Hello community, here is the log from the commit of package singularity for openSUSE:Factory checked in at 2020-07-16 12:17:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/singularity (Old)
 and      /work/SRC/openSUSE:Factory/.singularity.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "singularity" Thu Jul 16 12:17:08 2020 rev:18 rq:821083 version:3.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/singularity/singularity.changes 2020-02-19 12:42:48.907887397 +0100 +++ /work/SRC/openSUSE:Factory/.singularity.new.3592/singularity.changes 2020-07-16 12:18:50.722988537 +0200 
@@ -1,0 +2,85 @@ +Wed Jul 15 07:29:39 UTC 2020 - Ana Guerrero Lopez <aguerr...@suse.com> + +- New version 3.6.0. This version introduces a new signature format +for SIF images, and changes to the signing / verification code to address +the following security problems: + - CVE-2020-13845, bsc#1174150 + In Singularity 3.x versions below 3.6.0, issues allow the ECL to + be bypassed by a malicious user. + - CVE-2020-13846, bsc#1174148 + In Singularity 3.5 the --all / -a option to singularity verify + returns success even when some objects in a SIF container are not signed, + or cannot be verified. + - CVE-2020-13847, bsc#1174152 + In Singularity 3.x versions below 3.6.0, Singularity's sign and verify + commands do not sign metadata found in the global header or data object + descriptors of a SIF file, allowing an attacker to cause unexpected + behavior. A signed container may verify successfully, even when it has + been modified in ways that could be exploited to cause malicious behavior. +- New features / functionalities + - A new '--legacy-insecure' flag to verify allows verification of SIF + signatures in the old, insecure format. + - A new '-l / --logs' flag for instance list that shows the paths + to instance STDERR / STDOUT log files. + - The --json output of instance list now include paths to + STDERR / STDOUT log files. +- Changed defaults / behaviours + - New signature format (see security fixes above). + - Fixed spacing of singularity instance list to be dynamically changing + based off of input lengths instead of fixed number of spaces to account + for long instance names. +- Deprecate -a / --all option to sign/verify as new signature behavior + makes this the default. 
+- For more information about upstream changes, please check: + https://github.com/hpcng/singularity/blob/master/CHANGELOG.md + +------------------------------------------------------------------- +Mon May 25 12:41:38 UTC 2020 - Ana Guerrero Lopez <aguerr...@suse.com> + +- New pre-version 3.6.0 rc5 with many changes: +- New features / functionalities + - Singularity now supports the execution of minimal Docker/OCI + containers that do not contain /bin/sh, e.g. docker://hello-world. + - A new cache structure is used that is concurrency safe on a filesystem that + supports atomic rename. If you downgrade to Singularity 3.5 or older after + using 3.6 you will need to run singularity cache clean. + - A plugin system rework adds new hook points that will allow the + development of plugins that modify behavior of the runtime. An image driver + concept is introduced for plugins to support new ways of handling image and + overlay mounts. Plugins built for <=3.5 are not compatible with 3.6. + - The --bind flag can now bind directories from a SIF or ext3 image into a + container. + - The --fusemount feature to mount filesystems to a container via FUSE + drivers is now a supported feature (previously an experimental hidden flag). + - This permits users to mount e.g. sshfs and cvmfs filesystems to the + container at runtime. + - A new -c/--config flag allows an alternative singularity.conf to be + specified by the root user, or all users in an unprivileged installation. + - A new --env flag allows container environment variables to be set via the + Singularity command line. + - A new --env-file flag allows container environment variables to be set from + a specified file. + - A new --days flag for cache clean allows removal of items older than a + specified number of days. Replaces the --name flag which is not generally + useful as the cache entries are stored by hash, not a friendly name. 
+- Changed defaults / behaviours + - Environment variables prefixed with SINGULARITYENV_ always take + precedence over variables without SINGULARITYENV_ prefix. + - The %post build section inherits environment variables from the base image. + - %files from ... will now follow symlinks for sources that are directly + specified, or directly resolved from a glob pattern. It will not follow + symlinks found through directory traversal. This mirrors Docker multi-stage + COPY behaviour. + - Restored the CWD mount behaviour of v2, implying that CWD path is not recreated + inside container and any symlinks in the CWD path are not resolved anymore to + determine the destination path inside container. + - The %test build section is executed the same manner as singularity test image. + --fusemount with the container: default directive will foreground the FUSE + process. Use container-daemon: for previous behavior. +- Removed --name flag for cache clean; replaced with --days. +- And many bug fixes. +- Update URL, github repository has moved. +- Update patch: + * build-position-independent-binaries.patch + +------------------------------------------------------------------- Old: ---- singularity-3.5.3.tar.gz New: ---- singularity-3.6.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ singularity.spec ++++++ --- /var/tmp/diff_new_pack.TYeb6E/_old 2020-07-16 12:18:54.074991927 +0200 +++ /var/tmp/diff_new_pack.TYeb6E/_new 2020-07-16 12:18:54.074991927 +0200 
@@ -23,11 +23,11 @@ License: BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: singularity -Version: 3.5.3 +Version: 3.6.0 Release: 0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html -URL: https://www.sylabs.io/singularity/ -Source0: https://github.com/sylabs/singularity/releases/download/v%{version}/singularity-%{version}.tar.gz +URL: https://github.com/hpcng/singularity +Source0: https://github.com/hpcng/singularity/releases/download/v%{version}/singularity-%{version}.tar.gz Source1: README.SUSE Source5: %{name}-rpmlintrc Patch0: build-position-independent-binaries.patch ++++++ build-position-independent-binaries.patch ++++++ --- /var/tmp/diff_new_pack.TYeb6E/_old 2020-07-16 12:18:54.114991968 +0200 +++ /var/tmp/diff_new_pack.TYeb6E/_new 2020-07-16 12:18:54.114991968 +0200 @@ -1,5 +1,5 @@ Subject: build position independent binaries -Date: 2019.12.13 +Date: 2020.05.26 --- src/github.com/sylabs/singularity/mlocal/frags/go_common_opts.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) @@ -8,11 +8,11 @@ --- a/src/github.com/sylabs/singularity/mlocal/frags/go_common_opts.mk +++ b/src/github.com/sylabs/singularity/mlocal/frags/go_common_opts.mk 
@@ -3,7 +3,7 @@ - GO_TAGS := containers_image_openpgp sylog imgbuild_engine oci_engine singularity_engine fakeroot_engine + GO_TAGS := containers_image_openpgp sylog oci_engine singularity_engine fakeroot_engine GO_TAGS_SUID := containers_image_openpgp sylog singularity_engine fakeroot_engine GO_LDFLAGS := -GO_BUILDMODE := -buildmode=default +GO_BUILDMODE := -buildmode=pie - GO_GCFLAGS := - GO_ASMFLAGS := + GO_GCFLAGS := -gcflags=github.com/sylabs/singularity/...="-trimpath $(SOURCEDIR)=>github.com/sylabs/singularity@v0.0.0" + GO_ASMFLAGS := -asmflags=github.com/sylabs/singularity/...="-trimpath $(SOURCEDIR)=>github.com/sylabs/singularity@v0.0.0" GO_MODFLAGS := $(if $(wildcard $(SOURCEDIR)/vendor/modules.txt),-mod=vendor,-mod=readonly) ++++++ singularity-3.5.3.tar.gz -> singularity-3.6.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/singularity/singularity-3.5.3.tar.gz /work/SRC/openSUSE:Factory/.singularity.new.3592/singularity-3.6.0.tar.gz differ: char 13, line 1
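Review bot: in the singularity.changes hunk (@@ -1,0 +2,85 @@), the 3.6.0 entry introduces a new signature format and a '--legacy-insecure' flag for old-format signatures but never says what happens to images already signed with 3.5.x under the default verify; the bullet should state whether such images are rejected and need re-signing with 3.6.0, since that is the operational consequence of the CVE fixes. The CVE-2020-13845 bullet should also expand ECL (Execution Control List) once so readers know which control is bypassed. Two smaller points in the same hunk: "The --json output of instance list now include paths" should read "includes", and the "--fusemount with the container: default directive ..." line under "Changed defaults / behaviours" is missing its leading "- " bullet, so it reads as a continuation of the %test item.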
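Review bot: in the singularity.spec hunk (@@ -23,11 +23,11 @@), the new Source0 still fetches a bare tarball from the GitHub release page with no signature or keyring Source visible alongside it; for an update whose whole purpose is fixing signature-verification CVEs, consider adding the release signature and upstream keyring as additional Sources (for example `Source2: %{name}-%{version}.tar.gz.asc` and `Source3: %{name}.keyring`, if upstream publishes a signature) so the download is verified at build time. The URL/Source0 move to github.com/hpcng matches the "github repository has moved" changelog line and is otherwise fine.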
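Review bot: the refreshed build-position-independent-binaries.patch (@@ -3,7 +3,7 @@) still targets src/github.com/sylabs/singularity/mlocal/frags/go_common_opts.mk although the spec now fetches the tarball from github.com/hpcng; confirm that the 3.6.0 tarball still unpacks its Go sources under the sylabs module path, otherwise %prep will fail on Patch0. The remainder of the hunk appears to be a context refresh only (the GO_TAGS context line drops imgbuild_engine, and GO_GCFLAGS/GO_ASMFLAGS gain upstream's -trimpath rewrite) while the patch's own change, -buildmode=default to -buildmode=pie, is unchanged; a one-line note in the patch header saying it was rebased for 3.6.0 with no functional change would save the next maintainer from re-deriving that.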