Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build: provenance and tampering checks for libgit2 #406

Merged
merged 4 commits into from
Jul 13, 2022

Conversation

pjbgf
Copy link
Member

@pjbgf pjbgf commented Jul 13, 2022

Changes:

  • Fixes github.com/emicklei/go-restful (GHSA-r48q-9g5r-8q2h).
  • Update dependencies.
  • Add provenance and tampering checks for libgit2.

Closes #404.

Paulo Gomes added 4 commits July 13, 2022 09:36
This addresses CVE-2022-1996, due to v2.16.0 including
emicklei/go-restful@9266625.

Signed-off-by: Paulo Gomes <[email protected]>
- github.com/ProtonMail/go-crypto to version 0.0.0-20220711121315-1fde58898e96.

Signed-off-by: Paulo Gomes <[email protected]>
This dependency now releases two different images, one
containing the entire dependency chain for libgit2, and
another containing just the library itself. The latter
will be later used once Managed Transport is completely
removed from source controller.

As part of this update, the image now follows a new tag
format which is semver based and starts at 0.1.0.

Signed-off-by: Paulo Gomes <[email protected]>
@pjbgf pjbgf added the area/ci CI related issues and pull requests label Jul 13, 2022
@pjbgf pjbgf merged commit d4644eb into fluxcd:main Jul 13, 2022
@pjbgf pjbgf deleted the update-deps branch July 13, 2022 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/ci CI related issues and pull requests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Validate checksum before consuming golang-with-libgit2 artefacts
2 participants