[pull] master from tianon:master #2
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
Closes #83 (see that thread for contributor approvals/discussion)
There are workarounds for this, but I will intentionally not be describing them because this is definitely not something I can endorse in any way. Please don't use gosu in this way.
Disallow installing gosu with setuid
Update to Alpine 3.14 and Debian Bullseye
Update build deps, esp. runc to v1.0.3
Update to runc 1.1.2
This builds `gosu` with an intentionally older version of runc *and* Go (but still new enough for `govulncheck` to work). The chosen version of `runc` includes opencontainers/runc@262f294, which is the last change I can find to any of the functions `gosu` invokes in all released versions of runc (up to v1.1.4). The chosen version of Go is the oldest supported by `govulncheck` but that also includes golang/go@4f45424 (because 32bit builds panic without this fix). (This also fixes a few other minor version number anomalies.)
Add SECURITY.md that points to `govulncheck`
This fixes our `mips64le` builds.
This should make our "version" provenance metadata more correct
Add `-trimpath` to builds for cleaner embedded paths
Use of text/template inhibits dead code elimination, see golang/go#62024 Building with go1.22.1 via `go build -v -trimpath -ldflags '-d -w'` results in binary size reduction from 2704725 to 1652718 bytes (-39%).
Remove use of text/template
…ings ```console $ stat --format '% 11n %s' gosu-before gosu-after gosu-before 1495254 gosu-after 1478001 ```
Ditch `fmt`, `log`, `path/filepath`, and `strings` for ~17KB more savings
This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore). Also: - update the tests to Debian Bookworm and Alpine 3.19 - update `SECURITY.md` to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations)
…ount more bytes)
Update to Go 1.20.5
Thanks to `rpm --query --queryformat='%{ARCH}' rpm`, I feel good about documenting this "officially" again. 🚀
Add an "RPM-based" section back to `INSTALL.md`
Fix govulncheck wrapper + run govulncheck on latest release periodically too
Update broken Dockerfile.test link
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )