* [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 @ 2022-04-05 17:28 Peter Korsgaard 2022-04-11 12:28 ` Marcus Hoffmann 0 siblings, 1 reply; 11+ messages in thread From: Peter Korsgaard @ 2022-04-05 17:28 UTC (permalink / raw) To: buildroot commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master Fixes the following security issues: - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 - CVE-2022-24769: Default inheritable capabilities for linux container should be empty https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/containerd/containerd.hash | 2 +- package/containerd/containerd.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash index d5aafe2e70..23dacded88 100644 --- a/package/containerd/containerd.hash +++ b/package/containerd/containerd.hash @@ -1,3 +1,3 @@ # Computed locally -sha256 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 containerd-1.5.9.tar.gz +sha256 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 containerd-1.5.11.tar.gz sha256 4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4 LICENSE diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk index 8976e12f1a..c405b75e81 100644 --- a/package/containerd/containerd.mk +++ b/package/containerd/containerd.mk @@ -4,7 +4,7 @@ # ################################################################################ -CONTAINERD_VERSION = 1.5.9 +CONTAINERD_VERSION = 1.5.11 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION)) CONTAINERD_LICENSE = Apache-2.0 CONTAINERD_LICENSE_FILES = LICENSE _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-05 17:28 [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 Peter Korsgaard @ 2022-04-11 12:28 ` Marcus Hoffmann 2022-04-11 17:03 ` Arnout Vandecappelle 0 siblings, 1 reply; 11+ messages in thread From: Marcus Hoffmann @ 2022-04-11 12:28 UTC (permalink / raw) To: buildroot Hi Peter, On 05.04.22 19:28, Peter Korsgaard wrote: > commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master > > Fixes the following security issues: > > - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes > https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 > > - CVE-2022-24769: Default inheritable capabilities for linux container > should be empty > https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/containerd/containerd.hash | 2 +- > package/containerd/containerd.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash > index d5aafe2e70..23dacded88 100644 > --- a/package/containerd/containerd.hash > +++ b/package/containerd/containerd.hash > @@ -1,3 +1,3 @@ > # Computed locally > -sha256 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 containerd-1.5.9.tar.gz > +sha256 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 containerd-1.5.11.tar.gz I get a different hash for this download, both within buildroot as well as downloading the file manually from github: ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash: ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 ERROR: Incomplete download, or man-in-the-middle (MITM) attack Did the file change in the meantime or did something else go wrong here? Should send a patch changing the hash to 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6? > [...] Best, Marcus _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 12:28 ` Marcus Hoffmann @ 2022-04-11 17:03 ` Arnout Vandecappelle 2022-04-11 18:33 ` Yann E. MORIN 2022-04-11 19:02 ` Peter Korsgaard 0 siblings, 2 replies; 11+ messages in thread From: Arnout Vandecappelle @ 2022-04-11 17:03 UTC (permalink / raw) To: Marcus Hoffmann, buildroot, Peter Korsgaard On 11/04/2022 14:28, Marcus Hoffmann wrote: > Hi Peter, > > On 05.04.22 19:28, Peter Korsgaard wrote: >> commit: >> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 >> >> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master >> >> Fixes the following security issues: >> >> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes >> >> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 >> >> - CVE-2022-24769: Default inheritable capabilities for linux container >> should be empty >> >> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c >> >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> >> --- >> package/containerd/containerd.hash | 2 +- >> package/containerd/containerd.mk | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/package/containerd/containerd.hash >> b/package/containerd/containerd.hash >> index d5aafe2e70..23dacded88 100644 >> --- a/package/containerd/containerd.hash >> +++ b/package/containerd/containerd.hash >> @@ -1,3 +1,3 @@ >> # Computed locally >> -sha256 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 >> containerd-1.5.9.tar.gz >> +sha256 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 >> containerd-1.5.11.tar.gz > > I get a different hash for this download, both within buildroot as well as > downloading the file manually from github: > > ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash: > ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 > ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 > ERROR: Incomplete download, or man-in-the-middle (MITM) attack > > > Did the file change in the meantime