-
-
v2016.147584dc0f · ·
Release 2016.14 First, this release adds GPG verification for the commit objects inside deltas. This was a vulnerability if you are fetching content over plain HTTP, and is still important if using TLS. More information is available in [the commit](https://github.com/ostreedev/ostree/pull/589/commits/d06163038ff1ca407027d08e0f3c7d04c802810d) and there is [continuing upstream discussion](https://mail.gnome.org/archives/ostree-list/2016-October/msg00002.html) of transport integrity models. Also regarding GPG, we now make it easier to [use a GPG ASCII key](https://github.com/ostreedev/ostree/pull/575/commits/9fb2d5a501660e155553d98998da87839287054c) in a remote configuration. Another major thing in this release is that we started making more use of the [GCC/Clang sanitizers](https://github.com/google/sanitizers/wiki) like `-fsanitize=address`, `-fsanitize=undefined` etc. and numerous small memory leaks were fixed in particular. Thanks to all contributors! ``` Abhay Kadam (1): Fix broken link in docs/CONTRIBUTING.md Alexander Larsson (1): commit: Fix reading xattrs from OstreeRepoFile:s Colin Walters (17): travis: Drop debian unstable since we can't fetch packages reliably pull: Add support for `http-headers` option pull: Redo logic for "scanning" lib: Define and use cleanup functions for gpgme lib: Split out helper function to create GPG context Add "gpgkeypath" option to remotes lib: Add an API to GPG verify a commit given a remote [UBSAN] deltas: Don't call memset(NULL, NULL, 0) with no xattrs [TSAN] main: Stop calling g_set_prgname() [TSAN] Rework assertions to always access refcount atomically pull: Dedup code for checking for > 0 valid results pull: Use new per-remote API for GPG verification pull: Do GPG verify commit objects when using deltas tests: Support TEST_SKIP_CLEANUP=err [ASAN] tests: Fix some memleaks in libarchive importer [ASAN] lib: Squash various leaks in library and commandline Release 2016.14 Jasper St. Pierre (3): ostree-repo: Fix parameter name ostree-repo-static-delta-processing: Don't close(-1) ostree-repo: Make the lock with a long-lasting FD Jonathan Lebon (1): .redhat-ci.yml: no longer install libubsan & clang William Manley (1): ostree commit: Fix combining trees with multiple --tree=ref arguments ``` Git-EVTag-v0-SHA512: 6756eef81978c4a9559327972b53019f9ea214ab92af266054d303770e7a60684e73fba0870fda81b5262a0ab3aae3f89d962cd346930932a3c668f081d5726a -
-
v2016.1336c89468 · ·
Release 2016.13 There is one notable feature in this release - we now support per-remote cookies, which can be used for systems like Amazon CloudFront that can be configured to require them for access. Another interesting change is the static delta generation process was tweaked to look for "similar" filenames, which for example should ensure we get dracut's "reproducible" initramfs in the delta. That aside, it's mostly smaller bugfixes here, such as memory leaks. Another good example of a bugfix is `pull: Don't do deltas with --commit-metadata-only`. Thanks to all contributors! ``` Alexander Larsson (1): Fix pruning of partial commits Colin Walters (14): docs: Link to releng-scripts tests: Skip libarchive/selinux tests if in container without SELinux tree-wide: Remove unused variables detected by CLang otutil: Note that ot_log_structured takes a printf format parse-datetime: Use labs() for long input value deploy: Suppress unused variable warning for fscreatecon cleanup Define an initializer for GVariant{Builder,Dict} libglnx: Bump to master (for -fsanitize fixes) remote-refs: Add NULL terminator to options array ci: Use -fsanitize=undefined by default repo: Don't put remote refs in the summary file pull: Don't do deltas with --commit-metadata-only deltas: Only keep one file open at a time during compilation Release 2016.13 Giuseppe Scrivano (1): static-delta: find a similar filename using what is before '.' or '-' Jonathan Lebon (3): .redhat-ci.yml: