Skip to content
v2016.14
default avatar
walters@verbum.org
7584dc0f · Release 2016.14 ·
Unverified 
Release 2016.14

First, this release adds GPG verification for the commit objects
inside deltas.  This was a vulnerability if you are fetching content
over plain HTTP, and is still important if using TLS.  More
information is available in [the commit](https://github.com/ostreedev/ostree/pull/589/commits/d06163038ff1ca407027d08e0f3c7d04c802810d)
and there is [continuing upstream discussion](https://mail.gnome.org/archives/ostree-list/2016-October/msg00002.html)
of transport integrity models.

Also regarding GPG, we now make it easier to [use a GPG ASCII key](https://github.com/ostreedev/ostree/pull/575/commits/9fb2d5a501660e155553d98998da87839287054c)
in a remote configuration.

Another major thing in this release is that we started making more use
of the [GCC/Clang sanitizers](https://github.com/google/sanitizers/wiki) like
`-fsanitize=address`, `-fsanitize=undefined` etc. and numerous small
memory leaks were fixed in particular.

Thanks to all contributors!

```
Abhay Kadam (1):
      Fix broken link in docs/CONTRIBUTING.md

Alexander Larsson (1):
      commit: Fix reading xattrs from OstreeRepoFile:s

Colin Walters (17):
      travis: Drop debian unstable since we can't fetch packages reliably
      pull: Add support for `http-headers` option
      pull: Redo logic for "scanning"
      lib: Define and use cleanup functions for gpgme
      lib: Split out helper function to create GPG context
      Add "gpgkeypath" option to remotes
      lib: Add an API to GPG verify a commit given a remote
      [UBSAN] deltas: Don't call memset(NULL, NULL, 0) with no xattrs
      [TSAN] main: Stop calling g_set_prgname()
      [TSAN] Rework assertions to always access refcount atomically
      pull: Dedup code for checking for > 0 valid results
      pull: Use new per-remote API for GPG verification
      pull: Do GPG verify commit objects when using deltas
      tests: Support TEST_SKIP_CLEANUP=err
      [ASAN] tests: Fix some memleaks in libarchive importer
      [ASAN] lib: Squash various leaks in library and commandline
      Release 2016.14

Jasper St. Pierre (3):
      ostree-repo: Fix parameter name
      ostree-repo-static-delta-processing: Don't close(-1)
      ostree-repo: Make the lock with a long-lasting FD

Jonathan Lebon (1):
      .redhat-ci.yml: no longer install libubsan & clang

William Manley (1):
      ostree commit: Fix combining trees with multiple --tree=ref arguments
```

Git-EVTag-v0-SHA512: 6756eef81978c4a9559327972b53019f9ea214ab92af266054d303770e7a60684e73fba0870fda81b5262a0ab3aae3f89d962cd346930932a3c668f081d5726a