* [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
@ 2022-04-05 17:28 Peter Korsgaard
  2022-04-11 12:28 ` Marcus Hoffmann
  0 siblings, 1 reply; 11+ messages in thread
From: Peter Korsgaard @ 2022-04-05 17:28 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fixes the following security issues:

- CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
  https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7

- CVE-2022-24769: Default inheritable capabilities for linux container
  should be empty
  https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/containerd/containerd.hash | 2 +-
 package/containerd/containerd.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
index d5aafe2e70..23dacded88 100644
--- a/package/containerd/containerd.hash
+++ b/package/containerd/containerd.hash
@@ -1,3 +1,3 @@
 # Computed locally
-sha256  40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4  containerd-1.5.9.tar.gz
+sha256  6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  containerd-1.5.11.tar.gz
 sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE
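Review bot: the new digest in this hunk was computed from a GitHub-generated tag archive (CONTAINERD_SITE is a $(call github,...) download), and such archives are only as stable as the export-subst expansion git performs at archive time; the rest of this thread shows exactly that, with the expected 6a289406... turning into 02b79d5e... within a week although the tag itself was not moved. Before recording a freshly computed hash, re-download once to confirm it reproduces, and push the tarball to sources.buildroot.org so that a later mismatch has a fallback.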
diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk
index 8976e12f1a..c405b75e81 100644
--- a/package/containerd/containerd.mk
+++ b/package/containerd/containerd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONTAINERD_VERSION = 1.5.9
+CONTAINERD_VERSION = 1.5.11
 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
 CONTAINERD_LICENSE = Apache-2.0
 CONTAINERD_LICENSE_FILES = LICENSE
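Review bot: the version bump itself is fine, but note that CONTAINERD_SITE fetches an archive generated on the fly from the tag rather than a release asset, so the digest in containerd.hash depends on GitHub's export-subst handling of $Format placeholders; a git download, as suggested later in the thread, would remove that dependency.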
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-05 17:28 [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 Peter Korsgaard
@ 2022-04-11 12:28 ` Marcus Hoffmann
  2022-04-11 17:03   ` Arnout Vandecappelle
  0 siblings, 1 reply; 11+ messages in thread
From: Marcus Hoffmann @ 2022-04-11 12:28 UTC (permalink / raw)
  To: buildroot

Hi Peter,

On 05.04.22 19:28, Peter Korsgaard wrote:
> commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> 
> Fixes the following security issues:
> 
> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>    https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
> 
> - CVE-2022-24769: Default inheritable capabilities for linux container
>    should be empty
>    https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>   package/containerd/containerd.hash | 2 +-
>   package/containerd/containerd.mk   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
> index d5aafe2e70..23dacded88 100644
> --- a/package/containerd/containerd.hash
> +++ b/package/containerd/containerd.hash
> @@ -1,3 +1,3 @@
>   # Computed locally
> -sha256  40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4  containerd-1.5.9.tar.gz
> +sha256  6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  containerd-1.5.11.tar.gz

I get a different hash for this download, both within buildroot as well 
as downloading the file manually from github:

ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
ERROR: Incomplete download, or man-in-the-middle (MITM) attack


Did the file change in the meantime or did something else go wrong here?

Should send a patch changing the hash to 
02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?

 > [...]

Best,
Marcus

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 12:28 ` Marcus Hoffmann
@ 2022-04-11 17:03   ` Arnout Vandecappelle
  2022-04-11 18:33     ` Yann E. MORIN
  2022-04-11 19:02     ` Peter Korsgaard
  0 siblings, 2 replies; 11+ messages in thread
From: Arnout Vandecappelle @ 2022-04-11 17:03 UTC (permalink / raw)
  To: Marcus Hoffmann, buildroot, Peter Korsgaard



On 11/04/2022 14:28, Marcus Hoffmann wrote:
> Hi Peter,
> 
> On 05.04.22 19:28, Peter Korsgaard wrote:
>> commit: 
>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 
>>
>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
>>
>> Fixes the following security issues:
>>
>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>>    
>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
>>
>> - CVE-2022-24769: Default inheritable capabilities for linux container
>>    should be empty
>>    
>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
>>
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>> ---
>>   package/containerd/containerd.hash | 2 +-
>>   package/containerd/containerd.mk   | 2 +-
>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/package/containerd/containerd.hash 
>> b/package/containerd/containerd.hash
>> index d5aafe2e70..23dacded88 100644
>> --- a/package/containerd/containerd.hash
>> +++ b/package/containerd/containerd.hash
>> @@ -1,3 +1,3 @@
>>   # Computed locally
>> -sha256  40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4  
>> containerd-1.5.9.tar.gz
>> +sha256  6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  
>> containerd-1.5.11.tar.gz
> 
> I get a different hash for this download, both within buildroot as well as 
> downloading the file manually from github:
> 
> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
> ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> 
> 
> Did the file change in the meantime or did something else go wrong here?

  It also goes wrong in the autobuilders (this one on master, before I merged 
the bump to 1.6.2) [1]

> Should send a patch changing the hash to 
> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?

  Let's first allow Peter to check what exactly went wrong. He should have a 
local download with the hash he pushed so he can compare what changed.

  I looked at the github repo, and it says that it was tagged on March 24, i.e. 
before Peter did the bump to 1.5.11. So it doesn't look like they updated the tag.

  Regards,
  Arnout


[1] http://autobuild.buildroot.net/results/b5d/b5dcd56490e807db9e92e3bbbd6753738132db57/build-end.log

> 
>  > [...]
> 
> Best,
> Marcus

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 17:03   ` Arnout Vandecappelle
@ 2022-04-11 18:33     ` Yann E. MORIN
  2022-04-11 19:02     ` Peter Korsgaard
  1 sibling, 0 replies; 11+ messages in thread
From: Yann E. MORIN @ 2022-04-11 18:33 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot

Arnout, Marcus, All,

On 2022-04-11 19:03 +0200, Arnout Vandecappelle spake thusly:
> On 11/04/2022 14:28, Marcus Hoffmann wrote:
> >On 05.04.22 19:28, Peter Korsgaard wrote:
> >>commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
> >>
> >>branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> >>
> >>Fixes the following security issues:
> >>
> >>- CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
> >>https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
> >>
> >>- CVE-2022-24769: Default inheritable capabilities for linux container
> >>   should be empty
> >>https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
> >>
> >>Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> >>---
> >>  package/containerd/containerd.hash | 2 +-
> >>  package/containerd/containerd.mk   | 2 +-
> >>  2 files changed, 2 insertions(+), 2 deletions(-)
> >>
> >>diff --git a/package/containerd/containerd.hash
> >>b/package/containerd/containerd.hash
> >>index d5aafe2e70..23dacded88 100644
> >>--- a/package/containerd/containerd.hash
> >>+++ b/package/containerd/containerd.hash
> >>@@ -1,3 +1,3 @@
> >>  # Computed locally
> >>-sha256 
> >>40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
> >>containerd-1.5.9.tar.gz
> >>+sha256 
> >>6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
> >>containerd-1.5.11.tar.gz
> >I get a different hash for this download, both within buildroot as well as
> >downloading the file manually from github:
> >ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
> >ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
> >ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
> >ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> >Did the file change in the meantime or did something else go wrong here?
>  It also goes wrong in the autobuilders (this one on master, before I merged
> the bump to 1.6.2) [1]

Note that golang packages are susceptible to hash changes if one of their
dependencies is changed. For example, if a go package depends, directly
or transitively, on a package foo at some-tag, but foo got re-tagged, or
the repository has moved, then the vendoring will get a different content
than previously.

For example, docker's "distribution" repository has moved from under
"docker" out to its own "distribution" namespace:

    https://github.com/docker/distribution
now redirects to:
    https://github.com/distribution/distribution

> >Should send a patch changing the hash to
> >02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?
>  Let's first allow Peter to check what exactly went wrong. He should have a
> local download with the hash he pushed so he can compare what changed.
>  I looked at the github repo, and it says that it was tagged on March 24,
> i.e. before Peter did the bump to 1.5.11. So it doesn't look like they
> updated the tag.
> 
> 1] http://autobuild.buildroot.net/results/b5d/b5dcd56490e807db9e92e3bbbd6753738132db57/build-end.log

I think the error is something else in this case:
    tar: stdout: write error

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 17:03   ` Arnout Vandecappelle
  2022-04-11 18:33     ` Yann E. MORIN
@ 2022-04-11 19:02     ` Peter Korsgaard
  2022-04-11 20:27       ` Arnout Vandecappelle
  2022-04-11 20:34       ` Peter Korsgaard
  1 sibling, 2 replies; 11+ messages in thread
From: Peter Korsgaard @ 2022-04-11 19:02 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 > On 11/04/2022 14:28, Marcus Hoffmann wrote:
 >> Hi Peter,
 >> On 05.04.22 19:28, Peter Korsgaard wrote:
 >>> commit:
 >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 
 >>> 
 >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
 >>> 
 >>> Fixes the following security issues:
 >>> 
 >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
 >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
 >>> 
 >>> - CVE-2022-24769: Default inheritable capabilities for linux container
 >>>    should be empty
 >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
 >>> 
 >>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 >>> ---
 >>>   package/containerd/containerd.hash | 2 +-
 >>>   package/containerd/containerd.mk   | 2 +-
 >>>   2 files changed, 2 insertions(+), 2 deletions(-)
 >>> 
 >>> diff --git a/package/containerd/containerd.hash
 >>> b/package/containerd/containerd.hash
 >>> index d5aafe2e70..23dacded88 100644
 >>> --- a/package/containerd/containerd.hash
 >>> +++ b/package/containerd/containerd.hash
 >>> @@ -1,3 +1,3 @@
 >>>   # Computed locally
 >>> -sha256 
 >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
 >>> containerd-1.5.9.tar.gz
 >>> +sha256 
 >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
 >>> containerd-1.5.11.tar.gz
 >> I get a different hash for this download, both within buildroot as
 >> well as downloading the file manually from github:
 >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
 >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
 >> ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
 >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
 >> 
 >> Did the file change in the meantime or did something else go wrong here?

 >  It also goes wrong in the autobuilders (this one on master, before I
 >  merged the bump to 1.6.2) [1]

 >> Should send a patch changing the hash to
 >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?

 >  Let's first allow Peter to check what exactly went wrong. He should
 >  have a local download with the hash he pushed so he can compare what
 > changed.

 >  I looked at the github repo, and it says that it was tagged on March
 >  24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like
 > they updated the tag.

Funky, I do indeed have the old hash here:

sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz
6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  /var/lib/downloads/containerd/containerd-1.5.11.tar.gz
02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6  containerd-1.5.11.tar.gz

Extracting the tarballs, I see the following diff:

diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go
--- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
+++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
@@ -55,7 +55,7 @@ var (
        // NOTE: The $Format strings are replaced during 'git archive' thanks to the
        // companion .gitattributes file containing 'export-subst' in this same
        // directory.  See also https://git-scm.com/docs/gitattributes
-       gitVersion   string = "v0.0.0-master+3df54a85234"
+       gitVersion   string = "v0.0.0-master+3df54a8523"
        gitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD)
        gitTreeState string = ""            // state of git tree, either "clean" or "dirty"
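Review bot: both file headers in this hunk carry the same mtime (2022-03-24 01:09:42 +0100), so the two tarballs were generated from the same tagged tree; the only content change is gitVersion losing one hex digit (3df54a85234 to 3df54a8523) while gitCommit keeps the full 40-character hash. That pattern is what an abbreviated-hash placeholder produces when git's abbreviation length differs between two archive runs, not what a retag or a tampered download would look like, so the mismatch should be treated as an archive-reproducibility problem rather than as an integrity failure of the download path.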

So the gitVersion field lost a digit. No idea how this could
happen. Looking at the file in the git repo I see that this is listed
as:

	gitVersion   string = "v0.0.0-master+$Format:%H$"
	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)

https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go

So I guess something in github is wrongly expanding this $Format?

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 19:02     ` Peter Korsgaard
@ 2022-04-11 20:27       ` Arnout Vandecappelle
  2022-04-11 20:34       ` Peter Korsgaard
  1 sibling, 0 replies; 11+ messages in thread
From: Arnout Vandecappelle @ 2022-04-11 20:27 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Marcus Hoffmann, buildroot



On 11/04/2022 21:02, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> 
> Hi,
> 
>   > On 11/04/2022 14:28, Marcus Hoffmann wrote:
>   >> Hi Peter,
>   >> On 05.04.22 19:28, Peter Korsgaard wrote:
>   >>> commit:
>   >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
>   >>>
>   >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
>   >>>
>   >>> Fixes the following security issues:
>   >>>
>   >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>   >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
>   >>>
>   >>> - CVE-2022-24769: Default inheritable capabilities for linux container
>   >>>    should be empty
>   >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
>   >>>
>   >>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>   >>> ---
>   >>>   package/containerd/containerd.hash | 2 +-
>   >>>   package/containerd/containerd.mk   | 2 +-
>   >>>   2 files changed, 2 insertions(+), 2 deletions(-)
>   >>>
>   >>> diff --git a/package/containerd/containerd.hash
>   >>> b/package/containerd/containerd.hash
>   >>> index d5aafe2e70..23dacded88 100644
>   >>> --- a/package/containerd/containerd.hash
>   >>> +++ b/package/containerd/containerd.hash
>   >>> @@ -1,3 +1,3 @@
>   >>>   # Computed locally
>   >>> -sha256
>   >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4
>   >>> containerd-1.5.9.tar.gz
>   >>> +sha256
>   >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>   >>> containerd-1.5.11.tar.gz
>   >> I get a different hash for this download, both within buildroot as
>   >> well as downloading the file manually from github:
>   >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
>   >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
>   >> ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
>   >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
>   >>
>   >> Did the file change in the meantime or did something else go wrong here?
> 
>   >  It also goes wrong in the autobuilders (this one on master, before I
>   >  merged the bump to 1.6.2) [1]
> 
>   >> Should send a patch changing the hash to
>   >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?
> 
>   >  Let's first allow Peter to check what exactly went wrong. He should
>   >  have a local download with the hash he pushed so he can compare what
>   > changed.
> 
>   >  I looked at the github repo, and it says that it was tagged on March
>   >  24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like
>   > they updated the tag.
> 
> Funky, I do indeed have the old hash here:
> 
> sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz
> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  /var/lib/downloads/containerd/containerd-1.5.11.tar.gz
> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6  containerd-1.5.11.tar.gz
> 
> Extracting the tarballs, I see the following diff:
> 
> diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go
> --- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
> +++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go     2022-03-24 01:09:42.000000000 +0100
> @@ -55,7 +55,7 @@ var (
>          // NOTE: The $Format strings are replaced during 'git archive' thanks to the
>          // companion .gitattributes file containing 'export-subst' in this same
>          // directory.  See also https://git-scm.com/docs/gitattributes
> -       gitVersion   string = "v0.0.0-master+3df54a85234"
> +       gitVersion   string = "v0.0.0-master+3df54a8523"
>          gitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD)
>          gitTreeState string = ""            // state of git tree, either "clean" or "dirty"
> 
> So the gitVersion field lost a digit. No idea how this could
> happen. Looking at the file in the git repo I see that this is listed
> as:
> 
> 	gitVersion   string = "v0.0.0-master+$Format:%H$"
> 	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)

  Weird, %H should expand to the full commit hash - like on the gitCommit 
line... How the hell does git archive expand %H differently in one line and the 
other?

  Aah, it was changed from %h to %H in [1].

  But that easily explains the issue: the length of the abbreviated commit hash 
depends on the state of the repo. Thus, some gc on github may have dropped a 
conflicting ref (somewhere else) so the length of the abbreviated hash is 
reduced again.

  There's not much we can do about this I'm afraid, other than using git 
download instead of tarball download. Or updating to a version that contains [1] 
of course.

  Regards,
  Arnout

[1] https://github.com/containerd/containerd/commit/e634f04d8cdb6c2f96eea2e4e66d0e4500a46282



> 
> https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go
> 
> So I guess something in github is wrongly expanding this $Format?
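Arnout's diagnosis above (an abbreviated-hash expansion changing length, not a retag) can be checked mechanically. The following Python is an added example, not part of the thread and not Buildroot's or containerd's code: it rebuilds the scenario with two constructed in-memory tarballs that differ only in the gitVersion string, runs the same kind of .hash check Buildroot does, and then tests whether the differing members show the hex-prefix pattern of a $Format:%h$ expansion. All paths, file contents and digests are constructed.

```python
"""Diagnose a Buildroot .hash mismatch on a GitHub-generated tarball (added example)."""
import gzip
import hashlib
import io
import re
import tarfile

# Buildroot .hash line format: "<algo>  <hex digest>  <file name>"
HASH_LINE = re.compile(r"^(?P<algo>\w+)\s+(?P<digest>[0-9a-f]+)\s+(?P<name>\S+)$")
# A run that could be a full or abbreviated git object id
HEX_RUN = re.compile(r"\b[0-9a-f]{7,40}\b")


def parse_hash_file(text):
    """Parse a .hash file into {file name: (algorithm, expected digest)}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError("malformed hash line: %r" % line)
        expected[m["name"]] = (m["algo"], m["digest"])
    return expected


def verify(data, name, expected):
    """Buildroot-style check: return (ok, actual digest) for one downloaded file."""
    algo, digest = expected[name]
    got = hashlib.new(algo, data).hexdigest()
    return got == digest, got


def make_targz(members):
    """Build a deterministic .tar.gz from {path: text}: fixed member mtimes and a
    zero gzip timestamp, so two archives differ only if their contents do."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, text in sorted(members.items()):
            payload = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            info.mtime = 1648080582  # constructed constant timestamp
            tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(raw.getvalue(), mtime=0)


def differing_members(tgz_a, tgz_b):
    """Return [(path, text_a, text_b)] for regular files whose content differs."""
    def load(blob):
        files = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    files[m.name] = tar.extractfile(m).read().decode()
        return files
    a, b = load(tgz_a), load(tgz_b)
    return [(p, a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


def abbrev_hash_drift(text_a, text_b):
    """True if the texts differ only in hex runs where one is a prefix of the other,
    i.e. the footprint of a $Format:%h$ placeholder whose abbreviation length
    changed between two 'git archive' runs. Anything else returns False."""
    lines_a, lines_b = text_a.splitlines(), text_b.splitlines()
    if len(lines_a) != len(lines_b):
        return False
    drift = False
    for x, y in zip(lines_a, lines_b):
        if x == y:
            continue
        hx, hy = HEX_RUN.findall(x), HEX_RUN.findall(y)
        # Same line shape once hex runs are masked, same number of runs ...
        if len(hx) != len(hy) or HEX_RUN.sub("#", x) != HEX_RUN.sub("#", y):
            return False
        # ... and every differing run is a prefix of its counterpart.
        for h1, h2 in zip(hx, hy):
            if h1 != h2 and not (h1.startswith(h2) or h2.startswith(h1)):
                return False
        drift = True
    return drift


# Constructed stand-ins for the two versions of base.go seen in the thread
BASE_GO_PATH = "containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go"
BASE_GO_FIRST = (
    'var (\n'
    '\tgitVersion   string = "v0.0.0-master+3df54a85234"\n'
    '\tgitCommit    string = "3df54a852345ae127d1fa3092b95168e4a88e2f8"\n'
    ')\n'
)
BASE_GO_LATER = BASE_GO_FIRST.replace('+3df54a85234"', '+3df54a8523"')


def demo():
    """Replay the thread: digest recorded from the first download, second one fails."""
    first = make_targz({"containerd-1.5.11/README.md": "containerd\n", BASE_GO_PATH: BASE_GO_FIRST})
    later = make_targz({"containerd-1.5.11/README.md": "containerd\n", BASE_GO_PATH: BASE_GO_LATER})
    hash_file = "# Computed locally\nsha256  %s  containerd-1.5.11.tar.gz\n" % hashlib.sha256(first).hexdigest()
    ok, got = verify(later, "containerd-1.5.11.tar.gz", parse_hash_file(hash_file))
    changed = differing_members(first, later)
    drift = bool(changed) and all(a is not None and b is not None and abbrev_hash_drift(a, b)
                                  for _, a, b in changed)
    return {"ok": ok, "got": got, "changed": [p for p, _, _ in changed], "abbrev_drift": drift}


if __name__ == "__main__":
    result = demo()
    print("hash check ok:", result["ok"])
    print("changed members:", result["changed"])
    print("looks like $Format:%h$ length drift:", result["abbrev_drift"])
```

A True "abbrev_drift" on a real mismatch tells you the archive was regenerated with a different abbreviation length; a False result means the archives differ in some other way and the download deserves the MITM suspicion Buildroot's error message raises.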

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 19:02     ` Peter Korsgaard
  2022-04-11 20:27       ` Arnout Vandecappelle
@ 2022-04-11 20:34       ` Peter Korsgaard
  2022-04-12  8:28         ` Arnout Vandecappelle
  1 sibling, 1 reply; 11+ messages in thread
From: Peter Korsgaard @ 2022-04-11 20:34 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

Hi,

 > @@ -55,7 +55,7 @@ var (
 >         // NOTE: The $Format strings are replaced during 'git archive' thanks to the
 >         // companion .gitattributes file containing 'export-subst' in this same
 >         // directory.  See also https://git-scm.com/docs/gitattributes
 > -       gitVersion   string = "v0.0.0-master+3df54a85234"
 > +       gitVersion   string = "v0.0.0-master+3df54a8523"
 >         gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8"
 > // sha1 from git, output of $(git rev-parse HEAD)
 >         gitTreeState string = ""            // state of git tree, either "clean" or "dirty"

 > So the gitVersion field lost a digit. No idea how this could
 > happen. Looking at the file in the git repo I see that this is listed
 > as:

 > 	gitVersion   string = "v0.0.0-master+$Format:%H$"
 > 	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)

 > https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go

 > So I guess something in github is wrongly expanding this $Format?

The format logic itself is part of git, as the export-subst attribute has
been set for base.go:

https://git-scm.com/docs/gitattributes

But why the two $Format:%H$ lines expand to different things and why it
has changed over time is unclear to me.

In any case, I've pushed a commit to 2022.02.x to adjust the hash to
what Github is now serving.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-11 20:34       ` Peter Korsgaard
@ 2022-04-12  8:28         ` Arnout Vandecappelle
  2022-04-12  9:26           ` Peter Korsgaard
  0 siblings, 1 reply; 11+ messages in thread
From: Arnout Vandecappelle @ 2022-04-12  8:28 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Marcus Hoffmann, buildroot



On 11/04/2022 22:34, Peter Korsgaard wrote:
>>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> 
> Hi,
> 
>   > @@ -55,7 +55,7 @@ var (
>   >         // NOTE: The $Format strings are replaced during 'git archive' thanks to the
>   >         // companion .gitattributes file containing 'export-subst' in this same
>   >         // directory.  See also https://git-scm.com/docs/gitattributes
>   > -       gitVersion   string = "v0.0.0-master+3df54a85234"
>   > +       gitVersion   string = "v0.0.0-master+3df54a8523"
>   >         gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8"
>   > // sha1 from git, output of $(git rev-parse HEAD)
>   >         gitTreeState string = ""            // state of git tree, either "clean" or "dirty"
> 
>   > So the gitVersion field lost a digit. No idea how this could
>   > happen. Looking at the file in the git repo I see that this is listed
>   > as:
> 
>   > 	gitVersion   string = "v0.0.0-master+$Format:%H$"
>   > 	gitCommit    string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)
> 
>   > https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go
> 
>   > So I guess something in github is wrongly expanding this $Format?
> 
> The format logic itself is part of git, as the export-subst attibute has
> been set for base.go:
> 
> https://git-scm.com/docs/gitattributes
> 
> But why the two $Format:%H$ lines expand to different things and why it
> has changed over time is unclear to me.
> 
> In any case, I've pushed a commit to 2022.02.x to adjust the hash to
> what Github is now serving.

  As I've written in the mail that went concurrently with yours, this may change 
again at any time. Therefore, please make sure that you update the tarball on 
sources.buildroot.org so there's a fallback when the hash changes again.

  Regards,
  Arnout

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-12  8:28         ` Arnout Vandecappelle
@ 2022-04-12  9:26           ` Peter Korsgaard
  2022-04-14 19:15             ` Arnout Vandecappelle
  0 siblings, 1 reply; 11+ messages in thread
From: Peter Korsgaard @ 2022-04-12  9:26 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 >> In any case, I've pushed a commit to 2022.02.x to adjust the hash to
 >> what Github is now serving.

 >  As I've written in the mail that went concurrently with yours, this
 >  may change again at any time. Therefore, please make sure that you
 > update the tarball on sources.buildroot.org so there's a fallback when
 > the hash changes again.

It should happen automatically now that the hash matches, but I have
triggered a manual sync for containerd and cleared the negative cache
in cloudflare.

On a related note, the go/rust vendoring stuff isn't great for the
source mirror, where we basically run make foo-source for all packages -
And which now builds an internal toolchain and host-go / host-rust
before doing the download :/ I guess I'll need to rework the mirroring
logic a bit.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-12  9:26           ` Peter Korsgaard
@ 2022-04-14 19:15             ` Arnout Vandecappelle
  2022-04-14 20:06               ` Peter Korsgaard
  0 siblings, 1 reply; 11+ messages in thread
From: Arnout Vandecappelle @ 2022-04-14 19:15 UTC (permalink / raw)
  To: Peter Korsgaard, Yann E. MORIN; +Cc: buildroot



On 12/04/2022 11:26, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> 
> Hi,
> 
>   >> In any case, I've pushed a commit to 2022.02.x to adjust the hash to
>   >> what Github is now serving.
> 
>   >  As I've written in the mail that went concurrently with yours, this
>   >  may change again at any time. Therefore, please make sure that you
>   > update the tarball on sources.buildroot.org so there's a fallback when
>   > the hash changes again.
> 
> It should happen automatically now that the hash matches, but I have
> triggered a manual sync for containerd and cleared the negative cache
> in cloudflare.
> 
> On a related note, the go/rust vendoring stuff isn't great for the
> source mirror, where we basically run make foo-source for all packages -
> And which now builds an internal toolchain and host-go / host-rust
> before doing the download :/ I guess I'll need to rework the mirroring
> logic a bit.

  Just don't delete the output directory?

  Regards,
  Arnout


* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11
  2022-04-14 19:15             ` Arnout Vandecappelle
@ 2022-04-14 20:06               ` Peter Korsgaard
  0 siblings, 0 replies; 11+ messages in thread
From: Peter Korsgaard @ 2022-04-14 20:06 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Yann E. MORIN, buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 >> On a related note, the go/rust vendoring stuff isn't great for the
 >> source mirror, where we basically run make foo-source for all packages -
 >> And which now builds an internal toolchain and host-go / host-rust
 >> before doing the download :/ I guess I'll need to rework the mirroring
 >> logic a bit.

 >  Just don't delete the output directory?

That could kind of work if I used a per-branch output directory and
cleaned it up once in a while to not have odd behaviour when the
(dependencies of) host-go / host-rust change, yeah.

I'll give it a try.

-- 
Bye, Peter Korsgaard
