Merge branch 'main' into feature/rekor

Signed-off-by: Jason Hall <jason@chainguard.dev>
wolfi-dev · Mar 17, 2023 · 26973fa · 26973fa
2 parents 6cd8852 + 822c310
commit 26973fa
Show file tree

Hide file tree

Showing 121 changed files with 1,549 additions and 389 deletions.
diff --git a/.github/pull-request-template.md b/.github/pull-request-template.md
@@ -5,7 +5,7 @@ Provide a short summary in the Title above. Examples of good PR titles:
 -->
 
 <!--
-Please include references to any related issues. 
+Please include references to any related issues or delete this section otherwise.
  -->
 
 Fixes: 
@@ -23,19 +23,20 @@ will affect, so please take the time to jot it down.
 
 Put an `x` in all the items that apply, make notes next to any that haven't been
 addressed, and remove any items that are not relevant to this PR.
--->
 
-#### For new package PRs only
+-->
 
+#### For new package PRs only 
+<!-- remove if unrelated -->
 - [ ] This PR is marked as fixing a pre-existing package request bug
   - [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
-- [ ] The package is available under an OSI-approved or FSF-approved license
-- [ ] The version of the package is still receiving security updates
+- [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license
+- [ ] REQUIRED - The version of the package is still receiving security updates
 
 #### For security-related PRs
-
+<!-- remove if unrelated -->
 - [ ] The security fix is recorded in `annotations` and `secfixes`
 
 #### For version bump PRs
-
+<!-- remove if unrelated -->
 - [ ] The `epoch` field is reset to 0
diff --git a/Makefile b/Makefile
diff --git a/apko.yaml b/apko.yaml
@@ -1,7 +1,7 @@
 package:
   name: apko
   version: 0.7.1
-  epoch: 0
+  epoch: 1
   description: Build OCI images using APK directly without Dockerfile
   copyright:
     - license: Apache-2.0

diff --git a/bom.yaml b/bom.yaml
@@ -1,7 +1,7 @@
 package:
   name: bom
   version: 0.4.1
-  epoch: 1
+  epoch: 2
   description: A utility to generate SPDX-compliant Bill of Materials manifests
   copyright:
     - license: Apache-2.0

diff --git a/calicoctl.yaml b/calicoctl.yaml
@@ -1,7 +1,7 @@
 package:
   name: calicoctl
   version: 3.25.0
-  epoch: 0
+  epoch: 1
   description: "CLI tool that allows management of Calico API resources"
   copyright:
     - license: Apache-2.0
@@ -32,4 +32,4 @@ pipeline:
 
       mkdir -p ${{targets.destdir}}/usr/bin
       go build -v -o ${{targets.destdir}}/usr/bin/calicoctl -ldflags "$LDFLAGS" "./calicoctl/calicoctl/calicoctl.go"
-  - uses: strip
+  - uses: strip
diff --git a/cosign.yaml b/cosign.yaml
@@ -1,7 +1,7 @@
 package:
   name: cosign
   version: 2.0.0
-  epoch: 0
+  epoch: 1
   description: Container Signing
   copyright:
     - license: Apache-2.0

diff --git a/crane.yaml b/crane.yaml
@@ -1,7 +1,7 @@
 package:
   name: crane
-  version: 0.13.0
-  epoch: 1
+  version: 0.14.0
+  epoch: 0
   description: Tool for interacting with remote images and registries.
   copyright:
     - license: Apache-2.0
@@ -18,7 +18,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/google/go-containerregistry/archive/v${{package.version}}/v${{package.version}}.tar.gz
-      expected-sha256: e5946a3cab514085278386cf9962a3591def359dbc213c06e7a53501766590fd
+      expected-sha256: 33ce5a1745c595b8cf7d9f231b7b7c8fea22a5f71c386fc8325d0e0c18bf686d
   - runs: |
       CGO_ENABLED=0 go build \
         -trimpath -ldflags \