add clang delta: return valid enum member .redhat-ci.yml: use new build key Simon McVittie (14): Force C.UTF-8 or C locale for tests Distribute test scripts even if we wouldn't run them Distribute valgrind suppressions in tarballs _ostree_kernel_args_replace_take: don't leak when replacing ot_admin_builtin_set_origin: don't leak options GVariant ostree_builtin_pull: consistently set free-function on refs_to_fetch ostree_admin_option_context_parse: explicitly clean up when exiting early ostree_sysroot_upgrader_finalize: free new_revision _ostree_sysroot_write_deployments_internal: stop leaking hash table keyfile_set_from_vardict: free the string array ostree_repo_pull_with_options: clear dirs array ot_remote_builtin_show_url: autofree context Fix some leaks of floating GVariants load_metadata_internal: don't leak GBytes Sjoerd Simons (8): Filter bootloader supplied kernel cmdline options pull: Add per-remote cookie jar remote: Add command to list cookies remote: Add commands to add and remove cookies for a remote OsreeFetcher: Treat 403 as not found trivial-httpd: Add support for checking cookies tests: Add test for the cookie jar handling Update documentation for cookie handling commands ``` Git-EVTag-v0-SHA512: 905067d8a6ba66af636a7de20baa779b661a4e4df9b13fe95b1883c1db34b700b180e854af22866cd93e51d59a24b062cfbb1ce444342076eabcdf7d05900f67 -
-
v2016.12d3f14f02 · ·
Release 2016.12 This is a smaller point release that mostly brings in some pull API enhancements for flatpak. Two other notable changes: - We now support proxies that require basic auth - We create hardlinks to symlinks (do watch out for any regressions from this) Alexander Larsson (5): pull: Support inherit-transaction pull: Support multiple specifications of --subpath Fix regression for symlinks in bare-user repos ostree_repo_read_commit_detached_metadata: Handle parent repo detached metadata: Put these in transaction Colin Walters (2): core: Do create hardlinks to symlinks for checkouts Release 2016.12 Jonathan Lebon (5): docs: amend vmlinuz & initramfs naming convention ostree-sysroot-deploy.c: delete redundant check OstreeFetcher: provide proxy credentials if needed add .redhat-ci.yml and .redhat-ci.Dockerfile .redhat-ci.yml: use projectatomic/ostree-tester Git-EVTag-v0-SHA512: 5eaafb1caf50a53e64d316ac624958b2878b849c65bbbc7aae4a2a90cf4053a3dcc134a8c4474185c12f6c9dce036acc00e2087c3027d230a5a7a6099a216e63 -
-
v2016.11a0e1344c · ·
Release 2016.11 Just a collection of smaller fixes. One thing I want to note is that 2016.10 regressed things to flip fsync back on by default for users of `ostree_repo_checkout_at` (notably rpm-ostree). This is now fixed. We also continue dropping unecessary calls to `fsync()` in favor of our global `syncfs()`. This release also fixes integration with `systemd-journal-flush.service`, ensuring that systems configured for persistent journal have it saved correctly. Colin Walters (10): pull: Do allow executing deltas when mirroring into bare{,-user} sysroot: Port some small cleanup code to fd-relative sysroot: Port origin writing code to fd-relative sysroot: Drop an fsync for origin file when writing deployments sysroot: Drop an unnecessary fsync boot: Ensure we remount /var writable before systemd does journal flush checkout: Fix fsync defaults for new API to be off for real trivial-httpd: Port mostly to fd-relative libglnx: Update to latest Release 2016.11 Dan Nicholson (1): admin: Allow running status unlocked Jonathan Lebon (3): static-delta: add some error handling ostree_sysroot_init_osname: also create /var/log docs: add mention of rpm-ostree package layering Owen W. Taylor (2): ostree-repo.c: Fix file descriptor cleanup ostree_sysroot.c: Don't close sysroot_fd twice. Simon McVittie (1): Fix spelling of "repository" Git-EVTag-v0-SHA512: fe19f9c9c5ac8971b02a5c3eb4ed199b4334c4505c02a876b094cf712fac002f1a9c3710514e9e9e575af6c91c11123ca7675c42dbce4bba3f3497af2881db3c -