Closes #83 (see that thread for contributor approvals/discussion)

There are workarounds for this, but I will intentionally not be describing them because this is definitely not something I can endorse in any way.  Please don't use gosu in this way.

Disallow installing gosu with setuid

Update to Alpine 3.14 and Debian Bullseye

Update build deps, esp. runc to v1.0.3

Update to runc 1.1.2

This builds `gosu` with an intentionally older version of runc *and* Go (but still new enough for `govulncheck` to work).

The chosen version of `runc` includes opencontainers/runc@262f294, which is the last change I can find to any of the functions `gosu` invokes in all released versions of runc (up to v1.1.4).

The chosen version of Go is the oldest supported by `govulncheck` but that also includes golang/go@4f45424 (because 32bit builds panic without this fix).

(This also fixes a few other minor version number anomalies.)

Add SECURITY.md that points to `govulncheck`

This fixes our `mips64le` builds.

Use QEMU and "arch-test" to avoid bad binaries in the future

See https://go-review.googlesource.com/c/vuln/+/481137 🙃

This is pulled in automatically via `gnupg`, and moved from `Recommends` to `Depends` in https://salsa.debian.org/debian/gnupg2/-/commit/99474ad900a8bcdd0e7b68f986fec0013fc01470, which has been part of `src:gnupg2` since 2.1.21-4 (and every supported version of both Debian _and_ Ubuntu have 2.2.x 😇).

Update govulncheck to the explicit new v0.1.0 release

This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary.

Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).

Add new "govulncheck-with-excludes.sh" wrapper script

Since Go 1.16, [Go issue 1435][1] is solved, and the stdlib syscall
implementations work on Linux.

  [1]: golang/go#1435

Signed-off-by: Bjorn Neergaard <[email protected]>

Prefer to use the latest syscall implementation, instead of the one that
was shipped with the Go compiler. As this was an indirect dependency,
this aligns all syscalls in the package to a common implementation.

Signed-off-by: Bjorn Neergaard <[email protected]>

Break the dependency on runc by using the new canonical source of the
`user` package at github.com/moby/sys.

Signed-off-by: Bjorn Neergaard <[email protected]>

setup-user: use github.com/moby/sys/user

…f bespoke script

This gives us nice provenance, etc; see https://explore.ggcr.dev/?image=tianon/gosu:1.16

This should make our "version" provenance metadata more correct

Add `-trimpath` to builds for cleaner embedded paths

Use of text/template inhibits dead code elimination, see golang/go#62024

Building with go1.22.1 via `go build -v -trimpath -ldflags '-d -w'`
results in binary size reduction from 2704725 to 1652718 bytes (-39%).

Remove use of text/template

…ings

```console
$ stat --format '% 11n %s' gosu-before gosu-after
gosu-before 1495254
 gosu-after 1478001
```

Ditch `fmt`, `log`, `path/filepath`, and `strings` for ~17KB more savings

…ys/user`

This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore).

Also:
- update the tests to Debian Bookworm and Alpine 3.19
- update `SECURITY.md` to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations)

…ount more bytes)

Update to Go 1.20.5

Thanks to `rpm --query --queryformat='%{ARCH}' rpm`, I feel good about documenting this "officially" again. 🚀

Add an "RPM-based" section back to `INSTALL.md`

… issue with 0.3

…lly too

Fix govulncheck wrapper + run govulncheck on latest release periodically too

Update broken Dockerfile.test link