diff --git a/ctop.yaml b/ctop.yaml
@@ -0,0 +1,29 @@
+package:
+  name: ctop
+  version: 0.7.7
+  epoch: 0
+  description: Top-like interface for container metrics
+  target-architecture:
+    - all
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: MIT
+environment:
+  contents:
+    packages:
+      - busybox
+      - ca-certificates-bundle
+      - build-base
+      - automake
+      - go
+      - git
+pipeline:
+  - uses: fetch
+    with:
+      expected-sha512: 9924c4dc5da489f90b029bc8060e759edf02a170e17bbc9f9c29b6536e5bc3e5eec69af829c7662a1f69cd331fc24022cae8b30e865a07742fd7e3623bc7f33f
+      uri: https://github.com/bcicen/ctop/archive/refs/tags/v${{package.version}}.tar.gz
+  - runs: |
+      make build
+      install -Dm755 ctop "${{targets.destdir}}"/usr/bin/ctop
diff --git a/curl.yaml b/curl.yaml
@@ -5,13 +5,15 @@ package:
   description: "URL retrieval utility and library"
   copyright:
     - license: MIT
+
 secfixes:
   7.87.0-r0:
     - CVE-2022-43551
     - CVE-2022-43552
   7.86.0-r0:
     - CVE-2022-42916
     - CVE-2022-32221
+
 environment:
   contents:
     packages:
@@ -24,6 +26,7 @@ environment:
       - zlib-dev
       - brotli-dev
       - rustls-ffi
+
 pipeline:
   - uses: fetch
     with:
@@ -57,6 +60,7 @@ pipeline:
   - runs: |
       make install DESTDIR="/home/build/curl-rustls"
   - uses: strip
+
 subpackages:
   - name: "curl-dev"
     description: "headers for libcurl"
@@ -89,6 +93,7 @@ subpackages:
       - runs: |
           mkdir -p "${{targets.subpkgdir}}"/usr/lib
           mv "/home/build/curl-rustls"/usr/lib/libcurl.so.* "${{targets.subpkgdir}}"/usr/lib/
+
 advisories:
   CVE-2022-32221:
     - timestamp: 2022-12-09T12:10:34-05:00
@@ -99,10 +104,10 @@ advisories:
       status: fixed
       fixed-version: 7.86.0-r0
   CVE-2022-43551:
-    - timestamp: 2022-12-21T13:16:36+00:00
+    - timestamp: 2022-12-21T13:16:36Z
       status: fixed
       fixed-version: 7.87.0-r0
   CVE-2022-43552:
-    - timestamp: 2022-12-21T13:16:36+00:00
+    - timestamp: 2022-12-21T13:16:36Z
       status: fixed
       fixed-version: 7.87.0-r0
diff --git a/dataplaneapi.yaml b/dataplaneapi.yaml
@@ -1,7 +1,7 @@
 package:
   name: dataplaneapi
   version: 2.7.2
-  epoch: 0
+  epoch: 1
   description: HAProxy Data Plane API
   copyright:
     - license: Apache-2.0

diff --git a/delve.yaml b/delve.yaml
@@ -1,7 +1,7 @@
 package:
   name: delve
   version: 1.20.1
-  epoch: 1
+  epoch: 2
   description: Delve is a debugger for the Go programming language.
   copyright:
     - license: MIT

diff --git a/deno.yaml b/deno.yaml
@@ -1,10 +1,11 @@
 package:
   name: deno
-  version: 1.31.1
+  version: 1.31.3
   epoch: 0
   description: "A modern runtime for JavaScript and TypeScript."
   copyright:
     - license: MIT
+
 environment:
   contents:
     packages:
@@ -18,22 +19,25 @@ environment:
       - glibc-dev
       - posix-libc-utils
       - bash
+
 pipeline:
   - uses: fetch
     with:
       uri: https://github.com/denoland/deno/releases/download/v${{package.version}}/deno_src.tar.gz
-      expected-sha256: d39666180142d936e187c9eb9e2037e1db246c387b0d50ad2d7fed37271856ba
+      expected-sha256: 94746cfdc02333e7b47a1154784aeb2b1eef30b42ba285d77e62f92958442d30
   - name: Configure and build
     runs: |
       cargo build --release -vv
       mkdir -p ${{targets.destdir}}/usr/bin/
       mv target/release/deno ${{targets.destdir}}/usr/bin/
   - uses: strip
+
 advisories:
   CVE-2023-22499:
     - timestamp: 2023-02-11T12:51:24.232894-05:00
       status: fixed
       fixed-version: 1.30.0-r0
+
 secfixes:
   1.30.0-r0:
     - CVE-2023-22499
diff --git a/dex.yaml b/dex.yaml
@@ -2,7 +2,7 @@ package:
   name: dex
   # When bumping the version check if the GHSA mitigations below can be removed.
   version: 2.35.3
-  epoch: 1
+  epoch: 2
   description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
   copyright:
     - license: Apache-2.0

