2016.14

@cgwalters cgwalters released this 23 Nov 16:47
v2016.14

First, this release adds GPG verification for the commit objects
inside deltas. This was a vulnerability if you are fetching content
over plain HTTP, and is still important if using TLS. More
information is available in the commit
and there is continuing upstream discussion
of transport integrity models.

Also regarding GPG, we now make it easier to use a GPG ASCII key
in a remote configuration.

Another major thing in this release is that we started making more use
of the GCC/Clang sanitizers like
-fsanitize=address, -fsanitize=undefined etc. and numerous small
memory leaks were fixed in particular.

Thanks to all contributors!

Abhay Kadam (1):
      Fix broken link in docs/CONTRIBUTING.md

Alexander Larsson (1):
      commit: Fix reading xattrs from OstreeRepoFile:s

Colin Walters (17):
      travis: Drop debian unstable since we can't fetch packages reliably
      pull: Add support for `http-headers` option
      pull: Redo logic for "scanning"
      lib: Define and use cleanup functions for gpgme
      lib: Split out helper function to create GPG context
      Add "gpgkeypath" option to remotes
      lib: Add an API to GPG verify a commit given a remote
      [UBSAN] deltas: Don't call memset(NULL, NULL, 0) with no xattrs
      [TSAN] main: Stop calling g_set_prgname()
      [TSAN] Rework assertions to always access refcount atomically
      pull: Dedup code for checking for > 0 valid results
      pull: Use new per-remote API for GPG verification
      pull: Do GPG verify commit objects when using deltas
      tests: Support TEST_SKIP_CLEANUP=err
      [ASAN] tests: Fix some memleaks in libarchive importer
      [ASAN] lib: Squash various leaks in library and commandline
      Release 2016.14

Jasper St. Pierre (3):
      ostree-repo: Fix parameter name
      ostree-repo-static-delta-processing: Don't close(-1)
      ostree-repo: Make the lock with a long-lasting FD

Jonathan Lebon (1):
      .redhat-ci.yml: no longer install libubsan & clang

William Manley (1):
      ostree commit: Fix combining trees with multiple --tree=ref arguments


Git-EVTag-v0-SHA512: 6756eef81978c4a9559327972b53019f9ea214ab92af266054d303770e7a60684e73fba0870fda81b5262a0ab3aae3f89d962cd346930932a3c668f081d5726a