Skip to content

Releases: opencontainers/runc

runc 1.0 -- "A wizard is never late, nor is he early, he arrives precisely when he means to."

22 Jun 06:09
@cyphar cyphar
v1.0.0
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
84113ee
This commit was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0 -- "A wizard is never late, nor is he early, he arrives precisely when he means to."

This release has quite a few last-minute bug-fixes and various correctness and
performance improvements (almost all of which are related to cgroup handling),
and is the first non-rc release of runc in 5 years (v1.0.0-rc1 was released in
2016). It's been a very long road, and we thank the many contributors and
maintainers that helped us get to this point (approximately 422 people in
total).

As runc follows Semantic Versioning, we will endeavor to not make any
breaking changes without bumping the major version number of runc.

However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is not covered by this policy -- for
historical reasons, this code was not moved into an "internal" package
(this feature did not exist in Go at the time) and because certain
projects currently depend on this, we have not yet moved this code into
an internal package. Despite this, we reserve the right to make breaking
changes in our Go APIs (though we will note such changes in our
changelog, and will try to avoid needless disruption if possible).

Breaking changes:

  • Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
    use libcontainer/devices) (#2999)
  • Removed libcontainer/system.RunningInUserNS function (deprecated since
    rc94, use libcontainer/userns) (#2999)

Deprecations:

  • The usage of relative paths for mountpoints will now produce a warning
    (such configurations are outside of the spec, and in future runc will
    produce an error when given such configurations). (#2917, #3004)

Bugfixes:

  • cgroupv2: devices: rework the filter generation to produce consistent
    results with cgroupv1, and always clobber any existing eBPF
    program(s) to fix runc update and avoid leaking eBPF programs
    (resulting in errors when managing containers). (#2951)
  • cgroupv2: correctly convert "number of IOs" statistics in a
    cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
  • cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  • cgroupv2: wait for freeze to finish before returning from the freezing
    code, optimize the method for checking whether a cgroup is frozen. (#2955)
  • cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
  • cgroups/systemd: fixed returning "unit already exists" error from a systemd
    cgroup manager (regression in rc94) (#2997, #2996)

Improvements:

  • cgroupv2: support SkipDevices with systemd driver (#2958, #3019)
  • cgroup/systemd: return, not ignore, stop unit error from Destroy (#2946)
  • Fix all golangci-lint failures. (#2781, #2962)
  • Make "runc --version" output sane even when built with go get or
    otherwise outside of our build scripts. (#2962)
  • cgroups: set SkipDevices during runc update (so we don't modify
    cgroups at all during runc update). (#2994)
  • cgroup1: blkio: support BFQ weights. (#3010)
  • cgroupv2: set per-device io weights if BFQ IO scheduler is available.
    (#3022)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +5 -0 %2
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 9

runc 1.0-rc95 -- "Just when I thought I was out, they pull me back in."

19 May 10:04
@cyphar cyphar
v1.0.0-rc95
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
b9ee9c6
This commit was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc95 -- "Just when I thought I was out, they pull me back in."

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).

Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Due to the nature of this release, it didn't go through the normal
public release procedure. However, this break from procedure was agreed
upon on the security mailing list.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 9

runc 1.0-rc94 -- "Time is an illusion. Lunchtime doubly so."

10 May 14:43
@cyphar cyphar
v1.0.0-rc94
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
2c7861b
This commit was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc94 -- "Time is an illusion. Lunchtime doubly so."

This release fixes several regressions found in v1.0.0-rc93. We
recommend users update as soon as possible. This release includes the
following notable changes:

Potentially breaking changes:

  • cgroupv1: kernel memory limits are now always ignored, as kmemcg has
    been effectively deprecated by the kernel. Users should make use of
    regular memory cgroup controls. (#2840)
  • libcontainer/cgroups: cgroup managers' Set now accept
    configs.Resources rather than configs.Cgroups (#2906)
  • libcontainer/cgroups/systemd: reconnect and retry in case dbus
    connection is closed (after dbus restart) (#2923)
  • libcontainer/cgroups/systemd: don't set limits in Apply (#2814)

Bugfixes:

  • seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
  • cgroupv2: blkio weight value conversion fix (#2786)
  • runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
    (regression in rc93, #2871)
  • runc start: fix "chdir to cwd: permission denied" for some setups
    (regression in rc93, #2894)
  • s390: fix broken terminal (regression in rc93, #2898)

Improvements:

  • runc start/exec: better diagnostics when container limits are too low
    (#2812)
  • runc start/exec: better cleanup after failed runc init (#2855)
  • cgroupv1: improve freezing chances (#2941, #2918, #2791)
  • cgroupv2: multiple GetStats improvements (#2816, #2873)
  • cgroupv2: fallback to setting io.weight if io.bfq.weight is not
    available (#2820)
  • capabilities: WARN, not ERROR, for unknown / unavailable capabilities
    (#2854)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 9

runc 1.0-rc93 -- "I never could get the hang of Thursdays."

04 Feb 00:18
@cyphar cyphar
v1.0.0-rc93
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
12644e6
This commit was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc93 -- "I never could get the hang of Thursdays."

This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.

  • runc's cgroupv2 support is no longer considered experimental. It is now
    believed to be fully ready for production deployments. In addition, runc's
    cgroup code has been improved:

    • The systemd cgroup driver has been improved to be more resilient and
      handle more systemd properties correctly.
    • We now make use of openat2(2) when possible to improve the security of
      cgroup operations (in future runc will be wholesale ported to libpathrs to
      get this protection in all codepaths).

  • runc's mountinfo parsing code has been reworked significantly, making
    container startup times significantly faster and less wasteful in general.

  • runc now has special handling for seccomp profiles to avoid making new
    syscalls unusable for glibc. This is done by installing a custom prefix to
    all seccomp filters which returns -ENOSYS for syscalls that are newer than
    any syscall in the profile (meaning they have a larger syscall number).

    This should not cause any regressions (because previously users would simply
    get -EPERM rather than -ENOSYS, and the rule applied above is the most
    conservative rule possible) but please report any regressions you find as a
    result of this change -- in particular, programs which have special fallback
    code that is only run in the case of -EPERM.

  • runc now supports the following new runtime-spec features:

    • The umask of a container can now be specified.
    • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
      CAP_CHECKPOINT_RESTORE) are now supported.
    • The "unified" cgroup configuration option, which allows users to explicitly
      specify the limits based on the cgroup file names rather than abstracting
      them through OCI configuration. This is currently limited in scope to
      cgroupv2.

  • Various rootless containers improvements:

    • runc will no longer cause conflicts if a user specifies a custom device
      which conflicts with a user-configured device -- the user device takes
      precedence.
    • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.

  • runc --root is now always treated as local to the current working directory.

  • The --no-pivot-root hardening was improved to handle nested mounts properly
    (please note that we still strongly recommend that users do not use
    --no-pivot-root -- it is still an insecure option).

  • A large number of code cleanliness and other various cleanups, including
    fairly large changes to our tests and CI to make them all run more
    efficiently.

For packagers the following changes have been made which will have impact on
your packaging of runc:

  • The "selinux" and "apparmor" buildtags have been removed, and now all runc
    builds will have SELinux and AppArmor support enabled. Note that "seccomp"
    is still optional (though we very highly recommend you enable it).

  • make install DESTDIR= now functions correctly.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 9

runc 1.0-rc92 -- "Almost, but not quite, entirely unlike tea."

06 Aug 05:22
@cyphar cyphar
v1.0.0-rc92
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
ff819c7
Compare
Choose a tag to compare
runc 1.0-rc92 -- "Almost, but not quite, entirely unlike tea."

This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):

  • Fix helpers used by Docker to correctly handle symlinks in /dev (when running
    with --privileged containers).