diff --git a/dhcping.yaml b/dhcping.yaml
@@ -0,0 +1,36 @@
+package:
+  name: dhcping
+  version: 1.2
+  epoch: 0
+  description: dhcp daemon ping program
+  target-architecture:
+    - all
+  copyright:
+    - paths:
+        - "*"
+      attestation: TODO
+      license: BSD-2-Clause
+environment:
+  contents:
+    packages:
+      - busybox
+      - ca-certificates-bundle
+      - build-base
+      - automake
+      - autoconf
+pipeline:
+  - uses: fetch
+    with:
+      expected-sha256: 32ef86959b0bdce4b33d4b2b216eee7148f7de7037ced81b2116210bc7d3646a
+      uri: http://www.mavetju.org/download/dhcping-${{package.version}}.tar.gz
+  - uses: patch
+    with:
+      patches: fix-endless-getopt-loop.patch
+  - uses: autoconf/configure
+    with:
+      opts: |
+        --host=${{host.triplet.gnu}} \
+        --build=${{host.triplet.gnu}}
+  - uses: autoconf/make
+  - uses: autoconf/make-install
+  - uses: strip
diff --git a/dhcping/fix-endless-getopt-loop.patch b/dhcping/fix-endless-getopt-loop.patch
@@ -0,0 +1,25 @@
+From 27e74baf97c4669e14b8c690044ab979dc34b2ef Mon Sep 17 00:00:00 2001
+From: Petr Fedchenkov <giggsoff@gmail.com>
+Date: Tue, 28 Jun 2022 10:54:24 +0300
+Subject: [PATCH] Fix type to not hit endless getopt loop
+
+Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
+---
+ dhcping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dhcping.c b/dhcping.c
+index 7eb5ae6..cdce51c 100644
+--- a/dhcping.c
++++ b/dhcping.c
+@@ -70,7 +70,7 @@ unsigned char serveridentifier[4];
+ int maxwait=3;
+
+ void doargs(int argc,char **argv) {
+-    char ch;
++    int ch;
+
+     inform=request=verbose=VERBOSE=quiet=0;
+     ci=gi=server="0.0.0.0";
+-- 
+2.34.1
diff --git a/docker-credential-ecr-login.yaml b/docker-credential-ecr-login.yaml
@@ -1,7 +1,7 @@
 package:
   name: docker-credential-ecr-login
   version: 0.6.0
-  epoch: 2
+  epoch: 3
   description: Credential helper for Docker to use the AWS Elastic Container Registry
   copyright:
     - license: Apache-2.0

diff --git a/etcd.yaml b/etcd.yaml
@@ -1,7 +1,7 @@
 package:
   name: etcd
   version: 3.5.7
-  epoch: 1
+  epoch: 2
   description: A highly-available key value store for shared configuration and service discovery.
   copyright:
     - license: Apache-2.0

diff --git a/flux.yaml b/flux.yaml
@@ -1,7 +1,7 @@
 package:
   name: flux
-  version: 0.40.2
-  epoch: 0
+  version: 0.41.1
+  epoch: 1
   description: Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit.
   copyright:
     - license: Apache-2.0
@@ -20,7 +20,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/fluxcd/flux2/archive/v${{package.version}}/v${{package.version}}.tar.gz
-      expected-sha256: 9bfa38503352e638e16cc5b4ca297ae5e42789526bcd06b5bf60d8e4a47534ae
+      expected-sha256: 1e875dba2c25911d0ca98781f54023a9c9020a9ec94c0f290d50adf19972c2fc
   - runs: |
       mkdir -p "${{targets.destdir}}"/usr/bin
       VERSION=${{package.version}} make build

diff --git a/git-lfs.yaml b/git-lfs.yaml
@@ -1,7 +1,7 @@
 package:
   name: git-lfs
   version: 3.3.0
-  epoch: 5
+  epoch: 6
   description: "large file support for git"
   copyright:
     - license: MIT

diff --git a/git.yaml b/git.yaml
@@ -1,7 +1,7 @@
 package:
   name: git
-  version: 2.39.2
-  epoch: 1
+  version: 2.40.0
+  epoch: 0
   description: "distributed version control system"
   copyright:
     - license: GPL-2.0-or-later
@@ -36,7 +36,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://www.kernel.org/pub/software/scm/git/git-${{package.version}}.tar.xz
-      expected-sha256: 475f75f1373b2cd4e438706185175966d5c11f68c4db1e48c26257c43ddcf2d6
+      expected-sha256: b17a598fbf58729ef13b577465eb93b2d484df1201518b708b5044ff623bf46d
   - runs: |
       cat >> config.mak <<-EOF
       NO_GETTEXT=YesPlease

diff --git a/gitsign.yaml b/gitsign.yaml
@@ -1,7 +1,7 @@
 package:
   name: gitsign
   version: 0.5.2
-  epoch: 0
+  epoch: 1
   description: Keyless Git signing with Sigstore!
   copyright:
     - license: Apache-2.0