[pull] master from tianon:master

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron: 0 0 * * 0
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends binfmt-support qemu-user-static
+      - run: ./build.sh
+      - run: ./test.sh gosu-amd64
+      - run: ./test.sh gosu-i386
+      - run: ./test.sh --debian gosu-amd64
+      - run: ./test.sh --debian gosu-i386
+      - run: docker build --pull --file hub/Dockerfile.alpine hub
+      - run: docker build --pull --file hub/Dockerfile.debian hub
+
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done

.github/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/release.yml'
+      - 'govulncheck-with-excludes.sh'
+  push:
+    paths:
+      - '.github/workflows/release.yml'
+      - 'govulncheck-with-excludes.sh'
+  schedule:
+    - cron: 0 0 * * 0
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  test:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: download
+        run: |
+          # find and download the latest release for testing
+          tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)"
+          for tag in $tags; do
+            echo >&2 "checking $tag ..."
+            url="https://github.com/tianon/gosu/releases/download/$tag"
+            if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then
+              files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')"
+              for file in $files; do
+                wget -O "$file" "$url/$file"
+              done
+              if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then
+                echo >&2 "success with $tag !"
+                exit 0
+              fi
+            fi
+          done
+
+          echo >&2 'error: failed to find latest release'
+
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done

Dockerfile

@@ -1,6 +1,31 @@
-FROM golang:1.14-alpine3.12
-
-RUN apk add --no-cache file
+FROM golang:1.20.5-bookworm
+
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		arch-test \
+		file \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it
+ENV BUILD_FLAGS="-v -trimpath -ldflags '-d -w'"
+
+RUN set -eux; \
+	{ \
+		echo '#!/usr/bin/env bash'; \
+		echo 'set -Eeuo pipefail -x'; \
+		echo 'eval "go build $BUILD_FLAGS -o /go/bin/gosu-$ARCH"'; \
+		echo 'file "/go/bin/gosu-$ARCH"'; \
+		echo 'if arch-test "$ARCH"; then'; \
+# there's a fun QEMU + Go 1.18+ bug that causes our binaries (especially on ARM arches) to hang indefinitely *sometimes*, hence the "timeout" and looping here
+		echo '  try() { for (( i = 0; i < 30; i++ )); do if timeout 1s "$@"; then return 0; fi; done; return 1; }'; \
+		echo '  try "/go/bin/gosu-$ARCH" --version'; \
+		echo '  try "/go/bin/gosu-$ARCH" nobody id'; \
+		echo '  try "/go/bin/gosu-$ARCH" nobody ls -l /proc/self/fd'; \
+		echo 'fi'; \
+	} > /usr/local/bin/gosu-build-and-test.sh; \
+	chmod +x /usr/local/bin/gosu-build-and-test.sh
 
 # disable CGO for ALL THE THINGS (to help ensure no libc)
 ENV CGO_ENABLED 0
@@ -12,52 +37,18 @@ RUN set -eux; \
 	go mod download; \
 	go mod verify
 
-ENV BUILD_FLAGS="-v -ldflags '-d -s -w'"
-
 COPY *.go ./
 
 # gosu-$(dpkg --print-architecture)
-RUN set -eux; \
-	eval "GOARCH=amd64 go build $BUILD_FLAGS -o /go/bin/gosu-amd64"; \
-	file /go/bin/gosu-amd64; \
-	/go/bin/gosu-amd64 --version; \
-	/go/bin/gosu-amd64 nobody id; \
-	/go/bin/gosu-amd64 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=386 go build $BUILD_FLAGS -o /go/bin/gosu-i386"; \
-	file /go/bin/gosu-i386; \
-	/go/bin/gosu-i386 --version; \
-	/go/bin/gosu-i386 nobody id; \
-	/go/bin/gosu-i386 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=5 go build $BUILD_FLAGS -o /go/bin/gosu-armel"; \
-	file /go/bin/gosu-armel
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=6 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-	file /go/bin/gosu-armhf
-
-# boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...)
-#RUN set -eux; \
-#	eval "GOARCH=arm GOARM=7 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-#	file /go/bin/gosu-armhf
-
-RUN set -eux; \
-	eval "GOARCH=arm64 go build $BUILD_FLAGS -o /go/bin/gosu-arm64"; \
-	file /go/bin/gosu-arm64
-
-RUN set -eux; \
-	eval "GOARCH=mips64le go build $BUILD_FLAGS -o /go/bin/gosu-mips64el"; \
-	file /go/bin/gosu-mips64el
-
-RUN set -eux; \
-	eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \
-	file /go/bin/gosu-ppc64el
-
-RUN set -eux; \
-	eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \
-	file /go/bin/gosu-s390x
+RUN ARCH=amd64    GOARCH=amd64       gosu-build-and-test.sh
+RUN ARCH=i386     GOARCH=386         gosu-build-and-test.sh
+RUN ARCH=armel    GOARCH=arm GOARM=5 gosu-build-and-test.sh
+RUN ARCH=armhf    GOARCH=arm GOARM=6 gosu-build-and-test.sh
+#RUN ARCH=armhf    GOARCH=arm GOARM=7 gosu-build-and-test.sh # boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...)
+RUN ARCH=arm64    GOARCH=arm64       gosu-build-and-test.sh
+RUN ARCH=mips64el GOARCH=mips64le    gosu-build-and-test.sh
+RUN ARCH=ppc64el  GOARCH=ppc64le     gosu-build-and-test.sh
+RUN ARCH=riscv64  GOARCH=riscv64     gosu-build-and-test.sh
+RUN ARCH=s390x    GOARCH=s390x       gosu-build-and-test.sh
 
