document type before unmarshal
2021-11-23 19:16:40 +00:00
Milos Gajdos
afe85428bb
Merge pull request #3466 from thaJeztah/2.7_update_jwt
[release/2.7] github.com/golang-jwt/jwt v3.2.2
2021-11-23 09:10:53 +00:00
Milos Gajdos
f7365390ef
Merge pull request #3535 from thaJeztah/2.7_bump_oci_specs 2021-11-18 08:34:49 +00:00
Sebastiaan van Stijn
97f6daced4
[release/2.7] vendor: github.com/opencontainers/image-spec v1.0.2
(previous version vendored was v1.0.0)

full diff: ab7389ef9f...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 22:31:14 +01:00
Milos Gajdos
4313c14723
Merge pull request #3531 from wy65701436/fix-rand
[release/2.7]fix go check issues
2021-11-17 20:14:46 +00:00
Wang Yan
9a3ff11330 fix go check issues
G404: Replace math rand with crypto rand

Signed-off-by: Wang Yan <wangyan@vmware.com>
2021-11-16 17:46:08 +08:00
Samuel Karp
10ade61de9
manifest: validate document type before unmarshal
Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-11-05 10:16:09 -07:00
Milos Gajdos
691e62e7ef
Merge pull request #3495 from thaJeztah/2.7_backport_must
[release/2.7 backport] Change should to must in v2 spec
2021-09-08 14:44:47 +01:00
Justin Cormack
19b573a6f7
Change should to must in v2 spec
We found some examples of manifests with URLs specififed that did
not provide a digest or size. This breaks the security model by allowing
the content to change, as it no longer provides a Merkle tree. This
was not intended, so explicitly disallow by tightening wording.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 1660df4b60)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-08 15:24:07 +02:00
Sebastiaan van Stijn
c5679da3a1
[release/2.7] vendor: github.com/golang-jwt/jwt v3.2.1
to address CVE-2020-26160

full diff: a601269ab7...v3.2.2

3.2.1 release notes
---------------------------------------

- Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code
  Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
- Fixed type confusion issue between string and []string in VerifyAudience.
  This fixes CVE-2020-26160

3.2.2 release notes
---------------------------------------

- Starting from this release, we are adopting the policy to support the most 2
  recent versions of Go currently available. By the time of this release, this
  is Go 1.15 and 1.16.
- Fixed a potential issue that could occur when the verification of exp, iat
  or nbf was not required and contained invalid contents, i.e. non-numeric/date.
  Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally
  reporting it to the formtech fork.
- Added support for EdDSA / ED25519.
- Optimized allocations.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-10 13:05:39 +02:00
Wang Yan
61e7e20823
Merge pull request #3472 from thaJeztah/2.7_update_go116
[release/2.7] update to go1.16
2021-08-10 18:59:49 +08:00
Sebastiaan van Stijn
d836b23fc2
[release/2.7] update to go1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-10 11:32:03 +02:00
Milos Gajdos
18230b7b34
Merge pull request #3384 from wy65701436/release/2.7-cp-3169
[backport release/2.7]Added flag for user configurable cipher suites
2021-03-23 15:23:04 +00:00
Milos Gajdos
51636a6711
Merge pull request #3385 from wy65701436/release/2.7-ci
enable ci for release/2.7
2021-03-23 15:22:46 +00:00
Derek McGowan
09109ab50a Fix gosimple checks
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Wang Yan <wangyan@vmware.com>
2021-03-23 21:03:20 +08:00
Manish Tomar
89e6568e34 Remove err nil check
since type checking nil will not panic and return appropriately

Signed-off-by: Manish Tomar <manish.tomar@docker.com>
Signed-off-by: wang yan <wangyan@vmware.com>
2021-03-23 21:03:16 +08:00
Manish Tomar
3c64ff10bb Fix gometalint errors
Signed-off-by: Manish Tomar <manish.tomar@docker.com>
Signed-off-by: wang yan <wangyan@vmware.com>
2021-03-23 21:03:10 +08:00
sayboras
f807afbf85 Migrate to golangci-lint
Signed-off-by: Tam Mach <sayboras@yahoo.com>
Signed-off-by: wang yan <wangyan@vmware.com>
2021-03-23 21:02:54 +08:00
Wang Yan
9142de99fa enable ci for release/2.7
Signed-off-by: Wang Yan <wangyan@vmware.com>
2021-03-23 18:46:17 +08:00
David Luu
cc341b0110 Added flag for user configurable cipher suites
Configuration of list of cipher suites allows a user to disable use
of weak ciphers or continue to support them for legacy usage if they
so choose.

List of available cipher suites at:
https://golang.org/pkg/crypto/tls/#pkg-constants

Default cipher suites have been updated to:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384

MinimumTLS has also been updated to include TLS 1.3 as an option
and now defaults to TLS 1.2 since 1.0 and 1.1 have been deprecated.

Signed-off-by: David Luu <david@davidluu.info>
2021-03-23 18:42:12 +08:00
Milos Gajdos
cc866a5bf3
Merge pull request #3370 from wy65701436/release/2.7-cp-3309
[cherry pick]close the io.ReadCloser from storage driver
2021-02-26 09:00:00 +00:00