Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: provenance and tampering checks for libgit2 #406

Merged
merged 4 commits into from
Jul 13, 2022
Merged

build: provenance and tampering checks for libgit2 #406

merged 4 commits into from
Jul 13, 2022

Conversation

pjbgf
Copy link
Member

@pjbgf pjbgf commented Jul 13, 2022

Changes:

  • Fixes github.com/emicklei/go-restful (GHSA-r48q-9g5r-8q2h).
  • Update dependencies.
  • Add provenance and tampering checks for libgit2.

Closes #404.

Paulo Gomes added 4 commits July 13, 2022 09:36
Fix github.com/emicklei/go-restful (CVE-2022-1996)
1aeb0d1 
This addresses CVE-2022-1996, due to v2.16.0 including
emicklei/go-restful@9266625.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Update dependencies
0da32c1 
- github.com/ProtonMail/go-crypto to version 0.0.0-20220711121315-1fde58898e96.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Update to golang-with-libgit2-all image
2fa5294 
This dependency now releases two different images, one
containing the entire dependency chain for libgit2, and
another containing just the library itself. The latter
will be later used once Managed Transport is completely
removed from source controller.

As part of this update, the image now follows a new tag
format which is semver based and starts at 0.1.0.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
build: provenance and tampering checks for libgit2
dea883e 
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
@pjbgf pjbgf added the area/ci CI related issues and pull requests label Jul 13, 2022
@pjbgf pjbgf merged commit d4644eb into fluxcd:main Jul 13, 2022
@pjbgf pjbgf deleted the update-deps branch July 13, 2022 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees
No one assigned
Labels
area/ci CI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validate checksum before consuming golang-with-libgit2 artefacts
2 participants
@pjbgf @stefanprodan