 RUN set -eux; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-*

Dockerfile.test-alpine

@@ -1,7 +1,7 @@
-FROM alpine:3.12
+FROM alpine:3.20
 
 # add "nobody" to ALL groups (makes testing edge cases more interesting)
-RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody
+RUN cut -d: -f1 /etc/group | xargs -rtn1 addgroup nobody
 
 RUN { \
 		echo '#!/bin/sh'; \
@@ -25,6 +25,7 @@ COPY gosu /usr/local/bin/
 # adjust users so we can make sure the tests are interesting
 RUN chgrp nobody /usr/local/bin/gosu \
 	&& chmod +s /usr/local/bin/gosu
+ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."
 USER nobody
 ENV HOME /omg/really/gosu/nowhere
 # now we should be nobody, ALL groups, and have a bogus useless HOME value

Dockerfile.test-debian

@@ -1,7 +1,7 @@
-FROM debian:buster-slim
+FROM debian:bookworm-slim
 
 # add "nobody" to ALL groups (makes testing edge cases more interesting)
-RUN cut -d: -f1 /etc/group | xargs -n1 -I'{}' usermod -aG '{}' nobody
+RUN cut -d: -f1 /etc/group | xargs -rtI'{}' usermod -aG '{}' nobody
 # emulate Alpine's "games" user (which is part of the "users" group)
 RUN usermod -aG users games
 
@@ -27,6 +27,7 @@ COPY gosu /usr/local/bin/
 # adjust users so we can make sure the tests are interesting
 RUN chgrp nogroup /usr/local/bin/gosu \
 	&& chmod +s /usr/local/bin/gosu
+ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."
 USER nobody
 ENV HOME /omg/really/gosu/nowhere
 # now we should be nobody, ALL groups, and have a bogus useless HOME value

INSTALL.md

@@ -15,21 +15,15 @@ RUN set -eux; \
 	gosu nobody true
 ```
 
-Older Debian releases (or newer `gosu` releases):
+Newer `gosu` releases:
 
 ```dockerfile
-ENV GOSU_VERSION 1.12
+ENV GOSU_VERSION 1.17
 RUN set -eux; \
 # save list of currently installed packages for later so we can clean up
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
-	apt-get install -y --no-install-recommends ca-certificates wget; \
-	if ! command -v gpg; then \
-		apt-get install -y --no-install-recommends gnupg2 dirmngr; \
-	elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
-# "This package provides support for HKPS keyservers." (GnuPG 1.x only)
-		apt-get install -y --no-install-recommends gnupg-curl; \
-	fi; \
+	apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
 	rm -rf /var/lib/apt/lists/*; \
 	\
 	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
@@ -40,7 +34,7 @@ RUN set -eux; \
 	export GNUPGHOME="$(mktemp -d)"; \
 	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
 	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	command -v gpgconf && gpgconf --kill all || :; \
+	gpgconf --kill all; \
 	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 	\
 # clean up fetch dependencies
@@ -56,10 +50,8 @@ RUN set -eux; \
 
 ## `FROM alpine` (3.7+)
 
-**Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size.
-
 ```dockerfile
-ENV GOSU_VERSION 1.12
+ENV GOSU_VERSION 1.17
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -76,7 +68,7 @@ RUN set -eux; \
 	export GNUPGHOME="$(mktemp -d)"; \
 	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
 	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	command -v gpgconf && gpgconf --kill all || :; \
+	gpgconf --kill all; \
 	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 	\
 # clean up fetch dependencies
@@ -87,3 +79,46 @@ RUN set -eux; \
 	gosu --version; \
 	gosu nobody true
 ```
+
+## `FROM centos|oraclelinux|...|ubi|...` (RPM-based distro)
+
+```dockerfile
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \
+	case "$rpmArch" in \
+		aarch64) dpkgArch='arm64' ;; \
+		armv[67]*) dpkgArch='armhf' ;; \
+		i[3456]86) dpkgArch='i386' ;; \
+		ppc64le) dpkgArch='ppc64el' ;; \
+		riscv64 | s390x) dpkgArch="$rpmArch" ;; \
+		x86_64) dpkgArch='amd64' ;; \
+		*) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \
+	esac; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+```
+
+Notes:
+
+- `gosu`'s `armhf` builds are ARMv6 (not ARMv7 as they might be in Debian proper) thanks to Raspbian, hence the `armv6` allowance above
+- `rpm` architecture values sourced from https://rpmfind.net/linux/rpm2html/search.php?query=rpm
+
+## Others / Lazy Method
+
+```dockerfile
+COPY --from=tianon/gosu /gosu /usr/local/bin/
+```