As well as some other improvements:

  • Updates to CRIU support.
  • Improvements to cgroupfs performance and correctness.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

Assets 9

runc 1.0-rc91 -- "Just Hook a Right Over Here"

02 Jul 01:20
@cyphar cyphar
v1.0.0-rc91
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
24a3cf8
Compare
Choose a tag to compare
runc 1.0-rc91 -- "Just Hook a Right Over Here"

This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

  • The long-awaited hooks changes have been merged into runc. This was
    one of the few remaining spec-related issues which were blocking us
    from releasing runc 1.0. Existing hook users will not be affected by
    this change, but runc now supports additional hooks that we expect
    users to migrate to eventually. The new hooks are:

    • createRuntime (replacement for the now-deprecated prestart)
    • createContainer
    • startContainer

  • A large amount of effort has been undertaken to support cgroupv2
    within runc. The support is still considered experimental, but it is
    mostly functional at this point. Please report any bugs you find when
    running under cgroupv2-only systems.

  • A minor-severity security bug was fixed. The devices list would
    be in allow-by-default mode from the outset, meaning that users would
    have to explicitly specify they wish to deny all device access at the
    beginning of the configuration. While this would normally be
    considered a high-severity vulnerability, all known users of runc had
    worked around this issue several years ago (hence why this fairly
    obvious bug was masked).

    In addition, the devices list code has been massively improved such
    that it will attempt to avoid causing spurrious errors in the
    container (such as while writing to /dev/null) when doing devices
    cgroup updates.

  • A security audit of runc was conducted in 2019, and the report PDF is
    now included in the runc repository. The previous release of runc
    has already addressed the security issues found in that report.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

NOTE: For those who are confused by the massive version jump (rc10
to rc91), this was done to avoid issues with SemVer and lexical
comparisons -- there haven't been 90 other release candidates. Please
also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399
for more details.

Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai asarai@suse.de

Assets 9

runc 1.0-rc90 -- "We Have To Go Back!"

02 Jun 03:07
@cyphar cyphar
v1.0.0-rc90
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
dc9208a
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc90 -- "We Have To Go Back!"

This release is identical to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).

The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic sort -V order).

Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See #2399 for more details.

The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Signed-off-by: Aleksa Sarai asarai@suse.de

Assets 9

runc 1.0-rc10 -- "Procfs Strikes Back"

24 Jan 03:04
@cyphar cyphar
v1.0.0-rc10
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
dc9208a
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc10 -- "Procfs Strikes Back"

This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged the next rc release of runc should be the last one before
1.0.0.

Other notable changes include:

  • Fixing an exec-fifo race that could be triggered under Kubernetes (#2185).
  • Partial cgroupv2 support (#2209 for remaining issues).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de

Assets 9

runc 1.0-rc9 -- "Watch out for that first step, it's a doozy!"

05 Oct 11:38
@cyphar cyphar
v1.0.0-rc9
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
d736ef1
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc9 -- "Watch out for that first step, it's a doozy!"

This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de

Assets 9

runc 1.0-rc8 -- "Oops, We Did It Again!"

26 Apr 05:07
@cyphar cyphar
v1.0.0-rc8
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
425e105
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 9E18AA267DDB8DB4
Learn about vigilant mode.
Compare
Choose a tag to compare
runc 1.0-rc8 -- "Oops, We Did It Again!"

This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels
(which don't support keycreate labeling). Users are strongly encouraged
to update, as this regression was introduced in 1.0.0-rc7 and has
blocked many users from updating to mitigate CVE-2019-5736.

Bugs: #2032 #2031 #2043

At the moment the only outlying issue before we can release 1.0.0 is
some spec discussions we are having about OCI hooks and how to handle
the integration with existing NVIDIA hooks. We will do our best to
finish this work as soon as we can.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

Signed-off-by: Aleksa Sarai asarai@suse.de

Assets 9