or did something else go wrong here? It also goes wrong in the autobuilders (this one on master, before I merged the bump to 1.6.2) [1] > Should send a patch changing the hash to > 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6? Let's first allow Peter to check what exactly went wrong. He should have a local download with the hash he pushed so he can compare what changed. I looked at the github repo, and it says that it was tagged on March 24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like they updated the tag. Regards, Arnout 1] http://autobuild.buildroot.net/results/b5d/b5dcd56490e807db9e92e3bbbd6753738132db57/build-end.log > > > [...] > > Best, > Marcus > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 17:03 ` Arnout Vandecappelle @ 2022-04-11 18:33 ` Yann E. MORIN 2022-04-11 19:02 ` Peter Korsgaard 1 sibling, 0 replies; 11+ messages in thread From: Yann E. MORIN @ 2022-04-11 18:33 UTC (permalink / raw) To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot Arnout, Marcus, All, On 2022-04-11 19:03 +0200, Arnout Vandecappelle spake thusly: > On 11/04/2022 14:28, Marcus Hoffmann wrote: > >On 05.04.22 19:28, Peter Korsgaard wrote: > >>commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 > >> > >>branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master > >> > >>Fixes the following security issues: > >> > >>- CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes > >>https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 > >> > >>- CVE-2022-24769: Default inheritable capabilities for linux container > >> should be empty > >>https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c > >> > >>Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > >>--- > >> package/containerd/containerd.hash | 2 +- > >> package/containerd/containerd.mk | 2 +- > >> 2 files changed, 2 insertions(+), 2 deletions(-) > >> > >>diff --git a/package/containerd/containerd.hash > >>b/package/containerd/containerd.hash > >>index d5aafe2e70..23dacded88 100644 > >>--- a/package/containerd/containerd.hash > >>+++ b/package/containerd/containerd.hash > >>@@ -1,3 +1,3 @@ > >> # Computed locally > >>-sha256 > >>40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 > >>containerd-1.5.9.tar.gz > >>+sha256 > >>6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 > >>containerd-1.5.11.tar.gz > >I get a different hash for this download, both within buildroot as well as > >downloading the file manually from github: > >ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash: > >ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 > >ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 > >ERROR: Incomplete download, or man-in-the-middle (MITM) attack > >Did the file change in the meantime or did something else go wrong here? > It also goes wrong in the autobuilders (this one on master, before I merged > the bump to 1.6.2) [1] Note that golang packages are susceptible to hash changes ifone of their dependencies is chagned. For example, if a go package depends, directly or transitively, on a package foo at some-tag, but foo got re-tagged, or the repository has moved, then the vendoring will get a different content than previously. For example, docker's "distribution" repository has moved from under "docker" out to its own "distribution" namespace: https://github.com/docker/distribution now redirects to: https://github.com/distribution/distribution > >Should send a patch changing the hash to > >02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6? > Let's first allow Peter to check what exactly went wrong. He should have a > local download with the hash he pushed so he can compare what changed. > I looked at the github repo, and it says that it was tagged on March 24, > i.e. before Peter did the bump to 1.5.11. So it doesn't look like they > updated the tag. > > 1] http://autobuild.buildroot.net/results/b5d/b5dcd56490e807db9e92e3bbbd6753738132db57/build-end.log I think the error is soemhing else in this case: tar: stdout: write error Regards, Yann E. MORIN. -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 17:03 ` Arnout Vandecappelle 2022-04-11 18:33 ` Yann E. MORIN @ 2022-04-11 19:02 ` Peter Korsgaard 2022-04-11 20:27 ` Arnout Vandecappelle 2022-04-11 20:34 ` Peter Korsgaard 1 sibling, 2 replies; 11+ messages in thread From: Peter Korsgaard @ 2022-04-11 19:02 UTC (permalink / raw) To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot >>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes: Hi, > On 11/04/2022 14:28, Marcus Hoffmann wrote: >> Hi Peter, >> On 05.04.22 19:28, Peter Korsgaard wrote: >>> commit: >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 >>> >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master >>> >>> Fixes the following security issues: >>> >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 >>> >>> - CVE-2022-24769: Default inheritable capabilities for linux container >>> should be empty >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c >>> >>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> >>> --- >>> package/containerd/containerd.hash | 2 +- >>> package/containerd/containerd.mk | 2 +- >>> 2 files changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/package/containerd/containerd.hash >>> b/package/containerd/containerd.hash >>> index d5aafe2e70..23dacded88 100644 >>> --- a/package/containerd/containerd.hash >>> +++ b/package/containerd/containerd.hash >>> @@ -1,3 +1,3 @@ >>> # Computed locally >>> -sha256 >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 >>> containerd-1.5.9.tar.gz >>> +sha256 >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 >>> containerd-1.5.11.tar.gz >> I get a different hash for this download, both within buildroot as >> well as downloading the file manually from github: >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash: >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 >> ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack >> >> Did the file change in the meantime or did something else go wrong here? > It also goes wrong in the autobuilders (this one on master, before I > merged the bump to 1.6.2) [1] >> Should send a patch changing the hash to >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6? > Let's first allow Peter to check what exactly went wrong. He should > have a local download with the hash he pushed so he can compare what > changed. > I looked at the github repo, and it says that it was tagged on March > 24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like > they updated the tag. Funky, I do indeed have the old hash here: sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 /var/lib/downloads/containerd/containerd-1.5.11.tar.gz 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 containerd-1.5.11.tar.gz Extracting the tarballs, I see the following diff: diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go --- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100 +++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100 @@ -55,7 +55,7 @@ var ( // NOTE: The $Format strings are replaced during 'git archive' thanks to the // companion .gitattributes file containing 'export-subst' in this same // directory. See also https://git-scm.com/docs/gitattributes - gitVersion string = "v0.0.0-master+3df54a85234" + gitVersion string = "v0.0.0-master+3df54a8523" gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD) gitTreeState string = "" // state of git tree, either "clean" or "dirty" So the gitVersion field lost a digit. No idea how this could happen. Looking at the file in the git repo I see that this is listed as: gitVersion string = "v0.0.0-master+$Format:%H$" gitCommit string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD) https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go So I guess something in github is wrongly expanding this $Format? -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 19:02 ` Peter Korsgaard @ 2022-04-11 20:27 ` Arnout Vandecappelle 2022-04-11 20:34 ` Peter Korsgaard 1 sibling, 0 replies; 11+ messages in thread From: Arnout Vandecappelle @ 2022-04-11 20:27 UTC (permalink / raw) To: Peter Korsgaard; +Cc: Marcus Hoffmann, buildroot On 11/04/2022 21:02, Peter Korsgaard wrote: >>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes: > > Hi, > > > On 11/04/2022 14:28, Marcus Hoffmann wrote: > >> Hi Peter, > >> On 05.04.22 19:28, Peter Korsgaard wrote: > >>> commit: > >>> https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325 > >>> > >>> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master > >>> > >>> Fixes the following security issues: > >>> > >>> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes > >>> https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 > >>> > >>> - CVE-2022-24769: Default inheritable capabilities for linux container > >>> should be empty > >>> https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c > >>> > >>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > >>> --- > >>> package/containerd/containerd.hash | 2 +- > >>> package/containerd/containerd.mk | 2 +- > >>> 2 files changed, 2 insertions(+), 2 deletions(-) > >>> > >>> diff --git a/package/containerd/containerd.hash > >>> b/package/containerd/containerd.hash > >>> index d5aafe2e70..23dacded88 100644 > >>> --- a/package/containerd/containerd.hash > >>> +++ b/package/containerd/containerd.hash > >>> @@ -1,3 +1,3 @@ > >>> # Computed locally > >>> -sha256 > >>> 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 > >>> containerd-1.5.9.tar.gz > >>> +sha256 > >>> 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 > >>> containerd-1.5.11.tar.gz > >> I get a different hash for this download, both within buildroot as > >> well as downloading the file manually from github: > >> ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash: > >> ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 > >> ERROR: got : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 > >> ERROR: Incomplete download, or man-in-the-middle (MITM) attack > >> > >> Did the file change in the meantime or did something else go wrong here? > > > It also goes wrong in the autobuilders (this one on master, before I > > merged the bump to 1.6.2) [1] > > >> Should send a patch changing the hash to > >> 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6? > > > Let's first allow Peter to check