Hello community,

here is the log from the commit of package umoci for openSUSE:Factory checked in at 2025-05-26 18:31:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/umoci (Old)
 and /work/SRC/openSUSE:Factory/.umoci.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "umoci" Mon May 26 18:31:42 2025 rev:21 rq:1278978 version:0.5.0 Changes: -------- --- /work/SRC/openSUSE:Factory/umoci/umoci.changes 2024-03-22 15:28:19.049918971 +0100 +++ /work/SRC/openSUSE:Factory/.umoci.new.2732/umoci.changes 2025-05-26 18:31:59.094472727 +0200 
@@ -1,0 +2,27 @@ +Wed May 21 07:19:13 UTC 2025 - Aleksa Sarai <asa...@suse.com> + +- Update to umoci v0.5.0. Upstream changelog is available from + <https://github.com/opencontainers/umoci/releases/tag/v0.5.0> bsc#1243388 + + A security flaw was found in the OCI image-spec, where it is possible to + cause a blob with one media-type to be interpreted as a different media-type. + As umoci is not a registry nor does it handle signatures, this vulnerability + had no real impact on umoci but for safety we implemented the now-recommended + media-type embedding and verification. CVE-2021-41190 + + Other changes in this release: + + * Several large reworks and API-related changes to the umoci's overlayfs + support. This is only available to Go API users. + * The runtime-spec config.json generated by umoci is updated to be more + modern and work properly with modern runc versions. + * The default gzip compression blocksize has been adjusted to match Docker. + * zstd-compressed images are now fully supported. Users can explcitily + request the compression algorithm for newly-generated layers with the + --compress option. + +- Remove upstreamed patches: + - 0001-makefile-fix-bad-build-flags.patch +- Update umoci.keyring from upstream to include new signing keys. + +------------------------------------------------------------------- Old: ---- 0001-makefile-fix-bad-build-flags.patch umoci-0.4.7.tar.xz umoci-0.4.7.tar.xz.asc New: ---- umoci-0.5.0.tar.xz umoci-0.5.0.tar.xz.asc BETA DEBUG BEGIN: Old:- Remove upstreamed patches: - 0001-makefile-fix-bad-build-flags.patch - Update umoci.keyring from upstream to include new signing keys. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ umoci.spec ++++++ --- /var/tmp/diff_new_pack.Himxu1/_old 2025-05-26 18:32:01.350567410 +0200 +++ /var/tmp/diff_new_pack.Himxu1/_new 2025-05-26 18:32:01.370568250 +0200 
@@ -1,7 +1,7 @@ # # spec file for package umoci # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define project github.com/opencontainers/umoci Name: umoci -Version: 0.4.7 +Version: 0.5.0 Release: 0 Summary: Open Container Image manipulation tool License: Apache-2.0 @@ -29,10 +29,8 @@ Source0: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz Source1: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc Source2: https://umo.ci/%{name}.keyring -# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/umoci/pull/369>. -Patch1: 0001-makefile-fix-bad-build-flags.patch BuildRequires: fdupes -BuildRequires: go +BuildRequires: go >= 1.23 BuildRequires: go-go-md2man ExcludeArch: s390 @@ -43,8 +41,6 @@ %prep %setup -q -# <https://github.com/opencontainers/umoci/pull/369> -%patch -P 1 -p1 %build export VERSION="$(cat ./VERSION)" @@ -55,6 +51,15 @@ # Build umoci and docs. make VERSION="$VERSION" umoci docs +# Make sure that our keyring copy is identical to upstream. +our_keyring=$(sha256sum <"%{SOURCE2}") +src_keyring=$(sha256sum <umoci.keyring) +if [ "$our_keyring" != "$src_keyring" ]; then + echo "keyring file doesn't match upstream" + diff -u "%{SOURCE2}" umoci.keyring + exit 1 +fi + %install # Install the binary. install -D -m 0755 %{name} "%{buildroot}/%{_bindir}/%{name}" ++++++ umoci-0.4.7.tar.xz -> umoci-0.5.0.tar.xz ++++++ ++++ 245387 lines of diff (skipped) ++++++ umoci.keyring ++++++ --- /var/tmp/diff_new_pack.Himxu1/_old 2025-05-26 18:32:06.038764164 +0200 +++ /var/tmp/diff_new_pack.Himxu1/_new 2025-05-26 18:32:06.074765675 +0200 
@@ -3,8 +3,10 @@ uid [ultimate] Aleksa Sarai <asa...@suse.com> uid [ultimate] Aleksa Sarai <asa...@suse.de> sub rsa4096 2016-06-21 [E] [expires: 2031-06-18] + 6EF371F1DBC97BD9C9E519AA605C5E921F773EA9 -----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8 ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0 
@@ -68,3 +70,60 @@ =3/jE -----END PGP PUBLIC KEY BLOCK----- +pub ed25519 2019-06-21 [C] + C9C370B246B09F6DBCFC744C34401015D1D2D386 +uid [ultimate] Aleksa Sarai <cyp...@cyphar.com> +sub ed25519 2022-09-30 [S] [expires: 2030-03-25] + B64E4955B29FA3D463F2A9062897FAD2B7E9446F +sub cv25519 2022-09-30 [E] [expires: 2030-03-25] + 0C23601C4F4561640663556524325218CEA61CB8 +sub ed25519 2022-09-30 [A] [expires: 2030-03-25] + A6BBD7976DBC7617FC73737D2374658C6654AF23 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz +QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGwEWIQTJw3CyRrCfbbz8dEw0QBAV0dLT +hgUCZa3xwQAKCRA0QBAV0dLThpQyAQDGzjZyyWWmd6Ykg5/lymp2MLIg1f2jG6ew +AiPT4ATkBAD/RgdLDf1IQStEH7pHmQa1qvqyRq1jeEgF23KruXbbdQ64MwRdDMJS +FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4 +BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS +04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b +8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0 +QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS +y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw +x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG +SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru +YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL +FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD +cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e +qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk +uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M +wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx +za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ +KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo +FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG 
+AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9 +o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ +FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51 +DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH +uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+ +q25gaH2I9QQYFgoAJgIbAhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJlrfJcBQkO +EpjFAIF2IAQZFgoAHRYhBLZOSVWyn6PUY/KpBiiX+tK36URvBQJjNrpLAAoJECiX ++tK36URv2hsBALyKPjIlNTtlwC1PHZkyOPwSiu4ZveS7pWlHLHX6nJBCAP9CBDtf +UbvG3C5WljSQdiBrXKgosDbJxPwXw+tW0XukAwkQNEAQFdHS04bMkQEA9elVwA0A ++ywDw+jnifIc98XqLI+KF3Xl0A9+lMuwthMBAO00DeAEjkryFMGp62GPNHqr/r6p ++6DIeUjWgK4Sh8IMuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM +OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmAhsMFiEEycNwskawn228/HRM +NEAQFdHS04YFAmWt8lwFCQ4SmLAACgkQNEAQFdHS04apHgD+MIRj2kujpxtQt04D +ZB+hofBtHIEMo2tplFBYvhZ6KOMA/1q3aRv6jnWAv8woc50KitP4/+iPmfyzaBA/ +8XA5DdIKuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD +TF2SQwwqM4+nYbeIfgQYFgoAJgIbIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJl +rfJcBQkOEpiiAAoJEDRAEBXR0tOGAUwA/jbaz04OXnV3PYC/yQUsUJsihCTqz4Ne +lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg== +=Ab7w +-----END PGP PUBLIC KEY BLOCK----- + +
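Review bot: In the umoci.changes hunk (@@ -1,0 +2,27 @@), the zstd bullet misspells "explicitly" as "explcitily", which is worth fixing before it becomes part of the permanent changelog. The last bullet says only that the keyring gained "new signing keys"; naming the added primary key fingerprint (C9C370B246B09F6DBCFC744C34401015D1D2D386, as listed in the umoci.keyring hunk) would let a later reader see from the changelog alone which key became trusted at this revision.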
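Review bot: In the umoci.spec hunk @@ -29,10 +29,8 @@, the new "BuildRequires: go >= 1.23" floor is not explained in the spec or in the umoci.changes entry. A one-line comment above it, or a changelog bullet, saying where the minimum comes from would keep it from going stale or being loosened on a later update. The removal of Patch1 here is matched by the removal of the "%patch -P 1 -p1" line in the %prep hunk, so those two changes are consistent.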
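Review bot: In the umoci.spec hunk @@ -55,6 +51,15 @@, the comment "Make sure that our keyring copy is identical to upstream" overstates what the check proves: it compares %{SOURCE2} with the umoci.keyring file unpacked from the tarball, so it shows that the two copies agree, not that either one is authentic. Since the keyring exists to verify the tarball's signature and the tarball is also the source of the reference copy, the comment should say this is a consistency check, and the visible spec lines do not show where Source1 is checked against Source2. Two smaller points: the sha256sum comparison is redundant because "diff -u" already exits non-zero on any difference, and the check sits in %build after "make", so a mismatch is reported only after the full build; running it in %prep right after %setup, with the message sent to stderr, would fail earlier and more visibly.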
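Review bot: In the umoci.keyring hunk @@ -68,3 +70,60 @@, the added "pub", "uid" and "sub" lines, including the "[ultimate]" marker and the four fingerprints, are plain text outside the armored block and are not covered by anything cryptographic, so they should not be taken as evidence of what the key block contains. "[ultimate]" reflects the trust database of whoever exported the listing, not a property of the key. Before accepting this hunk, import the new block into a scratch keyring (for example with "gpg --show-keys umoci.keyring") and confirm the primary fingerprint C9C370B246B09F6DBCFC744C34401015D1D2D386 and the [S] subkey B64E4955B29FA3D463F2A9062897FAD2B7E9446F against a source other than this tarball. The existing rsa4096 key is kept, so signatures from either key will be accepted; the changelog should state whether the old key is still used for releases or is retained only for older tarballs.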