what exactly went wrong. He should > > have a local download with the hash he pushed so he can compare what > > changed. > > > I looked at the github repo, and it says that it was tagged on March > > 24, i.e. before Peter did the bump to 1.5.11. So it doesn't look like > > they updated the tag. > > Funky, I do indeed have the old hash here: > > sha256sum ~download/containerd/containerd-1.5.11.tar.gz containerd-1.5.11.tar.gz > 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1 /var/lib/downloads/containerd/containerd-1.5.11.tar.gz > 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6 containerd-1.5.11.tar.gz > > Extracting the tarballs, I see the following diff: > > diff -urpN a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go > --- a/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100 > +++ b/containerd-1.5.11/vendor/k8s.io/client-go/pkg/version/base.go 2022-03-24 01:09:42.000000000 +0100 > @@ -55,7 +55,7 @@ var ( > // NOTE: The $Format strings are replaced during 'git archive' thanks to the > // companion .gitattributes file containing 'export-subst' in this same > // directory. See also https://git-scm.com/docs/gitattributes > - gitVersion string = "v0.0.0-master+3df54a85234" > + gitVersion string = "v0.0.0-master+3df54a8523" > gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" // sha1 from git, output of $(git rev-parse HEAD) > gitTreeState string = "" // state of git tree, either "clean" or "dirty" > > So the gitVersion field lost a digit. No idea how this could > happen. Looking at the file in the git repo I see that this is listed > as: > > gitVersion string = "v0.0.0-master+$Format:%H$" > gitCommit string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD) Weird, %H should expand to the full commit hash - like on the gitCommit line... How the hell does git archive expand %H differently in one line and the other? Aah, it was changed from %h to %H in [1]. But that easily explains the issue: the length of the abbreviated commit hash depends on the state of the repo. Thus, some gc on github may have dropped a conflicting ref (somewhere else) so the length of the abbreviated hash is reduced again. There's not much we can do about this I'm afraid, other than using git download instead of tarball download. Or updating to a version that contains [1] of course. Regards, Arnout [1] https://github.com/containerd/containerd/commit/e634f04d8cdb6c2f96eea2e4e66d0e4500a46282 > > https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go > > So I guess something in github is wrongly expanding this $Format? > _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 19:02 ` Peter Korsgaard 2022-04-11 20:27 ` Arnout Vandecappelle @ 2022-04-11 20:34 ` Peter Korsgaard 2022-04-12 8:28 ` Arnout Vandecappelle 1 sibling, 1 reply; 11+ messages in thread From: Peter Korsgaard @ 2022-04-11 20:34 UTC (permalink / raw) To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot >>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: Hi, > @@ -55,7 +55,7 @@ var ( > // NOTE: The $Format strings are replaced during 'git archive' thanks to the > // companion .gitattributes file containing 'export-subst' in this same > // directory. See also https://git-scm.com/docs/gitattributes > - gitVersion string = "v0.0.0-master+3df54a85234" > + gitVersion string = "v0.0.0-master+3df54a8523" > gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" > // sha1 from git, output of $(git rev-parse HEAD) > gitTreeState string = "" // state of git tree, either "clean" or "dirty" > So the gitVersion field lost a digit. No idea how this could > happen. Looking at the file in the git repo I see that this is listed > as: > gitVersion string = "v0.0.0-master+$Format:%H$" > gitCommit string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD) > https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go > So I guess something in github is wrongly expanding this $Format? The format logic itself is part of git, as the export-subst attibute has been set for base.go: https://git-scm.com/docs/gitattributes But why the two $Format:%H$ lines expand to different things and why it has changed over time is unclear to me. In any case, I've pushed a commit to 2022.02.x to adjust the hash to what Github is now serving. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-11 20:34 ` Peter Korsgaard @ 2022-04-12 8:28 ` Arnout Vandecappelle 2022-04-12 9:26 ` Peter Korsgaard 0 siblings, 1 reply; 11+ messages in thread From: Arnout Vandecappelle @ 2022-04-12 8:28 UTC (permalink / raw) To: Peter Korsgaard; +Cc: Marcus Hoffmann, buildroot On 11/04/2022 22:34, Peter Korsgaard wrote: >>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > > Hi, > > > @@ -55,7 +55,7 @@ var ( > > // NOTE: The $Format strings are replaced during 'git archive' thanks to the > > // companion .gitattributes file containing 'export-subst' in this same > > // directory. See also https://git-scm.com/docs/gitattributes > > - gitVersion string = "v0.0.0-master+3df54a85234" > > + gitVersion string = "v0.0.0-master+3df54a8523" > > gitCommit string = "3df54a852345ae127d1fa3092b95168e4a88e2f8" > > // sha1 from git, output of $(git rev-parse HEAD) > > gitTreeState string = "" // state of git tree, either "clean" or "dirty" > > > So the gitVersion field lost a digit. No idea how this could > > happen. Looking at the file in the git repo I see that this is listed > > as: > > > gitVersion string = "v0.0.0-master+$Format:%H$" > > gitCommit string = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD) > > > https://github.com/containerd/containerd/blob/main/vendor/k8s.io/client-go/pkg/version/base.go > > > So I guess something in github is wrongly expanding this $Format? > > The format logic itself is part of git, as the export-subst attibute has > been set for base.go: > > https://git-scm.com/docs/gitattributes > > But why the two $Format:%H$ lines expand to different things and why it > has changed over time is unclear to me. > > In any case, I've pushed a commit to 2022.02.x to adjust the hash to > what Github is now serving. As I've written in the mail that went concurrently with yours, this may change again at any time. Therefore, please make sure that you update the tarball on sources.buildroot.org so there's a fallback when the hash changes again. Regards, Arnout _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-12 8:28 ` Arnout Vandecappelle @ 2022-04-12 9:26 ` Peter Korsgaard 2022-04-14 19:15 ` Arnout Vandecappelle 0 siblings, 1 reply; 11+ messages in thread From: Peter Korsgaard @ 2022-04-12 9:26 UTC (permalink / raw) To: Arnout Vandecappelle; +Cc: Marcus Hoffmann, buildroot >>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes: Hi, >> In any case, I've pushed a commit to 2022.02.x to adjust the hash to >> what Github is now serving. > As I've written in the mail that went concurrently with yours, this > may change again at any time. Therefore, please make sure that you > update the tarball on sources.buildroot.org so there's a fallback when > the hash changes again. It should happen automatically now that the hash matches, but I have triggered a manual sync for containerd and cleared the negative cache in cloudflare. On a related note, the go/rust vendoring stuff isn't great for the source mirror, where we basically run make foo-source for all packages - And which now builds an internal toolchain and host-go / host-rust before doing the download :/ I guess I'll need to rework the mirroring logic a bit. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-12 9:26 ` Peter Korsgaard @ 2022-04-14 19:15 ` Arnout Vandecappelle 2022-04-14 20:06 ` Peter Korsgaard 0 siblings, 1 reply; 11+ messages in thread From: Arnout Vandecappelle @ 2022-04-14 19:15 UTC (permalink / raw) To: Peter Korsgaard, Yann E. MORIN; +Cc: buildroot On 12/04/2022 11:26, Peter Korsgaard wrote: >>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes: > > Hi, > > >> In any case, I've pushed a commit to 2022.02.x to adjust the hash to > >> what Github is now serving. > > > As I've written in the mail that went concurrently with yours, this > > may change again at any time. Therefore, please make sure that you > > update the tarball on sources.buildroot.org so there's a fallback when > > the hash changes again. > > It should happen automatically now that the hash matches, but I have > triggered a manual sync for containerd and cleared the negative cache > in cloudflare. > > On a related note, the go/rust vendoring stuff isn't great for the > source mirror, where we basically run make foo-source for all packages - > And which now builds an internal toolchain and host-go / host-rust > before doing the download :/ I guess I'll need to rework the mirroring > logic a bit. Just don't delete the output directory? Regards, Arnout _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 2022-04-14 19:15 ` Arnout Vandecappelle @ 2022-04-14 20:06 ` Peter Korsgaard 0 siblings, 0 replies; 11+ messages in thread From: Peter Korsgaard @ 2022-04-14 20:06 UTC (permalink / raw) To: Arnout Vandecappelle; +Cc: Yann E. MORIN, buildroot >>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes: Hi, >> On a related note, the go/rust vendoring stuff isn't great for the >> source mirror, where we basically run make foo-source for all packages - >> And which now builds an internal toolchain and host-go / host-rust >> before doing the download :/ I guess I'll need to rework the mirroring >> logic a bit. > Just don't delete the output directory? That could kind of work if I used a per-branch output directory and cleaned it up one in a while to not have odd behaviour when the (dependences of) host-go / host-rust changes yeah. I'll give it a try. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-04-14 20:07 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-04-05 17:28 [Buildroot] [git commit] package/containerd: security bump to version 1.5.11 Peter Korsgaard 2022-04-11 12:28 ` Marcus Hoffmann 2022-04-11 17:03 ` Arnout Vandecappelle 2022-04-11 18:33 ` Yann E. MORIN 2022-04-11 19:02 ` Peter Korsgaard 2022-04-11 20:27 ` Arnout Vandecappelle 2022-04-11 20:34 ` Peter Korsgaard 2022-04-12 8:28 ` Arnout Vandecappelle 2022-04-12 9:26 ` Peter Korsgaard 2022-04-14 19:15 ` Arnout Vandecappelle 2022-04-14 20:06 ` Peter Korsgaard
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.