diff --git a/.github/pull-request-template.md b/.github/pull-request-template.md index 0981a83ff02..eae9f847918 100644 --- a/.github/pull-request-template.md +++ b/.github/pull-request-template.md @@ -5,7 +5,7 @@ Provide a short summary in the Title above. Examples of good PR titles: --> Fixes: @@ -23,19 +23,20 @@ will affect, so please take the time to jot it down. Put an `x` in all the items that apply, make notes next to any that haven't been addressed, and remove any items that are not relevant to this PR. ---> -#### For new package PRs only +--> +#### For new package PRs only + - [ ] This PR is marked as fixing a pre-existing package request bug - [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency -- [ ] The package is available under an OSI-approved or FSF-approved license -- [ ] The version of the package is still receiving security updates +- [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license +- [ ] REQUIRED - The version of the package is still receiving security updates #### For security-related PRs - + - [ ] The security fix is recorded in `annotations` and `secfixes` #### For version bump PRs - + - [ ] The `epoch` field is reset to 0 diff --git a/Makefile b/Makefile index c4173ce8923..d4fd30a098f 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,12 @@ +USE_CACHE ?= yes ARCH ?= $(shell uname -m) +ifeq (${ARCH}, arm64) + ARCH = aarch64 + # Presently buggy because --cache-dir is presumed to be both a source + # and a destination. See melange#329. + USE_CACHE = no +endif + MELANGE_DIR ?= ../melange MELANGE ?= ${MELANGE_DIR}/melange KEY ?= local-melange.rsa 
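Review bot: `USE_CACHE = no` inside the new arm64 branch is an ordinary file assignment, so a user's `make USE_CACHE=yes` on the command line silently overrides it and the build takes the `--cache-dir` path that the comment itself says is broken (melange#329); the `ifeq (${USE_CACHE}, yes)` gate that consumes the value sits in the next Makefile hunk. If the arm64 disable is meant to be unconditional, make it `override USE_CACHE = no`; if opting back in is intentional, record that next to the bug note, e.g. `# Pass USE_CACHE=yes on the command line to force caching despite melange#329.` `USE_CACHE ?= yes` is the only documentation the knob gets, so a one-line comment above it naming its accepted values (`yes`/`no`) would help anyone invoking this Makefile. Minor: `ARCH = aarch64` rebinds a `?=` variable with a recursive assignment; `ARCH := aarch64` says the same thing with the simpler flavour.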
@@ -15,11 +23,14 @@ MELANGE_OPTS += --signing-key ${KEY}
 MELANGE_OPTS += --pipeline-dir ${MELANGE_DIR}/pipelines
 MELANGE_OPTS += --arch ${ARCH}
 MELANGE_OPTS += --env-file build-${ARCH}.env
-MELANGE_OPTS += --cache-dir ${CACHE_DIR}
 MELANGE_OPTS += --namespace wolfi
 MELANGE_OPTS += --generate-index false
 MELANGE_OPTS += ${MELANGE_EXTRA_OPTS}
 
+ifeq (${USE_CACHE}, yes)
+ MELANGE_OPTS += --cache-dir ${CACHE_DIR}
+endif
+
 ifeq (${BUILDWORLD}, no)
 MELANGE_OPTS += -k ${WOLFI_SIGNING_PUBKEY}
 MELANGE_OPTS += -r ${WOLFI_PROD}
@@ -60,10 +71,10 @@ $(eval $(call build-package,flex,2.6.4-r4))
 $(eval $(call build-package,glibc,2.37-r3))
 $(eval $(call build-package,build-base,1-r5))
 $(eval $(call build-package,gcc,12.2.0-r9))
-$(eval $(call build-package,openssl,3.0.8-r0))
+$(eval $(call build-package,openssl,3.1.0-r0))
 $(eval $(call build-package,binutils,2.40-r2))
 $(eval $(call build-package,bison,3.8.2-r3))
-$(eval $(call build-package,etcd,3.5.7-r1))
+$(eval $(call build-package,etcd,3.5.7-r2))
 $(eval $(call build-package,pax-utils,1.3.4-r4))
 $(eval $(call build-package,texinfo,7.0.2-r2))
 $(eval $(call build-package,gzip,1.12-r3))
@@ -150,30 +161,30 @@ $(eval $(call build-package,py3-magic,0.4.27-r2))
 $(eval $(call build-package,libedit,3.1-r2))
 $(eval $(call build-package,tiff,4.5.0-r2))
 $(eval $(call build-package,pcre2,10.42-r2))
-$(eval $(call build-package,git,2.39.2-r1))
+$(eval $(call build-package,git,2.40.0-r0))
 $(eval $(call build-package,bash,5.2.15-r2))
 $(eval $(call build-package,go-stage0,1.19.1-r2))
-$(eval $(call build-package,go-1.19,1.19.6-r1))
-$(eval $(call build-package,go-1.20,1.20.1-r1))
-$(eval $(call build-package,git-lfs,3.3.0-r5))
+$(eval $(call build-package,go-1.19,1.19.7-r0))
+$(eval $(call build-package,go-1.20,1.20.2-r0))
+$(eval $(call build-package,git-lfs,3.3.0-r6))
 $(eval $(call build-package,openssh,9.2_p1-r0))
 $(eval $(call build-package,skalibs,2.13.1.0-r0))
 $(eval $(call build-package,execline,2.9.2.1-r0))
 $(eval $(call build-package,s6,2.11.3.0-r0))
 $(eval $(call build-package,libretls,3.5.2-r2))
-$(eval $(call build-package,grype,0.59.0-r0))
-$(eval $(call build-package,trivy,0.38.1-r0))
-$(eval $(call build-package,ruby-3.0,3.0.4-r4))
+$(eval $(call build-package,grype,0.59.1-r1))
+$(eval $(call build-package,trivy,0.38.3-r0))
+$(eval $(call build-package,ruby-3.0,3.0.5-r0))
 $(eval $(call build-package,ruby-3.1,3.1.3-r4))
-$(eval $(call build-package,ruby-3.2,3.2.0-r6))
+$(eval $(call build-package,ruby-3.2,3.2.1-r0))
 $(eval $(call build-package,rust-stage0,1.65.0-r2))
 $(eval $(call build-package,http-parser,2.9.4-r2))
 $(eval $(call build-package,libssh2,1.10.0-r2))
 $(eval $(call build-package,libgit2,1.6.2-r0))
 $(eval $(call build-package,meson,1.0.1-r0))
 $(eval $(call build-package,wasi-libc,0.20220525-r2))
-$(eval $(call build-package,rust,1.67.1-r0))
-$(eval $(call build-package,deno,1.31.1-r0))
+$(eval $(call build-package,rust,1.68.0-r0))
+$(eval $(call build-package,deno,1.31.3-r0))
 $(eval $(call build-package,rustup,1.25.2-r0))
 $(eval $(call build-package,libcap,2.26-r2))
 $(eval $(call build-package,tree,2.1.0-r2))
@@ -189,7 +200,7 @@ $(eval $(call build-package,libgcrypt,1.10.1-r3))
 $(eval $(call build-package,libxml2,2.10.3-r3))
 $(eval $(call build-package,perl-test-pod,1.52-r2))
 $(eval $(call build-package,perl-yaml-syck,1.34-r2))
-$(eval $(call build-package,prometheus,2.42.0-r2))
+$(eval $(call build-package,prometheus,2.42.0-r3))
 $(eval $(call build-package,libxslt,1.1.37-r2))
 $(eval $(call build-package,docbook-xml,4.5-r2))
 $(eval $(call build-package,xmlto,0.0.28-r3))
@@ -214,7 +225,7 @@ $(eval $(call build-package,py3-markupsafe,2.1.2-r2))
 $(eval $(call build-package,py3-jinja2,3.1.2-r2))
 $(eval $(call build-package,nano,7.2-r0))
 $(eval $(call build-package,nodejs-16,16.19.1-r0))
-$(eval $(call build-package,nodejs-18,18.14.2-r0))
+$(eval $(call build-package,nodejs-18,18.15.0-r1))
 $(eval $(call build-package,nodejs-19,19.7.0-r0))
 $(eval $(call build-package,yarn,1.22.19-r3))
 $(eval $(call build-package,libxt,1.2.1-r2))
@@ -231,8 +242,8 @@ $(eval $(call build-package,fontconfig,2.14.2-r0))
 $(eval $(call build-package,giflib,5.2.1-r2))
 $(eval $(call build-package,libjpeg,2.1.91-r1))
 $(eval $(call build-package,lcms2,2.14-r2))
-$(eval $(call build-package,openjdk-11,11.0.18-r1))
-$(eval $(call build-package,openjdk-17,17.0.6-r1))
+$(eval $(call build-package,openjdk-11,11.0.19+5-r0))
+$(eval $(call build-package,openjdk-17,17.0.7+5-r0))
 $(eval $(call build-package,su-exec,0.2-r1))
 $(eval $(call build-package,llvm15,15.0.6-r1))
 $(eval $(call build-package,postgresql-11,11.19-r0,postgresql))
@@ -252,20 +263,20 @@ $(eval $(call build-package,bazel-5,5.4.0-r2,bazel))
 $(eval $(call build-package,bazel-6,6.0.0-r3,bazel))
 $(eval $(call build-package,libmaxminddb,1.7.1-r1))
 $(eval $(call build-package,clang-15,15.0.6-r1))
-$(eval $(call build-package,jenkins,2.394-r0))
-$(eval $(call build-package,cosign,2.0.0-r0))
+$(eval $(call build-package,jenkins,2.395-r0))
+$(eval $(call build-package,cosign,2.0.0-r1))
 $(eval $(call build-package,yasm,1.3.0-r0))
-$(eval $(call build-package,crane,0.13.0-r1))
+$(eval $(call build-package,crane,0.14.0-r0))
 $(eval $(call build-package,geoip,1.6.12-r0))
 $(eval $(call build-package,pcre,8.45-r0))
-$(eval $(call build-package,go-bindata,3.1.3-r2))
+$(eval $(call build-package,go-bindata,3.1.3-r3))
 $(eval $(call build-package,popt,1.19-r0))
 $(eval $(call build-package,rsync,3.2.7-r0))
 $(eval $(call build-package,zeromq,4.3.4-r0))
-$(eval $(call build-package,kubectl,1.26.1-r1))
-$(eval $(call build-package,regclient,0.4.5-r2))
+$(eval $(call build-package,kubectl,1.26.2-r0))
+$(eval $(call build-package,regclient,0.4.5-r3))
 $(eval $(call build-package,libwebp,1.2.4-r0))
-$(eval $(call build-package,skopeo,1.11.1-r0))
+$(eval $(call build-package,skopeo,1.11.1-r1))
 $(eval $(call build-package,llvm-libunwind,15.0.7-r0))
 $(eval $(call build-package,llvm-lld,15.0.7-r0))
 $(eval $(call build-package,mimalloc2,2.0.7-r0))
@@ -273,18 +284,18 @@ $(eval $(call build-package,libtbb,2021.7.0-r0))
 $(eval $(call build-package,mold,1.10.1-r0))
 $(eval $(call build-package,dumb-init,1.2.5-r0))
 $(eval $(call build-package,envoy,1.25.1-r0))
-$(eval $(call build-package,redis,7.0.8-r1))
+$(eval $(call build-package,redis,7.0.9-r0))
 $(eval $(call build-package,mailcap,2.1.53-r0))
-$(eval $(call build-package,php,8.2.3-r0))
+$(eval $(call build-package,php,8.2.4-r0))
 $(eval $(call build-package,composer,2.5.1-r0))
 $(eval $(call build-package,yaml,0.2.5-r0))
-$(eval $(call build-package,docker-credential-ecr-login,0.6.0-r2))
+$(eval $(call build-package,docker-credential-ecr-login,0.6.0-r3))
 $(eval $(call build-package,pwgen,2.08-r1))
 $(eval $(call build-package,mariadb,10.6.12-r1,mariadb))
 $(eval $(call build-package,wait-for-it,0.20200823-r1))
 $(eval $(call build-package,argon2,20190702-r0))
 $(eval $(call build-package,haproxy,2.6.9-r1))
-$(eval $(call build-package,vault,1.12.3-r0))
+$(eval $(call build-package,vault,1.13.0-r0))
 $(eval $(call build-package,libunistring,1.1-r1))
 $(eval $(call build-package,gettext,0.21.1-r0))
 $(eval $(call build-package,libcap-ng,0.8.3-r0))
@@ -306,9 +317,9 @@ $(eval $(call build-package,erlang,25.2-r0))
 $(eval $(call build-package,elixir,1.14.2-r0))
 $(eval $(call build-package,rabbitmq-server,3.11.10-r0))
 $(eval $(call build-package,gd,2.3.3-r0))
-$(eval $(call build-package,kyverno-cli,1.8.5-r0))
+$(eval $(call build-package,kyverno-cli,1.8.5-r1))
 $(eval $(call build-package,py3-sphinx,6.0.0-r0))
-$(eval $(call build-package,heimdal,7.8.0-r0))
+$(eval $(call build-package,heimdal,7.8.0-r1))
 $(eval $(call build-package,cyrus-sasl,2.1.28-r0))
 $(eval $(call build-package,e2fsprogs,1.46.5-r0))
 $(eval $(call build-package,unixodbc,2.3.11-r0))
@@ -319,21 +330,21 @@ $(eval $(call build-package,memcached,1.6.18-r0))
 $(eval $(call build-package,groff,1.22.4-r0))
 $(eval $(call build-package,db,5.3.28-r0))
 $(eval $(call build-package,openldap,2.6.3-r0))
-$(eval $(call build-package,ko,0.12.0-r0))
-$(eval $(call build-package,apko,0.7.1-r0))
-$(eval $(call build-package,melange,0.2.0-r0))
-$(eval $(call build-package,goreleaser,1.15.2-r0))
-$(eval $(call build-package,nerdctl,1.2.0-r0))
-$(eval $(call build-package,tkn,0.28.0-r0))
-$(eval $(call build-package,bom,0.4.1-r1))
+$(eval $(call build-package,ko,0.13.0-r1))
+$(eval $(call build-package,apko,0.7.1-r1))
+$(eval $(call build-package,melange,0.2.0-r1))
+$(eval $(call build-package,goreleaser,1.15.2-r1))
+$(eval $(call build-package,nerdctl,1.2.0-r1))
+$(eval $(call build-package,tkn,0.28.0-r1))
+$(eval $(call build-package,bom,0.4.1-r2))
 $(eval $(call build-package,libverto,0.3.2-r0))
 $(eval $(call build-package,keyutils,1.6.3-r0))
 $(eval $(call build-package,krb5-conf,1.0-r0))
 $(eval $(call build-package,krb5,1.20.1-r1))
 $(eval $(call build-package,libtirpc,1.3.3-r0))
 $(eval $(call build-package,rustls-ffi,0.8.2-r1))
-$(eval $(call build-package,spire-server,1.5.5-r0))
-$(eval $(call build-package,kustomize,5.0.0-r1))
+$(eval $(call build-package,spire-server,1.5.5-r1))
+$(eval $(call build-package,kustomize,5.0.1-r0))
 $(eval $(call build-package,alpine-keys,2.4-r1))
 $(eval $(call build-package,xcb-util,0.4.1-r0))
 $(eval $(call build-package,pixman,0.42.2-r0))
@@ -363,7 +374,7 @@ $(eval $(call build-package,wayland-protocols,1.31-r0))
 $(eval $(call build-package,at-spi2-core,2.46.0-r0))
 $(eval $(call build-package,itstool,2.0.7-r0))
 $(eval $(call build-package,shared-mime-info,2.2-r0))
-$(eval $(call build-package,scorecard,4.10.2-r1))
+$(eval $(call build-package,scorecard,4.10.2-r2))
 $(eval $(call build-package,libkcapi,1.4.0-r0))
 $(eval $(call build-package,libidn2,2.3.4-r0))
 $(eval $(call build-package,libksba,1.6.3-r0))
@@ -393,58 +404,57 @@ $(eval $(call build-package,py3-yaml,6.0-r0))
 $(eval $(call build-package,nginx,1.23.3-r1))
 $(eval $(call build-package,python-3.10,3.10.9-r3))
 $(eval $(call build-package,aws-cli,1.27.38-r0))
-$(eval $(call build-package,helm,3.11.1-r1))
-$(eval $(call build-package,kubescape,2.0.183-r1))
+$(eval $(call build-package,helm,3.11.2-r0))
+$(eval $(call build-package,kubescape,2.0.183-r2))
 $(eval $(call build-package,s3cmd,2.3.0-r0))
-$(eval $(call build-package,kubevela,1.7.0-r1))
+$(eval $(call build-package,kubevela,1.7.0-r2))
 $(eval $(call build-package,fluent-bit,2.0.8-r0))
-$(eval $(call build-package,sbom-scorecard,0.0.5-r0))
+$(eval $(call build-package,sbom-scorecard,0.0.5-r1))
 $(eval $(call build-package,libaio,0.3.113-r1))
-$(eval $(call build-package,flux,0.40.2-r0))
+$(eval $(call build-package,flux,0.41.1-r1))
 $(eval $(call build-package,libunwind,1.6.2-r0))
 $(eval $(call build-package,userspace-rcu,0.13.2-r0))
 $(eval $(call build-package,lttng-ust,2.13.5-r0))
 $(eval $(call build-package,jemalloc,5.3.0-r0))
-$(eval $(call build-package,traefik,2.9.8-r1))
+$(eval $(call build-package,traefik,2.9.8-r2))
 $(eval $(call build-package,snappy,1.1.9-r0))
-$(eval $(call build-package,gitsign,0.5.2-r0))
-$(eval $(call build-package,kind,0.17.0-r1))
-$(eval $(call build-package,vim,9.0.1275-r0))
-$(eval $(call build-package,policy-controller,0.7.0-r0))
-$(eval $(call build-package,syft,0.70.0-r0))
+$(eval $(call build-package,gitsign,0.5.2-r1))
+$(eval $(call build-package,kind,0.17.0-r2))
+$(eval $(call build-package,vim,9.0.1402-r0))
+$(eval $(call build-package,policy-controller,0.7.0-r1))
+$(eval $(call build-package,syft,0.70.0-r1))
 $(eval $(call build-package,uutils,0.0.17-r0))
-$(eval $(call build-package,yq,4.30.8-r0))
-$(eval $(call build-package,delve,1.20.1-r1))
-$(eval $(call build-package,oras,0.16.0-r0))
-$(eval $(call build-package,step,0.23.1-r0))
+$(eval $(call build-package,yq,4.30.8-r1))
+$(eval $(call build-package,delve,1.20.1-r2))
+$(eval $(call build-package,oras,0.16.0-r2))
+$(eval $(call build-package,step,0.23.1-r1))
 $(eval $(call build-package,netcat-openbsd,1.219-r0))
 $(eval $(call build-package,gnutar,1.34-r0))
 $(eval $(call build-package,dpkg,1.20.12-r0))
-$(eval $(call build-package,calicoctl,3.25.0-r0))
+$(eval $(call build-package,calicoctl,3.25.0-r1))
 $(eval $(call build-package,container-entrypoint,0.1.0-r0))
-$(eval $(call build-package,gomplate,3.11.4-r0))
-$(eval $(call build-package,dex,2.35.3-r1))
 $(eval $(call build-package,ruby3.2-bundler,2.4.7-r1))
-$(eval $(call build-package,ruby3.2-async-io,1.34.3-r0))
+$(eval $(call build-package,ruby3.2-async-io,1.34.3-r1))
 $(eval $(call build-package,ruby3.2-cool.io,1.7.1-r0))
 $(eval $(call build-package,ruby3.2-fiber-local,1.0.0-r0))
-$(eval $(call build-package,ruby3.2-fluentd,1.15.3-r1))
+$(eval $(call build-package,ruby3.2-fluentd14,1.14.6-r0))
+$(eval $(call build-package,ruby3.2-fluentd15,1.15.3-r0))
 $(eval $(call build-package,ruby3.2-msgpack,1.6.0-r0))
 $(eval $(call build-package,ruby3.2-oj,3.14.2-r0))
 $(eval $(call build-package,ruby3.2-rexml,3.2.5-r0))
-$(eval $(call build-package,ruby3.2-serverengine,2.3.1-r0))
+$(eval $(call build-package,ruby3.2-serverengine,2.3.1-r1))
 $(eval $(call build-package,ruby3.2-sigdump,0.2.4-r0))
 $(eval $(call build-package,ruby3.2-strptime,0.2.5-r0))
-$(eval $(call build-package,ruby3.2-tzinfo-data,1.2022.7-r0))
-$(eval $(call build-package,ruby3.2-tzinfo,2.0.6-r0))
+$(eval $(call build-package,ruby3.2-tzinfo-data,1.2022.7-r1))
+$(eval $(call build-package,ruby3.2-tzinfo,2.0.6-r1))
 $(eval $(call build-package,ruby3.2-webrick,1.7.0-r0))
-$(eval $(call build-package,ruby3.2-async-http,0.60.1-r0))
-$(eval $(call build-package,ruby3.2-async-pool,0.3.12-r0))
-$(eval $(call build-package,ruby3.2-async,2.3.1-r0))
-$(eval $(call build-package,ruby3.2-console,1.16.2-r0))
+$(eval $(call build-package,ruby3.2-async-http,0.60.1-r1))
+$(eval $(call build-package,ruby3.2-async-pool,0.3.12-r1))
+$(eval $(call build-package,ruby3.2-async,2.3.1-r1))
+$(eval $(call build-package,ruby3.2-console,1.16.2-r1))
 $(eval $(call build-package,ruby3.2-io-event,1.1.6-r0))
-$(eval $(call build-package,ruby3.2-protocol-http1,0.15.0-r0))
-$(eval $(call build-package,ruby3.2-protocol-http2,0.15.1-r0))
+$(eval $(call build-package,ruby3.2-protocol-http1,0.15.0-r1))
+$(eval $(call build-package,ruby3.2-protocol-http2,0.15.1-r1))
 $(eval $(call build-package,ruby3.2-protocol-http,0.24.1-r0))
 $(eval $(call build-package,ruby3.2-timers,4.3.5-r0))
 $(eval $(call build-package,ruby3.2-traces,0.8.0-r0))
@@ -452,22 +462,42 @@ $(eval $(call build-package,ruby3.2-concurrent-ruby,1.2.0-r0))
 $(eval $(call build-package,ruby3.2-http_parser.rb,0.8.0-r0))
 $(eval $(call build-package,ruby3.2-protocol-hpack,1.4.2-r0))
 $(eval $(call build-package,ruby3.2-yajl-ruby,1.4.3-r0))
+$(eval $(call build-package,gomplate,3.11.4-r1))
+$(eval $(call build-package,dex,2.35.3-r2))
 $(eval $(call build-package,gradle-stage0,8.0.1-r0))
 $(eval $(call build-package,gradle-8,8.0.1-r0))
-$(eval $(call build-package,python-3.12,3.12.0_alpha5-r2))
-$(eval $(call build-package,golangci-lint,1.51.1-r0))
+$(eval $(call build-package,python-3.12,3.12.0_alpha6-r0))
+$(eval $(call build-package,golangci-lint,1.51.1-r1))
 $(eval $(call build-package,doxygen,1.9.6-r0))
 $(eval $(call build-package,jbig2dec,0.19-r0))
-$(eval $(call build-package,dataplaneapi,2.7.2-r0))
-$(eval $(call build-package,wasmtime,6.0.0-r0))
-$(eval $(call build-package,poetry,1.3.2-r0))
-$(eval $(call build-package,zot,1.4.3-r0))
-$(eval $(call build-package,terraform,1.3.9-r0))
-$(eval $(call build-package,prometheus-node-exporter,1.5.0-r1))
+$(eval $(call build-package,dataplaneapi,2.7.2-r1))
 $(eval $(call build-package,rekor-cli,1.0.1-r0))
 $(eval $(call build-package,rekor-server,1.0.1-r0))
-$(eval $(call build-package,prometheus-alertmanager,0.25.0-r0))
-$(eval $(call build-package,prometheus-mysqld-exporter,0.14.0-r0))
+$(eval $(call build-package,wasmtime,6.0.1-r0))
+$(eval $(call build-package,poetry,1.3.2-r0))
+$(eval $(call build-package,zot,1.4.3-r2))
+$(eval $(call build-package,terraform,1.3.9-r2))
+$(eval $(call build-package,prometheus-node-exporter,1.5.0-r2))
+$(eval $(call build-package,prometheus-alertmanager,0.25.0-r1))
+$(eval $(call build-package,prometheus-mysqld-exporter,0.14.0-r1))
+$(eval $(call build-package,socat,1.7.4.4-r0))
+$(eval $(call build-package,sbt-stage0,1.8.2-r0))
+$(eval $(call build-package,sbt,1.8.2-r0))
+$(eval $(call build-package,kafka,3.4.0-r0))
+$(eval $(call 
build-package,ctop,0.7.7-r0)) +$(eval $(call build-package,dhcping,1.2-r0)) +$(eval $(call build-package,grpcurl,1.8.7-r0)) +$(eval $(call build-package,iperf,2.1.8-r0)) +$(eval $(call build-package,iperf3,3.13-r0)) +$(eval $(call build-package,libmnl,1.0.5-r0)) +$(eval $(call build-package,libnet,1.2-r0)) +$(eval $(call build-package,libpcap,1.10.3-r0)) +$(eval $(call build-package,libssh,0.10.4-r0)) +$(eval $(call build-package,zookeeper,3.8.1-r0)) +$(eval $(call build-package,nats-server,2.9.15-r0)) +$(eval $(call build-package,nats,0.0.35-r0)) +$(eval $(call build-package,nsc,2.7.8-r0)) +$(eval $(call build-package,json-c,0.16-r0)) .build-packages: ${PACKAGES} diff --git a/apko.yaml b/apko.yaml index 2147e8d6671..f04001c9870 100644 --- a/apko.yaml +++ b/apko.yaml @@ -1,7 +1,7 @@ package: name: apko version: 0.7.1 - epoch: 0 + epoch: 1 description: Build OCI images using APK directly without Dockerfile copyright: - license: Apache-2.0 diff --git a/bom.yaml b/bom.yaml index 1d8102bcac4..66c23d38481 100644 --- a/bom.yaml +++ b/bom.yaml @@ -1,7 +1,7 @@ package: name: bom version: 0.4.1 - epoch: 1 + epoch: 2 description: A utility to generate SPDX-compliant Bill of Materials manifests copyright: - license: Apache-2.0 diff --git a/calicoctl.yaml b/calicoctl.yaml index 9d0939c17fd..d83cb7842d0 100644 --- a/calicoctl.yaml +++ b/calicoctl.yaml @@ -1,7 +1,7 @@ package: name: calicoctl version: 3.25.0 - epoch: 0 + epoch: 1 description: "CLI tool that allows management of Calico API resources" copyright: - license: Apache-2.0 @@ -32,4 +32,4 @@ pipeline: mkdir -p ${{targets.destdir}}/usr/bin go build -v -o ${{targets.destdir}}/usr/bin/calicoctl -ldflags "$LDFLAGS" "./calicoctl/calicoctl/calicoctl.go" - - uses: strip \ No newline at end of file + - uses: strip diff --git a/cosign.yaml b/cosign.yaml index 8989d00c102..43e0f12d5aa 100644 --- a/cosign.yaml +++ b/cosign.yaml 
@@ -1,7 +1,7 @@ package: name: cosign version: 2.0.0 - epoch: 0 + epoch: 1 description: Container Signing copyright: - license: Apache-2.0 diff --git a/crane.yaml b/crane.yaml index f7b7d0c3a9a..44ec38c145c 100644 --- a/crane.yaml +++ b/crane.yaml @@ -1,7 +1,7 @@ package: name: crane - version: 0.13.0 - epoch: 1 + version: 0.14.0 + epoch: 0 description: Tool for interacting with remote images and registries. copyright: - license: Apache-2.0 @@ -18,7 +18,7 @@ pipeline: - uses: fetch with: uri: https://github.com/google/go-containerregistry/archive/v${{package.version}}/v${{package.version}}.tar.gz - expected-sha256: e5946a3cab514085278386cf9962a3591def359dbc213c06e7a53501766590fd + expected-sha256: 33ce5a1745c595b8cf7d9f231b7b7c8fea22a5f71c386fc8325d0e0c18bf686d - runs: | CGO_ENABLED=0 go build \ -trimpath -ldflags \ diff --git a/ctop.yaml b/ctop.yaml new file mode 100644 index 00000000000..77ad8e456ce --- /dev/null +++ b/ctop.yaml @@ -0,0 +1,29 @@ +package: + name: ctop + version: 0.7.7 + epoch: 0 + description: Top-like interface for container metrics + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: MIT +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - go + - git +pipeline: + - uses: fetch + with: + expected-sha512: 9924c4dc5da489f90b029bc8060e759edf02a170e17bbc9f9c29b6536e5bc3e5eec69af829c7662a1f69cd331fc24022cae8b30e865a07742fd7e3623bc7f33f + uri: https://github.com/bcicen/ctop/archive/refs/tags/v${{package.version}}.tar.gz + - runs: | + make build + install -Dm755 ctop "${{targets.destdir}}"/usr/bin/ctop \ No newline at end of file diff --git a/curl.yaml b/curl.yaml index 316d2327f87..23df71eff85 100644 --- a/curl.yaml +++ b/curl.yaml @@ -5,6 +5,7 @@ package: description: "URL retrieval utility and library" copyright: - license: MIT + secfixes: 7.87.0-r0: - CVE-2022-43551 
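Review bot: `attestation: TODO` in the copyright block of the new ctop.yaml leaves the provenance field as a placeholder, and this same commit adds ctop to the Makefile build list, so the package will ship that way; either fill the field in or drop it, as the new grpcurl.yaml in this commit does (dhcping.yaml carries the same placeholder). The environment lists `automake` although the recipe only runs `make build` and `install`, so that build dependency looks unused, and unlike grpcurl.yaml and crane.yaml there is no trailing `- uses: strip` step. `make build` also delegates the `go build` flags to the upstream Makefile, so the `CGO_ENABLED=0`/`-trimpath` settings crane.yaml applies are presumably not in effect here — worth confirming against the upstream Makefile or invoking `go build` directly as grpcurl.yaml does.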
@@ -12,6 +13,7 @@ secfixes: 7.86.0-r0: - CVE-2022-42916 - CVE-2022-32221 + environment: contents: packages: @@ -24,6 +26,7 @@ environment: - zlib-dev - brotli-dev - rustls-ffi + pipeline: - uses: fetch with: @@ -57,6 +60,7 @@ pipeline: - runs: | make install DESTDIR="/home/build/curl-rustls" - uses: strip + subpackages: - name: "curl-dev" description: "headers for libcurl" @@ -89,6 +93,7 @@ subpackages: - runs: | mkdir -p "${{targets.subpkgdir}}"/usr/lib mv "/home/build/curl-rustls"/usr/lib/libcurl.so.* "${{targets.subpkgdir}}"/usr/lib/ + advisories: CVE-2022-32221: - timestamp: 2022-12-09T12:10:34-05:00 @@ -99,10 +104,10 @@ advisories: status: fixed fixed-version: 7.86.0-r0 CVE-2022-43551: - - timestamp: 2022-12-21T13:16:36+00:00 + - timestamp: 2022-12-21T13:16:36Z status: fixed fixed-version: 7.87.0-r0 CVE-2022-43552: - - timestamp: 2022-12-21T13:16:36+00:00 + - timestamp: 2022-12-21T13:16:36Z status: fixed fixed-version: 7.87.0-r0 diff --git a/dataplaneapi.yaml b/dataplaneapi.yaml index 87d7d44f4d9..8a11288d663 100644 --- a/dataplaneapi.yaml +++ b/dataplaneapi.yaml @@ -1,7 +1,7 @@ package: name: dataplaneapi version: 2.7.2 - epoch: 0 + epoch: 1 description: HAProxy Data Plane API copyright: - license: Apache-2.0 diff --git a/delve.yaml b/delve.yaml index a981fcdada5..d77b8b0cde0 100644 --- a/delve.yaml +++ b/delve.yaml @@ -1,7 +1,7 @@ package: name: delve version: 1.20.1 - epoch: 1 + epoch: 2 description: Delve is a debugger for the Go programming language. copyright: - license: MIT diff --git a/deno.yaml b/deno.yaml index 9470522ce5f..68353480608 100644 --- a/deno.yaml +++ b/deno.yaml @@ -1,10 +1,11 @@ package: name: deno - version: 1.31.1 + version: 1.31.3 epoch: 0 description: "A modern runtime for JavaScript and TypeScript." copyright: - license: MIT + environment: contents: packages: 
@@ -18,22 +19,25 @@ environment: - glibc-dev - posix-libc-utils - bash + pipeline: - uses: fetch with: uri: https://github.com/denoland/deno/releases/download/v${{package.version}}/deno_src.tar.gz - expected-sha256: d39666180142d936e187c9eb9e2037e1db246c387b0d50ad2d7fed37271856ba + expected-sha256: 94746cfdc02333e7b47a1154784aeb2b1eef30b42ba285d77e62f92958442d30 - name: Configure and build runs: | cargo build --release -vv mkdir -p ${{targets.destdir}}/usr/bin/ mv target/release/deno ${{targets.destdir}}/usr/bin/ - uses: strip + advisories: CVE-2023-22499: - timestamp: 2023-02-11T12:51:24.232894-05:00 status: fixed fixed-version: 1.30.0-r0 + secfixes: 1.30.0-r0: - CVE-2023-22499 diff --git a/dex.yaml b/dex.yaml index b6f232c4a86..6a60e2117bf 100644 --- a/dex.yaml +++ b/dex.yaml @@ -2,7 +2,7 @@ package: name: dex # When bumping the version check if the GHSA mitigations below can be removed. version: 2.35.3 - epoch: 1 + epoch: 2 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors copyright: - license: Apache-2.0 diff --git a/dhcping.yaml b/dhcping.yaml new file mode 100644 index 00000000000..452d51ef27b --- /dev/null +++ b/dhcping.yaml @@ -0,0 +1,36 @@ +package: + name: dhcping + version: 1.2 + epoch: 0 + description: dhcp daemon ping program + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: BSD-2-Clause +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf +pipeline: + - uses: fetch + with: + expected-sha256: 32ef86959b0bdce4b33d4b2b216eee7148f7de7037ced81b2116210bc7d3646a + uri: http://www.mavetju.org/download/dhcping-${{package.version}}.tar.gz + - uses: patch + with: + patches: fix-endless-getopt-loop.patch + - uses: autoconf/configure + with: + opts: | + --host=${{host.triplet.gnu}} \ + --build=${{host.triplet.gnu}} + - uses: autoconf/make + - uses: autoconf/make-install + - uses: strip 
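Review bot: The fetch step in the new dhcping.yaml downloads the source over plain HTTP (`uri: http://www.mavetju.org/download/dhcping-${{package.version}}.tar.gz`), so the pinned `expected-sha256` is the only integrity control on that download; if the host offers HTTPS switch the scheme, otherwise leave a comment recording that the pin is deliberate, e.g. `# upstream serves HTTP only; integrity rests on expected-sha256`. The `patches: fix-endless-getopt-loop.patch` reference resolves to the dhcping/fix-endless-getopt-loop.patch file added further down in this commit, matching how heimdal.yaml references its patch, so that part is consistent. The `attestation: TODO` placeholder in the copyright block is the same issue raised on ctop.yaml.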
diff --git a/dhcping/fix-endless-getopt-loop.patch b/dhcping/fix-endless-getopt-loop.patch new file mode 100644 index 00000000000..11da8eaa6ed --- /dev/null +++ b/dhcping/fix-endless-getopt-loop.patch @@ -0,0 +1,25 @@ +From 27e74baf97c4669e14b8c690044ab979dc34b2ef Mon Sep 17 00:00:00 2001 +From: Petr Fedchenkov +Date: Tue, 28 Jun 2022 10:54:24 +0300 +Subject: [PATCH] Fix type to not hit endless getopt loop + +Signed-off-by: Petr Fedchenkov +--- + dhcping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dhcping.c b/dhcping.c +index 7eb5ae6..cdce51c 100644 +--- a/dhcping.c ++++ b/dhcping.c +@@ -70,7 +70,7 @@ unsigned char serveridentifier[4]; + int maxwait=3; + + void doargs(int argc,char **argv) { +- char ch; ++ int ch; + + inform=request=verbose=VERBOSE=quiet=0; + ci=gi=server="0.0.0.0"; +-- +2.34.1 diff --git a/docker-credential-ecr-login.yaml b/docker-credential-ecr-login.yaml index d65fefb839c..b306e0a570f 100644 --- a/docker-credential-ecr-login.yaml +++ b/docker-credential-ecr-login.yaml @@ -1,7 +1,7 @@ package: name: docker-credential-ecr-login version: 0.6.0 - epoch: 2 + epoch: 3 description: Credential helper for Docker to use the AWS Elastic Container Registry copyright: - license: Apache-2.0 diff --git a/etcd.yaml b/etcd.yaml index db0f89e67fe..7b0af31ef5d 100644 --- a/etcd.yaml +++ b/etcd.yaml @@ -1,7 +1,7 @@ package: name: etcd version: 3.5.7 - epoch: 1 + epoch: 2 description: A highly-available key value store for shared configuration and service discovery. copyright: - license: Apache-2.0 diff --git a/flux.yaml b/flux.yaml index 4837fccb794..9824b42e063 100644 --- a/flux.yaml +++ b/flux.yaml @@ -1,7 +1,7 @@ package: name: flux - version: 0.40.2 - epoch: 0 + version: 0.41.1 + epoch: 1 description: Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit. copyright: - license: Apache-2.0 
@@ -20,7 +20,7 @@ pipeline: - uses: fetch with: uri: https://github.com/fluxcd/flux2/archive/v${{package.version}}/v${{package.version}}.tar.gz - expected-sha256: 9bfa38503352e638e16cc5b4ca297ae5e42789526bcd06b5bf60d8e4a47534ae + expected-sha256: 1e875dba2c25911d0ca98781f54023a9c9020a9ec94c0f290d50adf19972c2fc - runs: | mkdir -p "${{targets.destdir}}"/usr/bin VERSION=${{package.version}} make build diff --git a/git-lfs.yaml b/git-lfs.yaml index 612102104e5..1f27a2c1dfd 100644 --- a/git-lfs.yaml +++ b/git-lfs.yaml @@ -1,7 +1,7 @@ package: name: git-lfs version: 3.3.0 - epoch: 5 + epoch: 6 description: "large file support for git" copyright: - license: MIT diff --git a/git.yaml b/git.yaml index cd5152b9c2c..7857e102170 100644 --- a/git.yaml +++ b/git.yaml @@ -1,7 +1,7 @@ package: name: git - version: 2.39.2 - epoch: 1 + version: 2.40.0 + epoch: 0 description: "distributed version control system" copyright: - license: GPL-2.0-or-later @@ -36,7 +36,7 @@ pipeline: - uses: fetch with: uri: https://www.kernel.org/pub/software/scm/git/git-${{package.version}}.tar.xz - expected-sha256: 475f75f1373b2cd4e438706185175966d5c11f68c4db1e48c26257c43ddcf2d6 + expected-sha256: b17a598fbf58729ef13b577465eb93b2d484df1201518b708b5044ff623bf46d - runs: | cat >> config.mak <<-EOF NO_GETTEXT=YesPlease diff --git a/gitsign.yaml b/gitsign.yaml index 9871cd52bd2..501e28fd01b 100644 --- a/gitsign.yaml +++ b/gitsign.yaml @@ -1,7 +1,7 @@ package: name: gitsign version: 0.5.2 - epoch: 0 + epoch: 1 description: Keyless Git signing with Sigstore! copyright: - license: Apache-2.0 diff --git a/go-1.19.yaml b/go-1.19.yaml index 84dde3eb28d..eca379fe3a4 100644 --- a/go-1.19.yaml +++ b/go-1.19.yaml @@ -1,7 +1,7 @@ package: name: go-1.19 - version: 1.19.6 - epoch: 1 + version: 1.19.7 + epoch: 0 description: "the Go programming language" copyright: - license: BSD-3-Clause 
@@ -21,6 +21,10 @@ secfixes: 1.19.4-r0: - CVE-2022-41717 - CVE-2022-41720 + 1.19.6-r1: + - CVE-2022-41723 + 1.19.7-r0: + - CVE-2023-24532 environment: contents: @@ -39,7 +43,7 @@ pipeline: - uses: fetch with: uri: https://go.dev/dl/go${{package.version}}.src.tar.gz - expected-sha256: d7f0013f82e6d7f862cc6cb5c8cdb48eef5f2e239b35baa97e2f1a7466043767 + expected-sha256: 775bdf285ceaba940da8a2fe20122500efd7a0b65dbcee85247854a8d7402633 strip-components: 0 - runs: | cd go/src @@ -106,3 +110,11 @@ advisories: - timestamp: 2022-12-07T08:11:39Z status: fixed fixed-version: 1.19.4-r0 + CVE-2022-41723: + - timestamp: 2023-03-10T10:37:34.372665-05:00 + status: fixed + fixed-version: 1.19.6-r1 + CVE-2023-24532: + - timestamp: 2023-03-10T10:43:49.770471-05:00 + status: fixed + fixed-version: 1.19.7-r0 diff --git a/go-1.20.yaml b/go-1.20.yaml index 1892d0c8ef3..e36b0fdcff9 100644 --- a/go-1.20.yaml +++ b/go-1.20.yaml @@ -1,7 +1,7 @@ package: name: go-1.20 - version: 1.20.1 - epoch: 1 + version: 1.20.2 + epoch: 0 description: "the Go programming language" copyright: - license: BSD-3-Clause @@ -17,6 +17,10 @@ secfixes: "0": - CVE-2020-29509 - CVE-2020-29511 + 1.20.1-r1: + - CVE-2022-41723 + 1.20.2-r0: + - CVE-2023-24532 environment: contents: @@ -31,7 +35,7 @@ pipeline: - uses: fetch with: uri: https://go.dev/dl/go${{package.version}}.src.tar.gz - expected-sha256: b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2 + expected-sha256: 4d0e2850d197b4ddad3bdb0196300179d095bb3aefd4dfbc3b36702c3728f8ab strip-components: 0 - runs: | cd go/src @@ -94,3 +98,11 @@ advisories: - timestamp: 2023-03-04T21:45:58.722232-05:00 status: not_affected justification: vulnerable_code_not_in_execute_path + CVE-2022-41723: + - timestamp: 2023-03-10T10:38:17.029502-05:00 + status: fixed + fixed-version: 1.20.1-r1 + CVE-2023-24532: + - timestamp: 2023-03-10T10:43:37.274724-05:00 + status: fixed + fixed-version: 1.20.2-r0 
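Review bot: The advisory entries added to go-1.19.yaml record timestamps with a local offset (`timestamp: 2023-03-10T10:37:34.372665-05:00`) while curl.yaml in this same commit is being normalized to the UTC form (`timestamp: 2022-12-21T13:16:36Z`); the same applies to the CVE-2022-41723/CVE-2023-24532 entries in go-1.20.yaml and the CVE-2022-45142 entries in heimdal.yaml. Settling on one representation — `Z` is the direction curl.yaml takes — keeps advisory tooling from having to parse mixed offsets when sorting or comparing entries. The new secfixes keys `1.19.6-r1` and `1.20.1-r1` backfill builds that predate this commit (the Makefile's old side already lists go-1.19 at 1.19.6-r1 and go-1.20 at 1.20.1-r1); that is fine, but a comment such as `# 1.19.6-r1 entry backfilled after the fact` would stop a reader from taking the gap for a missing release.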
diff --git a/go-bindata.yaml b/go-bindata.yaml index 8f8be11d758..089f32c7914 100644 --- a/go-bindata.yaml +++ b/go-bindata.yaml @@ -1,7 +1,7 @@ package: name: go-bindata version: 3.1.3 - epoch: 2 + epoch: 3 description: A small utility which generates Go code from any file copyright: - license: Apache-2.0 diff --git a/golangci-lint.yaml b/golangci-lint.yaml index fbe3dd0b0cb..ab4b8f11906 100644 --- a/golangci-lint.yaml +++ b/golangci-lint.yaml @@ -1,7 +1,7 @@ package: name: golangci-lint version: 1.51.1 - epoch: 0 + epoch: 1 description: Fast linters Runner for Go copyright: - license: Apache-2.0 @@ -26,4 +26,4 @@ pipeline: - runs: | make build mkdir -p ${{targets.destdir}}/usr/bin/ - cp ./golangci-lint ${{targets.destdir}}/usr/bin/golangci-lint \ No newline at end of file + cp ./golangci-lint ${{targets.destdir}}/usr/bin/golangci-lint diff --git a/gomplate.yaml b/gomplate.yaml index 1a591cd347e..0cc283dc2fc 100644 --- a/gomplate.yaml +++ b/gomplate.yaml @@ -1,7 +1,7 @@ package: name: gomplate version: 3.11.4 - epoch: 0 + epoch: 1 description: A go templating utility. copyright: - license: MIT diff --git a/goreleaser.yaml b/goreleaser.yaml index 42a7d7131a2..d10a16d6edc 100644 --- a/goreleaser.yaml +++ b/goreleaser.yaml @@ -1,7 +1,7 @@ package: name: goreleaser version: 1.15.2 - epoch: 0 + epoch: 1 description: Deliver Go binaries as fast and easily as possible copyright: - license: Apache-2.0 @@ -14,4 +14,4 @@ environment: pipeline: - uses: go/install with: - package: github.com/goreleaser/goreleaser@v${{package.version}} \ No newline at end of file + package: github.com/goreleaser/goreleaser@v${{package.version}} diff --git a/grpcurl.yaml b/grpcurl.yaml new file mode 100644 index 00000000000..5c30cb388ff --- /dev/null +++ b/grpcurl.yaml 
@@ -0,0 +1,32 @@ +package: + name: grpcurl + version: 1.8.7 + epoch: 0 + description: CLI tool to interact with gRPC servers + target-architecture: + - all + copyright: + - license: MIT + paths: + - "*" + dependencies: + runtime: + - ca-certificates-bundle + +environment: + contents: + packages: + - ca-certificates-bundle + - busybox + - go + - build-base + +pipeline: + - uses: fetch + with: + expected-sha256: 7f7a59f8a5ef8833d30a94e1c36ddb0d76bab1ae64cd5c8bcb87d42e877c3bca + uri: https://github.com/fullstorydev/grpcurl/archive/refs/tags/v${{package.version}}.tar.gz + - runs: | + go build -v -ldflags "-X main.version=v${{package.version}}" ./cmd/grpcurl/ + install -Dm755 grpcurl "${{targets.destdir}}"/usr/bin/grpcurl + - uses: strip \ No newline at end of file diff --git a/grype.yaml b/grype.yaml index bb272e2e107..76801c624e7 100644 --- a/grype.yaml +++ b/grype.yaml @@ -1,7 +1,7 @@ package: name: grype - version: 0.59.0 - epoch: 0 + version: 0.59.1 + epoch: 1 description: Vulnerability scanner for container images, filesystems, and SBOMs copyright: - license: Apache-2.0 @@ -15,7 +15,7 @@ pipeline: - uses: fetch with: uri: https://github.com/anchore/grype/archive/v${{package.version}}/grype-${{package.version}}.tar.gz - expected-sha512: dd04055ed749388d3d77966859bb0a0ea732479366f669cedde3db47e05839dcaefc853bd558c24a9f18632729dab24f0fea5ce213939f8f06132382070f32cc + expected-sha512: 8f219ade9d7369f124dd8c035f3bef6ce5055e318d7ab1578f7f98a7fa6e842dad26fae8b2337884d4af3773b2c590b61485a490f98c66dfcbd82ef73d8b766b - runs: | CGO_ENABLED=0 go build \ -ldflags "-X github.com/anchore/grype/internal/version.version=${{package.version}}" \ diff --git a/heimdal.yaml b/heimdal.yaml index 0a6359e331b..ce2c6c675d5 100644 --- a/heimdal.yaml +++ b/heimdal.yaml @@ -1,7 +1,7 @@ package: name: heimdal version: 7.8.0 - epoch: 0 + epoch: 1 description: "Implementation of Kerberos 5" copyright: - license: BSD-3-Clause 
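Review bot: grpcurl.yaml is added without a final newline (the hunk ends with `- uses: strip` followed by `\ No newline at end of file`), while this same commit fixes exactly that in golangci-lint.yaml, goreleaser.yaml and nerdctl.yaml. iperf3.yaml, libmnl.yaml, libnet.yaml, libpcap.yaml and libssh.yaml, also new here, have the same missing trailing newline. Adding it now avoids a whitespace-only follow-up diff on each file. Separately, the `go build` line does not set `CGO_ENABLED=0` the way grype.yaml and ko.yaml in this commit do; if a static binary is intended, it should.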
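Review bot: grype.yaml bumps `version` from 0.59.0 to 0.59.1 but also raises `epoch` from 0 to 1, whereas the other version bumps in this commit (kubectl, kustomize, helm, go-1.20) reset `epoch` to 0 on a new upstream version. ko.yaml (0.12.0-r0 → 0.13.0-r1) and nodejs-18.yaml (18.14.2-r0 → 18.15.0-r1) do the same. Unless 0.59.1-r0 was already published and this is a deliberate rebuild, the line should read `epoch: 0`; if it is a rebuild, a one-line comment saying so would save the next reviewer the same question.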
@@ -19,7 +19,6 @@ environment: - readline-dev - sqlite-dev - texinfo - # - perl-json - gdbm-dev - ncurses-dev - perl @@ -29,6 +28,9 @@ pipeline: with: uri: https://github.com/heimdal/heimdal/releases/download/heimdal-${{package.version}}/heimdal-${{package.version}}.tar.gz expected-sha512: 0167345aca77d65b7a1113874eee5b65ec6e1fec1f196d57e571265409fa35ef95a673a4fd4aafbb0ab5fb5b246b97412353a68d6613a8aff6393a9f1e72999e + - uses: patch + with: + patches: CVE-2022-45142.patch - runs: | ./configure \ --build=$CBUILD \ @@ -54,9 +56,20 @@ subpackages: dependencies: runtime: - heimdal - - name: "heimdal-doc" description: "heimdal manpages" pipeline: - uses: split/manpages - uses: split/infodir + +advisories: + CVE-2022-45142: + - timestamp: 2023-03-15T11:31:20.584188-04:00 + status: under_investigation + - timestamp: 2023-03-15T12:06:34.898053-04:00 + status: fixed + fixed-version: 7.8.0-r1 + +secfixes: + 7.8.0-r1: + - CVE-2022-45142 diff --git a/heimdal/CVE-2022-45142.patch b/heimdal/CVE-2022-45142.patch new file mode 100644 index 00000000000..c9b86b88062 --- /dev/null +++ b/heimdal/CVE-2022-45142.patch 
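Review bot: the new `- uses: patch` step applies `CVE-2022-45142.patch`, but neither this hunk nor the patch file itself records where the patch was taken from; the patch carries only a mail header (`From:`, `Subject: [PATCH v3] ...`), so a reviewer cannot check that the two `== 0` → `!= 0` flips match what upstream or Debian shipped. A short comment above the step, or an `Origin:` line in the patch, naming the URL of the v3 submission or the upstream commit it landed as would give that provenance. The patch's `---`/`+++` paths also carry a `heimdal-7.7.0+dfsg.orig/` prefix, so it only applies if the patch step strips one leading component; worth confirming that matches its default.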
@@ -0,0 +1,42 @@ +From: Helmut Grohne +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +--- heimdal-7.7.0+dfsg.orig/lib/gssapi/krb5/arcfour.c ++++ heimdal-7.7.0+dfsg/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * m + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; diff --git a/helm.yaml b/helm.yaml index 938f6287f92..72ac9f37ebc 100644 --- a/helm.yaml +++ b/helm.yaml @@ -1,8 +1,8 @@ package: name: helm # When you bump this you can remove the CVE mitigations - version: 3.11.1 - epoch: 1 + version: 3.11.2 + epoch: 0 description: The Kubernetes Package Manager copyright: - license: Apache-2.0 
@@ -24,11 +24,11 @@ pipeline: with: repository: https://github.com/helm/helm tag: v${{package.version}} - expected-commit: 293b50c65d4d56187cd4e2f390f0ada46b4c4737 + expected-commit: 912ebc1cd10d38d340f048efaf0abda047c3468e destination: helm - runs: | cd helm - # Mitigate GHSA-259w-8hf6-59c2 and GHSA-hmfx-3pcx-653p and GHSA-vvpx-j8f3-3w6h + # Mitigate GHSA-259w-8hf6-59c2 and GHSA-hmfx-3pcx-653p and GHSA-vvpx-j8f3-3w6h go get github.com/containerd/containerd@v1.6.18 go get golang.org/x/net@v0.7.0 go mod tidy diff --git a/iperf.yaml b/iperf.yaml new file mode 100644 index 00000000000..29ef211d8d6 --- /dev/null +++ b/iperf.yaml @@ -0,0 +1,38 @@ +package: + name: iperf + version: 2.1.8 + epoch: 0 + description: A tool to measure IP bandwidth using UDP or TCP + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: NCSA +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf + - linux-headers +pipeline: + - uses: fetch + with: + expected-sha256: 8e2cf2fbc9d0d4d1cf9d109b1e328459f9622993dc9a4c5a7dc8a2088fb7beaf + uri: https://sourceforge.net/projects/iperf2/files/iperf-${{package.version}}.tar.gz + - uses: autoconf/configure + with: + opts: | + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info + - uses: autoconf/make + - uses: autoconf/make-install + - uses: strip diff --git a/iperf3.yaml b/iperf3.yaml new file mode 100644 index 00000000000..3ef5114604b --- /dev/null +++ b/iperf3.yaml 
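Review bot: the `# Mitigate GHSA-259w-8hf6-59c2 ...` comment and the `go get github.com/containerd/containerd@v1.6.18` / `go get golang.org/x/net@v0.7.0` lines survive this hunk unchanged, although the comment above `version` in the package header says the CVE mitigations can be removed once the version is bumped, and this commit bumps it to 3.11.2. If helm 3.11.2's go.mod already requires those module versions the three lines should go; if it does not, the header comment should say which release actually makes them unnecessary. As written, a reader cannot tell whether the override is still load-bearing.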
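Review bot: iperf.yaml ships `attestation: TODO` under `copyright`, so the placeholder becomes part of the published package metadata. iperf3.yaml, libmnl.yaml, libnet.yaml, libpcap.yaml and libssh.yaml in this commit carry the same placeholder, while kafka.yaml leaves the field empty. Either fill it in, drop the field, or use one consistent form across the new packages.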
@@ -0,0 +1,47 @@ +package: + name: iperf3 + version: 3.13 + epoch: 0 + description: A tool to measure IP bandwidth using UDP or TCP + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: BSD-3-Clause-LBNL +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf + - openssl-dev +pipeline: + - uses: fetch + with: + expected-sha256: a49d23fe0d3b1482047ad7f3b9e384c69657a63b486c4e3f0ce512a077d94434 + uri: https://github.com/esnet/iperf/archive/${{package.version}}.tar.gz + - uses: autoconf/configure + with: + opts: | + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --disable-static + - uses: autoconf/make + - uses: autoconf/make-install + - uses: strip +subpackages: + - name: "iperf3-dev" + description: "headers for iperf3" + pipeline: + - uses: split/dev + dependencies: + runtime: + - iperf3 \ No newline at end of file diff --git a/jenkins.yaml b/jenkins.yaml index cf62c93a425..0d57601bdc5 100644 --- a/jenkins.yaml +++ b/jenkins.yaml @@ -1,6 +1,6 @@ package: name: jenkins - version: "2.394" + version: "2.395" epoch: 0 description: copyright: @@ -8,6 +8,7 @@ package: dependencies: runtime: - ttf-dejavu + environment: contents: packages: @@ -27,11 +28,12 @@ environment: - git - patch - ttf-dejavu + pipeline: - uses: fetch with: uri: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-${{package.version}}.tar.gz - expected-sha256: 50bb23b6f0382823a16255eda0e9fcf29c05986ab3fd0c0b9cd0df73571930f8 + expected-sha256: f5a0a28e2d9941893540bd30fda315e33fad1072ccf86cc26599e5ee7095192a - uses: patch with: patches: ignoreArchiveNotReadableTest.patch 
@@ -46,3 +48,13 @@ pipeline: mkdir -p ${{targets.destdir}}/usr/share/java/jenkins mv war/target/jenkins.war ${{targets.destdir}}/usr/share/java/jenkins/ + +advisories: + CVE-2023-27898: + - timestamp: 2023-03-11T18:35:43.356601-05:00 + status: fixed + fixed-version: 2.394-r0 + +secfixes: + 2.394-r0: + - CVE-2023-27898 diff --git a/json-c.yaml b/json-c.yaml new file mode 100644 index 00000000000..3b259a488d4 --- /dev/null +++ b/json-c.yaml @@ -0,0 +1,41 @@ +# Generated from https://git.alpinelinux.org/aports/plain/main/json-c/APKBUILD +package: + name: json-c + version: "0.16" + epoch: 0 + description: A JSON implementation in C + copyright: + - license: MIT +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - cmake + - doxygen + - samurai +pipeline: + - uses: fetch + with: + expected-sha256: 8e45ac8f96ec7791eaf3bb7ee50e9c2100bbbc87b8d0f1d030c5ba8a0288d96b + uri: https://s3.amazonaws.com/json-c_releases/releases/json-c-${{package.version}}.tar.gz + - uses: cmake/configure + - uses: cmake/build + - uses: cmake/install + - uses: strip +subpackages: + - name: json-c-dev + pipeline: + - uses: split/dev + dependencies: + runtime: + - json-c + description: json-c dev + - name: json-c-doc + pipeline: + - uses: split/manpages + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/share/doc/json-c + mv doc/html "${{targets.subpkgdir}}"/usr/share/doc/json-c + description: json-c doc diff --git a/kafka.yaml b/kafka.yaml new file mode 100644 index 00000000000..038f1350587 --- /dev/null +++ b/kafka.yaml 
@@ -0,0 +1,45 @@ +package: + name: kafka + version: "3.4.0" + epoch: 0 + description: + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: + license: Apache-2.0 + dependencies: + runtime: + - bash # some helper scripts use bash + - openjdk-11-jre +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - curl + - gradle + - sbt +pipeline: + - uses: git-checkout + with: + repository: https://github.com/apache/kafka + tag: ${{package.version}} + expected-commit: 2e1947d240607d53f071f61c875cfffc3fec47fe + - runs: | + export LANG=en_US.UTF-8 + + ./gradlew clean releaseTarGz + + tar -xf core/build/distributions/kafka_2.13-${{package.version}}.tgz + + mkdir -p ${{targets.destdir}}/usr/lib/kafka + + mv kafka_2.13-${{package.version}}/bin ${{targets.destdir}}/usr/lib/kafka + mv kafka_2.13-${{package.version}}/libs ${{targets.destdir}}/usr/lib/kafka + mv kafka_2.13-${{package.version}}/config ${{targets.destdir}}/usr/lib/kafka + + # Clean up windows + rm -rf ${{targets.destdir}}/usr/lib/kafka/bin/*.bat diff --git a/kind.yaml b/kind.yaml index c189c2d4e5d..86f8fb274ff 100644 --- a/kind.yaml +++ b/kind.yaml @@ -1,7 +1,7 @@ package: name: kind version: 0.17.0 - epoch: 1 + epoch: 2 description: Kubernetes IN Docker - local clusters for testing Kubernetes copyright: - license: Apache-2.0 diff --git a/ko.yaml b/ko.yaml index 60314d849c2..66a43993511 100644 --- a/ko.yaml +++ b/ko.yaml @@ -1,7 +1,7 @@ package: name: ko - version: 0.12.0 - epoch: 0 + version: 0.13.0 + epoch: 1 description: Simple, fast container image builder for Go applications. copyright: - license: Apache-2.0 
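Review bot: the build step runs `./gradlew clean releaseTarGz`, i.e. the Gradle wrapper, which fetches the Gradle distribution named in the checkout's `gradle/wrapper/gradle-wrapper.properties` instead of using the `gradle` package listed under `environment.contents.packages`. The source is pinned with `expected-commit`, but that wrapper download is only checksum-verified if the properties file sets `distributionSha256Sum`; worth confirming, or invoking the system `gradle` instead so the toolchain comes from the declared environment. `description:` is also left empty, and `sbt` does not appear to be used by the pipeline as written.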
@@ -9,9 +9,18 @@ package: environment: contents: packages: - - git + - ca-certificates-bundle + - busybox + - go pipeline: - - uses: go/install + - uses: git-checkout with: - package: github.com/google/ko@v${{package.version}} + repository: https://github.com/ko-build/ko + tag: v${{package.version}} + expected-commit: e22e7a15ffb988adc14c3fc6a964f61ed711812f + destination: ko + - runs: | + cd ko + CGO_ENABLED=0 go build -ldflags="-s -w -X github.com/google/ko/pkg/commands.Version=${{package.version}}" + install -m755 -D ./ko "${{targets.destdir}}"/usr/bin/ko diff --git a/kubectl.yaml b/kubectl.yaml index 639ebcce01e..f6ff9153105 100644 --- a/kubectl.yaml +++ b/kubectl.yaml @@ -1,7 +1,7 @@ package: name: kubectl - version: 1.26.1 - epoch: 1 + version: 1.26.2 + epoch: 0 description: Command-line interface for Kubernetes copyright: - license: Apache-2.0 @@ -24,7 +24,7 @@ pipeline: - uses: fetch with: uri: https://github.com/kubernetes/kubernetes/archive/v${{package.version}}.tar.gz - expected-sha256: 0e19d477b5123c74d12bb46bc72e5b6f4c407473af3772ef31cfff3a1d64d311 + expected-sha256: 7a50f0a8f0b649922f021f811d6ace8c282d09a0e3a30fa69d86b6c28eb51fd1 - runs: | make kubectl mkdir -p ${{targets.destdir}}/usr/bin/ diff --git a/kubescape.yaml b/kubescape.yaml index 89595f91244..785c3870bbe 100644 --- a/kubescape.yaml +++ b/kubescape.yaml @@ -1,7 +1,7 @@ package: name: kubescape version: 2.0.183 - epoch: 1 + epoch: 2 description: "Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources." copyright: - license: Apache-2.0 AND MIT 
@@ -21,7 +21,7 @@ pipeline: with: repository: https://github.com/kubescape/kubescape tag: v${{package.version}} - expected-commit: b772588e96d36449cc43db08efa46d3d5606db0d + expected-commit: 63083ae48a9f120cefb7e4067a1e07961e658bee destination: kubescape - runs: | cd kubescape @@ -30,4 +30,3 @@ pipeline: python3 --version && python3 build.py install -Dm755 ./build/ubuntu-latest/kubescape ${{targets.destdir}}/usr/bin/kubescape - uses: strip - diff --git a/kubevela.yaml b/kubevela.yaml index 31e80e44865..d0661c835bc 100644 --- a/kubevela.yaml +++ b/kubevela.yaml @@ -1,7 +1,7 @@ package: name: kubevela version: 1.7.0 - epoch: 1 + epoch: 2 description: KubeVela is a modern application delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable copyright: - license: Apache-2.0 diff --git a/kustomize.yaml b/kustomize.yaml index 0f434bf5c84..dceca9576fd 100644 --- a/kustomize.yaml +++ b/kustomize.yaml @@ -1,7 +1,7 @@ package: name: kustomize - version: 5.0.0 - epoch: 1 + version: 5.0.1 + epoch: 0 description: Customization of kubernetes YAML configurations copyright: - license: Apache-2.0 @@ -18,7 +18,7 @@ pipeline: - uses: fetch with: uri: https://github.com/kubernetes-sigs/kustomize/archive/refs/tags/kustomize/v${{package.version}}.tar.gz - expected-sha256: c2235c70854ca11522ab89df295b694ffc975fa440534baf208f12c957681ede + expected-sha256: fd1d3173e2fea04441bada0308e74b184784575c1f05a92064072fe37ad0e765 - uses: go/build with: packages: ./kustomize diff --git a/kyverno-cli.yaml b/kyverno-cli.yaml index 7ddb34c3feb..f125911596a 100644 --- a/kyverno-cli.yaml +++ b/kyverno-cli.yaml @@ -1,7 +1,7 @@ package: name: kyverno-cli version: 1.8.5 - epoch: 0 + epoch: 1 description: Kubernetes Native Policy Management CLI copyright: - license: Apache-2.0 diff --git a/libarchive.yaml b/libarchive.yaml index 8eb07ed75c4..d47e6c20390 100644 --- a/libarchive.yaml +++ b/libarchive.yaml 
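Review bot: `expected-commit` changes from `b772588e96d36449cc43db08efa46d3d5606db0d` to `63083ae48a9f120cefb7e4067a1e07961e658bee` while `tag: v${{package.version}}` still resolves to v2.0.183, so the same tag now pins a different commit. A moved tag is exactly what `expected-commit` exists to detect, so the reason for the new hash (upstream re-tagged, or the previous pin was wrong) should be recorded in the commit message or a comment beside the line, otherwise the bump to `epoch: 2` is not auditable.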
@@ -5,6 +5,7 @@ package: description: "multi-format archive and compression library" copyright: - license: BSD-2-Clause + environment: contents: packages: @@ -21,9 +22,11 @@ environment: - attr-dev - openssl-dev - expat-dev + secfixes: 3.6.1-r2: - CVE-2022-36227 + pipeline: - uses: fetch with: @@ -35,6 +38,7 @@ pipeline: - uses: autoconf/make - uses: autoconf/make-install - uses: strip + subpackages: - name: "libarchive-doc" description: "libarchive documentation" @@ -54,8 +58,9 @@ subpackages: - runs: | mkdir -p "${{targets.subpkgdir}}"/usr/bin mv "${{targets.destdir}}"/usr/bin/bsd* "${{targets.subpkgdir}}"/usr/bin/ + advisories: CVE-2022-36227: - - timestamp: 2022-12-06T16:23:01+00:00 + - timestamp: 2022-12-06T16:23:01Z status: fixed fixed-version: 3.6.1-r2 diff --git a/libmnl.yaml b/libmnl.yaml new file mode 100644 index 00000000000..c1ab56aa6a1 --- /dev/null +++ b/libmnl.yaml @@ -0,0 +1,49 @@ +package: + name: libmnl + version: 1.0.5 + epoch: 0 + description: Library for minimalistic netlink + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: LGPL-2.1-or-later +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf + - linux-headers + +pipeline: + - uses: fetch + with: + expected-sha256: 274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525 + uri: https://www.netfilter.org/projects/libmnl/files/libmnl-${{package.version}}.tar.bz2 + - uses: patch + with: + patches: musl-fix-headers.patch + - uses: autoconf/configure + with: + opts: | + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --enable-static + - uses: autoconf/make + - uses: autoconf/make-install + - uses: strip + +subpackages: + - name: "libmnl-dev" + description: "headers for libmnl" + pipeline: + - uses: split/dev + dependencies: + runtime: + - libmnl \ No newline at end of file 
diff --git a/libmnl/musl-fix-headers.patch b/libmnl/musl-fix-headers.patch new file mode 100644 index 00000000000..e3b0a9aa269 --- /dev/null +++ b/libmnl/musl-fix-headers.patch @@ -0,0 +1,13 @@ +diff --git a/examples/netfilter/nfct-daemon.c b/examples/netfilter/nfct-daemon.c +index a97c2ec..e3bb17a 100644 +--- a/examples/netfilter/nfct-daemon.c ++++ b/examples/netfilter/nfct-daemon.c +@@ -20,6 +20,8 @@ + #include + + #include ++#include ++#include + + struct nstats { + LIST_ENTRY(nstats) list; \ No newline at end of file diff --git a/libnet.yaml b/libnet.yaml new file mode 100644 index 00000000000..86a738b57f9 --- /dev/null +++ b/libnet.yaml @@ -0,0 +1,47 @@ +package: + name: libnet + version: 1.2 + epoch: 0 + description: A generic networking API that provides access to several protocols + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: BSD-2-Clause +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf +pipeline: + - uses: fetch + with: + expected-sha256: caa4868157d9e5f32e9c7eac9461efeff30cb28357f7f6bf07e73933fb4edaa7 + uri: https://github.com/libnet/libnet/releases/download/v${{package.version}}/libnet-${{package.version}}.tar.gz + - uses: patch + with: + patches: fix-types.patch + - uses: autoconf/configure + with: + opts: | + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --with-link-layer=linux + - uses: autoconf/make + - uses: autoconf/make-install + - uses: strip + - runs: tree +subpackages: + - name: "libnet-dev" + description: "headers for libnet" + pipeline: + - uses: split/dev + dependencies: + runtime: + - libnet \ No newline at end of file diff --git a/libnet/fix-types.patch b/libnet/fix-types.patch new file mode 100644 index 00000000000..a67e4a7a37d --- /dev/null +++ b/libnet/fix-types.patch 
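Review bot: libnet.yaml's pipeline ends with `- runs: tree` after `- uses: strip`, a directory listing that looks like leftover debugging: it produces no output files, and `tree` is not among the declared `environment.contents.packages` (busybox, ca-certificates-bundle, build-base, automake, autoconf), so unless one of those happens to provide it the step fails the build. Drop the step.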
@@ -0,0 +1,14 @@ +--- a/include/libnet/libnet-structures.h ++++ b/include/libnet/libnet-structures.h +@@ -49,9 +49,9 @@ + /* libnet statistics structure */ + struct libnet_stats + { +- __int64_t packets_sent; /* packets sent */ +- __int64_t packet_errors; /* packets errors */ +- __int64_t bytes_written; /* bytes written */ ++ int64_t packets_sent; /* packets sent */ ++ int64_t packet_errors; /* packets errors */ ++ int64_t bytes_written; /* bytes written */ + }; + diff --git a/libpcap.yaml b/libpcap.yaml new file mode 100644 index 00000000000..d0d70fd00ed --- /dev/null +++ b/libpcap.yaml @@ -0,0 +1,54 @@ +package: + name: libpcap + version: 1.10.3 + epoch: 0 + description: A system-independent interface for user-level packet capture + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: BSD-3-Clause +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf + - bison + - flex + - linux-headers +pipeline: + - uses: fetch + with: + expected-sha256: 2a8885c403516cf7b0933ed4b14d6caa30e02052489ebd414dc75ac52e7559e6 + uri: https://www.tcpdump.org/release/libpcap-${{package.version}}.tar.gz + - uses: patch + with: + patches: fix-headers.patch + - uses: autoconf/configure + with: + opts: | + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --sysconfdir=/etc \ + --mandir=/usr/share/man \ + --localstatedir=/var \ + --enable-ipv6 + - runs: | + ./config.status + make all shared + make -j1 DESTDIR="${{targets.destdir}}" install install-shared + - uses: strip +subpackages: + - name: "libpcap-dev" + description: "headers for libpcap" + pipeline: + - uses: split/dev + dependencies: + runtime: + - libpcap \ No newline at end of file diff --git a/libpcap/fix-headers.patch b/libpcap/fix-headers.patch new file mode 100644 index 00000000000..5b24e0ac542 --- /dev/null +++ b/libpcap/fix-headers.patch 
@@ -0,0 +1,12 @@ +diff --git a/pcap-usb-linux.c b/pcap-usb-linux.c +index 6f8adf6..82780fa 100644 +--- a/pcap-usb-linux.c ++++ b/pcap-usb-linux.c +@@ -57,6 +57,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_LINUX_USBDEVICE_FS_H + /* + * We might need to define __user for diff --git a/libpng.yaml b/libpng.yaml index 01e6e3700f4..b3b665f454b 100644 --- a/libpng.yaml +++ b/libpng.yaml @@ -5,6 +5,7 @@ package: description: Portable Network Graphics library copyright: - license: Libpng + environment: contents: packages: @@ -16,6 +17,7 @@ environment: - zlib-dev - gawk - libtool + pipeline: - uses: fetch with: @@ -26,6 +28,7 @@ pipeline: - uses: autoconf/make - uses: autoconf/make-install - uses: strip + subpackages: - name: libpng-doc pipeline: diff --git a/libssh.yaml b/libssh.yaml new file mode 100644 index 00000000000..85b06208cbb --- /dev/null +++ b/libssh.yaml @@ -0,0 +1,44 @@ +package: + name: libssh + version: 0.10.4 + epoch: 0 + description: Library for accessing ssh client services through C libraries + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: LGPL-2.1-or-later BSD-2-Clause +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - cmake + - samurai + - openssl-dev + - zlib-dev + - xz + +pipeline: + - uses: fetch + with: + expected-sha512: 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed + uri: https://www.libssh.org/files/0.10/libssh-${{package.version}}.tar.xz + - runs: | + cmake -B build -G Ninja \ + -DCMAKE_BUILD_TYPE=None \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_INSTALL_LIBDIR=lib \ + -DWITH_GSSAPI=OFF \ + -DUNIT_TESTING=OFF + cmake --build build + DESTDIR="${{targets.destdir}}" cmake --install build + - uses: strip +subpackages: + - name: "libssh-dev" + description: "headers for libssh" + pipeline: + - uses: split/dev \ No newline at end of file 
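Review bot: libssh.yaml's `license: LGPL-2.1-or-later BSD-2-Clause` is two identifiers separated by a space, which is not a valid SPDX expression; kubescape.yaml in this tree writes `Apache-2.0 AND MIT`, so this should be `LGPL-2.1-or-later AND BSD-2-Clause` (or two `license:` entries, each with its own `paths`). The `libssh-dev` subpackage also has no `dependencies.runtime: - libssh`, unlike the iperf3-dev, libmnl-dev, libnet-dev and libpcap-dev subpackages added in this same commit.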
diff --git a/mariadb.yaml b/mariadb.yaml index 027ccca0fa2..ae93eaed22e 100644 --- a/mariadb.yaml +++ b/mariadb.yaml 
@@ -111,33 +111,33 @@ pipeline: runs: | rm -rf "${{targets.destdir}}"/usr/local/mysql/sql-bench/ rm -rf "${{targets.destdir}}"/usr/local/mysql/mysql-test/ - - rm -rf "${{targets.destdir}}"/usr/bin/mariadb_config - rm -rf "${{targets.destdir}}"/usr/bin/mysql_config - rm -rf "${{targets.destdir}}"/usr/include/mysql/errmsg.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_list.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_pvio.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_tls.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb/ma_io.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_com.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_ctype.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_dyncol.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_stmt.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_version.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/client_plugin.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/plugin_auth.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/plugin_auth_common.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql_version.h - rm -rf "${{targets.destdir}}"/usr/include/mysql/mysqld_error.h - rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/dialog.so - rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/mysql_clear_password.so - rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/sha256_password.so - rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/caching_sha2_password.so - rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/client_ed25519.so - rm -rf "${{targets.destdir}}"/usr/lib/libmysqlclient.so - rm -rf "${{targets.destdir}}"/usr/lib/libmysqlclient_r.so - rm -rf "${{targets.destdir}}"/usr/lib/libmariadb.so* + + rm -rf "${{targets.destdir}}"/usr/bin/mariadb_config + rm -rf 
"${{targets.destdir}}"/usr/bin/mysql_config + rm -rf "${{targets.destdir}}"/usr/include/mysql/errmsg.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_list.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_pvio.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/ma_tls.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb/ma_io.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_com.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_ctype.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_dyncol.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_stmt.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mariadb_version.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/client_plugin.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/plugin_auth.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql/plugin_auth_common.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysql_version.h + rm -rf "${{targets.destdir}}"/usr/include/mysql/mysqld_error.h + rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/dialog.so + rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/mysql_clear_password.so + rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/sha256_password.so + rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/caching_sha2_password.so + rm -rf "${{targets.destdir}}"/usr/lib/${{package.name}}/plugin/client_ed25519.so + rm -rf "${{targets.destdir}}"/usr/lib/libmysqlclient.so + rm -rf "${{targets.destdir}}"/usr/lib/libmysqlclient_r.so + rm -rf "${{targets.destdir}}"/usr/lib/libmariadb.so* rm -rf "${{targets.destdir}}"/usr/lib/pkgconfig/libmariadb.pc subpackages: 
@@ -150,36 +150,36 @@ subpackages: - mariadb - name: "mariadb-doc" pipeline: - - uses: split/manpages + - uses: split/manpages - name: "mariadb-test" pipeline: - - runs: | - mkdir -p "${{targets.subpkgdir}}"/usr/bin - mv "${{targets.destdir}}"/usr/bin/mysql_client_test \ - "${{targets.destdir}}"/usr/bin/mysql_client_test_embedded \ - "${{targets.destdir}}"/usr/bin/mariadb-client-test \ - "${{targets.destdir}}"/usr/bin/mariadb-client-test-embedded \ - "${{targets.destdir}}"/usr/bin/mariadb-test \ - "${{targets.destdir}}"/usr/bin/mariadb-test-embedded \ - "${{targets.destdir}}"/usr/bin/mysqltest \ - "${{targets.destdir}}"/usr/bin/mysqltest_embedded \ - "${{targets.subpkgdir}}"/usr/bin/ + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/bin + mv "${{targets.destdir}}"/usr/bin/mysql_client_test \ + "${{targets.destdir}}"/usr/bin/mysql_client_test_embedded \ + "${{targets.destdir}}"/usr/bin/mariadb-client-test \ + "${{targets.destdir}}"/usr/bin/mariadb-client-test-embedded \ + "${{targets.destdir}}"/usr/bin/mariadb-test \ + "${{targets.destdir}}"/usr/bin/mariadb-test-embedded \ + "${{targets.destdir}}"/usr/bin/mysqltest \ + "${{targets.destdir}}"/usr/bin/mysqltest_embedded \ + "${{targets.subpkgdir}}"/usr/bin/ - mv "${{targets.destdir}}"/usr/mysql-test \ - "${{targets.subpkgdir}}"/usr/ + mv "${{targets.destdir}}"/usr/mysql-test \ + "${{targets.subpkgdir}}"/usr/ - name: "mariadb-bench" pipeline: - - runs: | - mkdir -p "${{targets.subpkgdir}}"/usr/share/ - mv "${{targets.destdir}}"/usr/sql-bench "${{targets.subpkgdir}}"/usr/share + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/share/ + mv "${{targets.destdir}}"/usr/sql-bench "${{targets.subpkgdir}}"/usr/share - name: "mariadb-backup" pipeline: - - runs: | - mkdir -p "${{targets.subpkgdir}}"/usr/bin - mv "${{targets.destdir}}"/usr/bin/mariabackup \ - "${{targets.destdir}}"/usr/bin/mariadb-backup \ - "${{targets.destdir}}"/usr/bin/mbstream \ - "${{targets.subpkgdir}}"/usr/bin/ + - runs: | + mkdir -p 
"${{targets.subpkgdir}}"/usr/bin + mv "${{targets.destdir}}"/usr/bin/mariabackup \ + "${{targets.destdir}}"/usr/bin/mariadb-backup \ + "${{targets.destdir}}"/usr/bin/mbstream \ + "${{targets.subpkgdir}}"/usr/bin/ - name: mariadb-oci-entrypoint description: Entrypoint for using HAProxy in OCI containers dependencies: diff --git a/melange.yaml b/melange.yaml index 23dc6cb6bd7..8dfa3197fff 100644 --- a/melange.yaml +++ b/melange.yaml @@ -1,7 +1,7 @@ package: name: melange version: 0.2.0 - epoch: 0 + epoch: 1 description: build APKs from source code copyright: - license: Apache-2.0 diff --git a/nats-server.yaml b/nats-server.yaml new file mode 100644 index 00000000000..952af87d067 --- /dev/null +++ b/nats-server.yaml @@ -0,0 +1,29 @@ +package: + name: nats-server + version: 2.9.15 + epoch: 0 + description: High-Performance server for NATS.io, the cloud and edge native messaging system. + copyright: + - license: Apache-2.0 +environment: + contents: + packages: + - wolfi-baselayout + - busybox + - go + - ca-certificates-bundle +pipeline: + # We can't use go/install because this requires a specific go version + - uses: git-checkout + with: + repository: https://github.com/nats-io/nats-server + tag: v${{package.version}} + expected-commit: b91fa85462d42c2f988170aee27955773e68c56d + - runs: | + mkdir -p ${{targets.destdir}}/usr/bin + mkdir -p ${{targets.destdir}}/etc/nats + go build \ + -ldflags "-w -X github.com/nats-io/nats-server/v2/server.gitCommit=$(git rev-parse HEAD)" \ + -o ${{targets.destdir}}/usr/bin/nats-server \ + main.go + mv docker/nats-server.conf ${{targets.destdir}}/etc/nats/nats-server.conf diff --git a/nats.yaml b/nats.yaml new file mode 100644 index 00000000000..81be635ca35 --- /dev/null +++ b/nats.yaml 
@@ -0,0 +1,25 @@ +package: + name: nats + version: 0.0.35 + epoch: 0 + description: The NATS Command Line Interface. + copyright: + - license: Apache-2.0 +environment: + contents: + packages: + - wolfi-baselayout + - busybox + - go + - ca-certificates-bundle +pipeline: + # We can't use go/install because this requires a specific go version + - uses: git-checkout + with: + repository: https://github.com/nats-io/natscli + tag: v${{package.version}} + expected-commit: 08972cdf512c4bbe30b45df880a67762d6d0f4d4 + - runs: | + mkdir -p ${{targets.destdir}}/usr/bin + cd nats + go build -ldflags "-w -X main.version=${{package.version}}" -o ${{targets.destdir}}/usr/bin/nats diff --git a/nerdctl.yaml b/nerdctl.yaml index fbc382da251..3c85874b547 100644 --- a/nerdctl.yaml +++ b/nerdctl.yaml @@ -1,7 +1,7 @@ package: name: nerdctl version: 1.2.0 - epoch: 0 + epoch: 1 description: Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ... copyright: - license: Apache-2.0 @@ -21,4 +21,4 @@ pipeline: uri: https://github.com/containerd/nerdctl/archive/v${{package.version}}.tar.gz - runs: | make nerdctl - install -Dm755 ./_output/nerdctl ${{targets.destdir}}/usr/bin/nerdctl \ No newline at end of file + install -Dm755 ./_output/nerdctl ${{targets.destdir}}/usr/bin/nerdctl diff --git a/nodejs-18.yaml b/nodejs-18.yaml index 5e427354d7a..631bc179e2c 100644 --- a/nodejs-18.yaml +++ b/nodejs-18.yaml @@ -1,13 +1,13 @@ package: name: nodejs-18 - version: 18.14.2 - epoch: 0 + version: 18.15.0 + epoch: 1 description: "JavaScript runtime built on V8 engine - LTS version" copyright: - license: MIT dependencies: provides: - - nodejs=18.14.999 + - nodejs=18.15.999 environment: contents: packages: 
@@ -29,7 +29,7 @@ pipeline: - uses: fetch with: uri: https://nodejs.org/dist/v${{package.version}}/node-v${{package.version}}.tar.gz - expected-sha256: 850aebb879e3efd904ebfe65325caa97b013773bb94fafd2d0fb794324918252 + expected-sha256: d65c4c3ef3c8815bccda9502081a29458c7c80797db0763f8752f270a824ac2b - name: Configure and build runs: | # Add defines recommended in libuv readme. diff --git a/nsc.yaml b/nsc.yaml new file mode 100644 index 00000000000..f8bb11616cd --- /dev/null +++ b/nsc.yaml @@ -0,0 +1,14 @@ +package: + name: nsc + version: 2.7.8 + epoch: 0 + description: Tool for creating nkey/jwt based configurations + copyright: + - license: Apache-2.0 + dependencies: + runtime: + - go +pipeline: + - uses: go/install + with: + package: github.com/nats-io/nsc/v2@v${{package.version}} diff --git a/openjdk-11.yaml b/openjdk-11.yaml index 38bf270cc5f..511d57979b4 100644 --- a/openjdk-11.yaml +++ b/openjdk-11.yaml @@ -1,7 +1,8 @@ +#nolint:bad-version package: name: openjdk-11 - version: 11.0.18 - epoch: 1 + version: 11.0.19+5 + epoch: 0 description: copyright: - license: GPL-2.0-only @@ -39,8 +40,8 @@ environment: pipeline: - uses: fetch with: - uri: https://github.com/openjdk/jdk11u/archive/refs/tags/jdk-${{package.version}}-ga.tar.gz - expected-sha256: c0560c3480e7ded2a59d783ddf2cb624a44ece9d3036f4a7a7575d597b18fb2e + uri: https://github.com/openjdk/jdk11u/archive/refs/tags/jdk-${{package.version}}.tar.gz + expected-sha256: 83cdfc35fe9de04534e147c83bf983dc5dba8e15e009891df466a743ce119075 - runs: chmod +x configure - uses: autoconf/configure diff --git a/openjdk-17.yaml b/openjdk-17.yaml index 0b3a5a58437..759783903ef 100644 --- a/openjdk-17.yaml +++ b/openjdk-17.yaml @@ -1,7 +1,8 @@ +#nolint:bad-version package: name: openjdk-17 - version: 17.0.6 - epoch: 1 + version: 17.0.7+5 + epoch: 0 description: copyright: - license: GPL-2.0-only 
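Review bot: nsc.yaml declares `runtime: - go`, which pulls the whole Go toolchain into any image that installs this CLI; a `go/install`-built binary normally needs no toolchain at run time, so unless nsc invokes `go` itself this dependency should be dropped. If nsc talks to account servers over TLS, `ca-certificates-bundle` is the runtime dependency it more plausibly needs — confirm against the tool's behaviour. Compare the nats.yaml and nats-server.yaml hunks in this PR, which do not add `go` as a runtime dependency.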
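Review bot: The fetch URI drops the `-ga` suffix and the version becomes `11.0.19+5`, which looks like a build-numbered (early-access) tag rather than the GA tag the previous line pinned; if so, the package ships a pre-release build of a security-update cycle. Before merging, confirm that a `jdk-11.0.19-ga` tag does not yet exist and record in a comment why a non-GA build is acceptable, or keep the `-ga` URI pattern and wait for the release. The `#nolint:bad-version` marker added in the first hunk suggests the version format was pushed past a lint check for this reason. The same applies to the openjdk-17.yaml hunks (`17.0.7+5`).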
@@ -39,8 +40,8 @@ environment: pipeline: - uses: fetch with: - uri: https://github.com/openjdk/jdk17u/archive/refs/tags/jdk-${{package.version}}-ga.tar.gz - expected-sha256: f1d1c29ff5ac8254dc81d1635d60f658b6f2b790476acab836ddcb488c8c7fbe + uri: https://github.com/openjdk/jdk17u/archive/refs/tags/jdk-${{package.version}}.tar.gz + expected-sha256: a3148fc387a34f6e59d8195b032849f79b0d708e84d13e4bd69e850731edafdf - uses: fetch with: diff --git a/openssl.yaml b/openssl.yaml index 367d3d303cd..868f9b28a5d 100644 --- a/openssl.yaml +++ b/openssl.yaml @@ -1,6 +1,6 @@ package: name: openssl - version: 3.0.8 + version: 3.1.0 epoch: 0 description: "the OpenSSL cryptography suite" copyright: @@ -41,7 +41,7 @@ pipeline: - uses: fetch with: uri: https://www.openssl.org/source/openssl-${{package.version}}.tar.gz - expected-sha256: 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e + expected-sha256: aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4 - name: Configure and build runs: | export CC=${{host.triplet.gnu}}-gcc diff --git a/oras.yaml b/oras.yaml index 53d94e5d1cf..65ed2d71320 100644 --- a/oras.yaml +++ b/oras.yaml 
@@ -1,37 +1,30 @@ -package: - name: oras - version: 0.16.0 - epoch: 0 - description: OCI registry client - managing content like artifacts, images, packages. - copyright: - - license: Apache-2.0 - dependencies: - runtime: - - ca-certificates-bundle -environment: - contents: - packages: - - ca-certificates-bundle - - busybox - - go -pipeline: - - uses: git-checkout - with: - repository: https://github.com/oras-project/oras - tag: v${{package.version}} - destination: oras - expected-commit: d606fed4be252fd6162f63548e024451c31f3864 - - assertions: - required-steps: 1 - pipeline: - - if: ${{build.arch}} == 'x86_64' - runs: | - cd oras - make build-linux-amd64 - install -m755 -D ./bin/linux/amd64/oras "${{targets.destdir}}"/usr/bin/oras - - if: ${{build.arch}} == 'aarch64' - runs: | - cd oras - make build-linux-arm64 - install -m755 -D ./bin/linux/arm64/oras "${{targets.destdir}}"/usr/bin/oras - - uses: strip +package: + name: oras + version: 0.16.0 + epoch: 2 + description: OCI registry client - managing content like artifacts, images, packages. + copyright: + - license: Apache-2.0 + dependencies: + runtime: + - ca-certificates-bundle +environment: + contents: + packages: + - ca-certificates-bundle + - busybox + - go +pipeline: + - uses: git-checkout + with: + repository: https://github.com/oras-project/oras + tag: v${{package.version}} + destination: oras + expected-commit: d606fed4be252fd6162f63548e024451c31f3864 + - runs: | + cd oras + GOARCH=$(go env GOARCH) + make build-linux-${GOARCH} + install -m755 -D ./bin/linux/${GOARCH}/oras "${{targets.destdir}}"/usr/bin/oras + - uses: strip + diff --git a/php.yaml b/php.yaml index 4f9575e7780..7133e53a3f6 100644 --- a/php.yaml +++ b/php.yaml @@ -1,6 +1,6 @@ package: name: php - version: 8.2.3 + version: 8.2.4 epoch: 0 description: "the PHP programming language" copyright: @@ -8,7 +8,6 @@ package: dependencies: runtime: - libxml2 - environment: contents: packages: 
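Review bot: Every line of oras.yaml is shown as removed and re-added even though the package header is unchanged, which usually means a line-ending or indentation change accompanies the real edit (collapsing the per-arch steps into `GOARCH=$(go env GOARCH)`); normalising the whitespace in a separate commit would leave a diff that shows only the pipeline change and can be reviewed. The new file also ends with an extra empty line after `- uses: strip`. Dropping the `assertions: required-steps: 1` guard is fine here because the single runs step is unconditional.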
@@ -21,12 +20,11 @@ environment: - openssl-dev - readline-dev - sqlite-dev - pipeline: - uses: fetch with: uri: https://www.php.net/distributions/php-${{package.version}}.tar.gz - expected-sha256: 7c475bcbe61d28b6878604b1b6f387f39d1a63b5f21fa8156fd7aa615d43e259 + expected-sha256: cee7748015a2ddef1739d448b980b095dccd09ed589cf1b6c6ee2d16f5e73c50 - name: Configure runs: | ./configure \ @@ -41,7 +39,6 @@ pipeline: - uses: autoconf/make - uses: autoconf/make-install - uses: strip - subpackages: - name: php-dev description: PHP 8.2 development headers @@ -84,7 +81,6 @@ subpackages: echo; \ echo 'decorate_workers_output = no'; \ } | tee ${{targets.subpkgdir}}/etc/php-fpm.d/zz-apko.conf - advisories: CVE-2007-2728: - timestamp: 2023-02-16T11:01:48.943749-05:00 @@ -102,7 +98,6 @@ advisories: - timestamp: 2023-02-11T20:12:25.988296-05:00 status: fixed fixed-version: 8.1.13-r0 - secfixes: "0": - CVE-2007-2728 diff --git a/policy-controller.yaml b/policy-controller.yaml index 8b23ac3857f..f928775f00c 100644 --- a/policy-controller.yaml +++ b/policy-controller.yaml @@ -1,7 +1,7 @@ package: name: policy-controller version: 0.7.0 - epoch: 0 + epoch: 1 description: "The policy admission controller used to enforce policy on a cluster on verifiable supply-chain metadata from cosign." copyright: - license: Apache-2.0 diff --git a/prometheus-alertmanager.yaml b/prometheus-alertmanager.yaml index 969463cde0b..e6c55475549 100644 --- a/prometheus-alertmanager.yaml +++ b/prometheus-alertmanager.yaml @@ -2,7 +2,7 @@ package: name: prometheus-alertmanager # When bumping this version you can remove the `go get` line in the build script version: 0.25.0 - epoch: 0 + epoch: 1 description: Prometheus Alertmanager copyright: - license: Apache-2.0 diff --git a/prometheus-mysqld-exporter.yaml b/prometheus-mysqld-exporter.yaml index 65a6bc3b04f..e4b7ac39538 100644 --- a/prometheus-mysqld-exporter.yaml +++ b/prometheus-mysqld-exporter.yaml 
@@ -2,7 +2,7 @@ package: name: prometheus-mysqld-exporter # When bumping this version you can remove the `go get` line in the build script version: 0.14.0 - epoch: 0 + epoch: 1 description: Prometheus Exporter for MySQL server metrics copyright: - license: Apache-2.0 diff --git a/prometheus-node-exporter.yaml b/prometheus-node-exporter.yaml index 81c88bffcd6..9e6fb0a130e 100644 --- a/prometheus-node-exporter.yaml +++ b/prometheus-node-exporter.yaml @@ -2,7 +2,7 @@ package: name: prometheus-node-exporter # When bumping this version you can remove the `go get` line in the build script version: 1.5.0 - epoch: 1 + epoch: 2 description: Prometheus Exporter for machine metrics copyright: - license: Apache-2.0 diff --git a/prometheus.yaml b/prometheus.yaml index a096fd1f00a..745f9dc219b 100644 --- a/prometheus.yaml +++ b/prometheus.yaml @@ -2,7 +2,7 @@ package: name: prometheus # When bumping this version you can remove the `go get` line in the build script version: 2.42.0 - epoch: 2 + epoch: 3 description: The Prometheus monitoring system and time series database. copyright: - license: Apache-2.0 diff --git a/python-3.10.yaml b/python-3.10.yaml index fb3b63b6f14..fd287a80c32 100644 --- a/python-3.10.yaml +++ b/python-3.10.yaml @@ -9,6 +9,8 @@ package: runtime: secfixes: + "0": + - CVE-2007-4559 3.10.9-r0: - CVE-2020-10735 @@ -97,6 +99,11 @@ subpackages: - python3-dev=3.10.999 advisories: + CVE-2007-4559: + - timestamp: 2023-03-11T17:20:54.537869-05:00 + status: not_affected + justification: vulnerable_code_not_present + impact: The upstream issue has been closed, deeming this to be expected behavior, not a security issue. See https://bugs.python.org/issue1044. CVE-2020-10735: - timestamp: 2023-02-07T08:34:29.611707Z status: fixed diff --git a/python-3.11.yaml b/python-3.11.yaml index 81a2b7a92c1..8f7fd0ae28d 100644 --- a/python-3.11.yaml +++ b/python-3.11.yaml 
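Review bot: In the python-3.10 advisories hunk, the justification `vulnerable_code_not_present` contradicts the `impact` text on the next line, which says upstream considers the tarfile behaviour expected — the code is present in the standard library, it is just not treated as a bug. A VEX consumer reads the justification field, not the prose, so this should carry a justification that matches the stated reasoning (or `status: affected` with the upstream position recorded) rather than one asserting the code is absent. The same entry is added in the python-3.11.yaml and python-3.12.yaml hunks. The matching `secfixes: "0":` entries are consistent with a not_affected status.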
@@ -8,9 +8,13 @@ package: dependencies: provides: - python3=3.11.999 + secfixes: + "0": + - CVE-2007-4559 3.0.7-r0: - CVE-2020-10735 + environment: contents: repositories: @@ -33,6 +37,7 @@ environment: - sqlite-dev - xz-dev - zlib-dev + pipeline: - uses: fetch with: @@ -75,6 +80,7 @@ pipeline: runs: | ln -s python3 "${{targets.destdir}}"/usr/bin/python - uses: strip + subpackages: - name: "python-3.11-doc" description: "python3 documentation" @@ -84,15 +90,21 @@ subpackages: description: "python3 development headers" pipeline: - uses: split/dev - # pyconfig.h is needed at runtime... ugh. - runs: | + # pyconfig.h is needed at runtime... ugh. mkdir -p "${{targets.destdir}}"/usr/include/python3.11 mv "${{targets.subpkgdir}}"/usr/include/python3.11/pyconfig.h "${{targets.destdir}}"/usr/include/python3.11 dependencies: provides: - python3-dev=3.11.999 + advisories: + CVE-2007-4559: + - timestamp: 2023-03-11T17:20:54.562759-05:00 + status: not_affected + justification: vulnerable_code_not_present + impact: The upstream issue has been closed, deeming this to be expected behavior, not a security issue. See https://bugs.python.org/issue1044. CVE-2020-10735: - - timestamp: 2022-09-12T21:06:30+00:00 + - timestamp: 2022-09-12T21:06:30Z status: fixed fixed-version: 3.0.7-r0 diff --git a/python-3.12.yaml b/python-3.12.yaml index 59f5c96e2fd..ec547d6ce5a 100644 --- a/python-3.12.yaml +++ b/python-3.12.yaml @@ -1,14 +1,18 @@ package: name: python-3.12 # When bumping to a real non-prerelease you'll have to change the URL pattern on line 45 - version: 3.12.0_alpha5 - epoch: 2 + version: 3.12.0_alpha6 + epoch: 0 description: "the Python programming language" copyright: - license: PSF-2.0 + secfixes: + "0": + - CVE-2007-4559 3.0.7-r0: - CVE-2020-10735 + environment: contents: repositories: 
@@ -31,11 +35,12 @@ environment: - sqlite-dev - xz-dev - zlib-dev + pipeline: - uses: fetch with: - uri: https://www.python.org/ftp/python/3.12.0/Python-3.12.0a5.tar.xz - expected-sha256: d66ef7a342fe3a356f9cee3bb97adc1e5fb4840f6b6cff7de0ff7dd495f8323b + uri: https://www.python.org/ftp/python/3.12.0/Python-3.12.0a6.tar.xz + expected-sha256: 298440252c4b6b4e120e014c15d729eaf8ab779300dcca61d422c537e4e85eca - name: Force use of system libraries runs: | rm -rf Modules/expat \ @@ -73,6 +78,7 @@ pipeline: runs: | ln -s python3 "${{targets.destdir}}"/usr/bin/python - uses: strip + subpackages: - name: "python-3.12-doc" description: "python3 documentation" @@ -82,13 +88,18 @@ subpackages: description: "python3 development headers" pipeline: - uses: split/dev - # pyconfig.h is needed at runtime... ugh. - runs: | + # pyconfig.h is needed at runtime... ugh. mkdir -p "${{targets.destdir}}"/usr/include/python3.12 mv "${{targets.subpkgdir}}"/usr/include/python3.12/pyconfig.h "${{targets.destdir}}"/usr/include/python3.12 advisories: + CVE-2007-4559: + - timestamp: 2023-03-11T17:20:54.584305-05:00 + status: not_affected + justification: vulnerable_code_not_present + impact: The upstream issue has been closed, deeming this to be expected behavior, not a security issue. See https://bugs.python.org/issue1044. CVE-2020-10735: - - timestamp: 2022-09-12T21:06:30+00:00 + - timestamp: 2022-09-12T21:06:30Z status: fixed fixed-version: 3.0.7-r0 diff --git a/redis.yaml b/redis.yaml index 480e26b7415..e0fa5a76634 100644 --- a/redis.yaml +++ b/redis.yaml @@ -1,8 +1,8 @@ # Generated from https://git.alpinelinux.org/aports/plain/main/redis/APKBUILD package: name: redis - version: 7.0.8 - epoch: 1 + version: 7.0.9 + epoch: 0 description: Advanced key-value store copyright: - license: BSD-3-Clause @@ -15,6 +15,8 @@ secfixes: 7.0.8-r0: - CVE-2022-35977 - CVE-2023-22458 + 7.0.9-r0: + - CVE-2022-36021 environment: contents: 
@@ -30,7 +32,7 @@ environment: pipeline: - uses: fetch with: - expected-sha256: 06a339e491306783dcf55b97f15a5dbcbdc01ccbde6dc23027c475cab735e914 + expected-sha256: f77135c2a47c9151d4028bfea3b34470ab4d324d1484f79a84c6f32a3cfb9f65 uri: https://download.redis.io/releases/redis-${{package.version}}.tar.gz - uses: patch with: @@ -61,6 +63,12 @@ advisories: - timestamp: 2023-02-20T14:37:55.058122-05:00 status: fixed fixed-version: 7.0.8-r0 + CVE-2022-36021: + - timestamp: 2023-03-09T19:16:28.313696-05:00 + status: under_investigation + - timestamp: 2023-03-09T19:32:02.236148-05:00 + status: fixed + fixed-version: 7.0.9-r0 CVE-2023-22458: - timestamp: 2023-02-25T06:54:30.972765-05:00 status: fixed diff --git a/regclient.yaml b/regclient.yaml index 3e99878444c..04ccbfa15fc 100644 --- a/regclient.yaml +++ b/regclient.yaml @@ -1,7 +1,7 @@ package: name: regclient version: 0.4.5 - epoch: 2 + epoch: 3 description: Docker and OCI Registry Client in Go and tooling using those libraries copyright: - license: Apache-2.0 diff --git a/ruby-3.0.yaml b/ruby-3.0.yaml index f37e3b307e5..e54e7e89c73 100644 --- a/ruby-3.0.yaml +++ b/ruby-3.0.yaml @@ -1,7 +1,7 @@ package: name: ruby-3.0 - version: 3.0.4 - epoch: 4 + version: 3.0.5 + epoch: 0 description: "the Ruby programming language" copyright: - license: PSF-2.0 @@ -32,7 +32,7 @@ pipeline: - uses: fetch with: uri: https://cache.ruby-lang.org/pub/ruby/3.0/ruby-${{package.version}}.tar.gz - expected-sha256: 70b47c207af04bce9acea262308fb42893d3e244f39a4abc586920a1c723722b + expected-sha256: 9afc6380a027a4fe1ae1a3e2eccb6b497b9c5ac0631c12ca56f9b7beb4848776 - name: Configure runs: | ./configure \ 
@@ -64,8 +64,17 @@ subpackages: mkdir -p "${{targets.subpkgdir}}"/usr/share mv "${{targets.destdir}}"/usr/share/doc "${{targets.subpkgdir}}"/usr/share/ mv "${{targets.destdir}}"/usr/share/ri "${{targets.subpkgdir}}"/usr/share/ - - name: "ruby-3.0-dev" description: "ruby development headers" pipeline: - uses: split/dev + +advisories: + CVE-2021-33621: + - timestamp: 2023-03-10T10:57:16.957642-05:00 + status: fixed + fixed-version: 3.0.5-r0 + +secfixes: + 3.0.5-r0: + - CVE-2021-33621 diff --git a/ruby-3.2.yaml b/ruby-3.2.yaml index ae8092d65db..c2588ac92e7 100644 --- a/ruby-3.2.yaml +++ b/ruby-3.2.yaml @@ -1,7 +1,7 @@ package: name: ruby-3.2 - version: 3.2.0 - epoch: 6 + version: 3.2.1 + epoch: 0 description: "the Ruby programming language" copyright: - license: PSF-2.0 @@ -35,7 +35,7 @@ pipeline: - uses: fetch with: uri: https://cache.ruby-lang.org/pub/ruby/3.2/ruby-${{package.version}}.tar.gz - expected-sha256: daaa78e1360b2783f98deeceb677ad900f3a36c0ffa6e2b6b19090be77abc272 + expected-sha256: 13d67901660ee3217dbd9dd56059346bd4212ce64a69c306ef52df64935f8dbd - name: Configure runs: | ./configure \ diff --git a/ruby3.2-async-http.yaml b/ruby3.2-async-http.yaml index b11815a045c..b69c0c70919 100644 --- a/ruby3.2-async-http.yaml +++ b/ruby3.2-async-http.yaml @@ -1,13 +1,20 @@ package: name: ruby3.2-async-http version: 0.60.1 - epoch: 0 + epoch: 1 description: A HTTP client and server library. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-async + - ruby3.2-async-io + - ruby3.2-async-pool + - ruby3.2-protocol-http + - ruby3.2-protocol-http1 + - ruby3.2-protocol-http2 + - ruby3.2-traces environment: contents: diff --git a/ruby3.2-async-io.yaml b/ruby3.2-async-io.yaml index ce3961ce912..9c74339c525 100644 --- a/ruby3.2-async-io.yaml +++ b/ruby3.2-async-io.yaml 
@@ -1,13 +1,14 @@ package: name: ruby3.2-async-io version: 1.34.3 - epoch: 0 + epoch: 1 description: Provides support for asynchonous TCP, UDP, UNIX and SSL sockets. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-async environment: contents: diff --git a/ruby3.2-async-pool.yaml b/ruby3.2-async-pool.yaml index 644e72b2e5f..54d7c612856 100644 --- a/ruby3.2-async-pool.yaml +++ b/ruby3.2-async-pool.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-async-pool version: 0.3.12 - epoch: 0 + epoch: 1 description: A singleplex and multiplex resource pool for implementing robust clients. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-async environment: contents: diff --git a/ruby3.2-async.yaml b/ruby3.2-async.yaml index c0e830b2eca..6accd6b7996 100644 --- a/ruby3.2-async.yaml +++ b/ruby3.2-async.yaml @@ -1,13 +1,16 @@ package: name: ruby3.2-async version: 2.3.1 - epoch: 0 + epoch: 1 description: A concurrency framework for Ruby. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-console + - ruby3.2-io-event + - ruby3.2-timers environment: contents: diff --git a/ruby3.2-bundler.yaml b/ruby3.2-bundler.yaml index 36f96435e52..a4383f4b8cf 100644 --- a/ruby3.2-bundler.yaml +++ b/ruby3.2-bundler.yaml @@ -25,8 +25,9 @@ vars: pipeline: - uses: fetch with: - uri: https://github.com/rubygems/rubygems/archive/bundler-v${{package.version}}.tar.gz expected-sha256: 78b91bb1dee3814e9de8e3a6d80619d599ed024cfe02eed9c66679851d808f45 + uri: https://github.com/rubygems/rubygems/archive/bundler-v${{package.version}}.tar.gz + - working-directory: ${{vars.gem}} pipeline: - uses: ruby/build diff --git a/ruby3.2-concurrent-ruby.yaml b/ruby3.2-concurrent-ruby.yaml index 526ac68d7e5..915c6a78ea5 100644 --- a/ruby3.2-concurrent-ruby.yaml +++ b/ruby3.2-concurrent-ruby.yaml 
@@ -27,10 +27,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: cdbc6db6c7530eb64ecfb7417fb7a449c7ec2fd6 repository: https://github.com/ruby-concurrency/concurrent-ruby.git tag: v${{package.version}} - expected-commit: cdbc6db6c7530eb64ecfb7417fb7a449c7ec2fd6 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-console.yaml b/ruby3.2-console.yaml index c7cb166dd4a..2694f09d66b 100644 --- a/ruby3.2-console.yaml +++ b/ruby3.2-console.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-console version: 1.16.2 - epoch: 0 + epoch: 1 description: Beautiful logging for Ruby. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-fiber-local environment: contents: diff --git a/ruby3.2-cool.io.yaml b/ruby3.2-cool.io.yaml index fa531eae358..ca4e2ec876e 100644 --- a/ruby3.2-cool.io.yaml +++ b/ruby3.2-cool.io.yaml @@ -27,10 +27,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 8dc015147d40f30f8ee6a5dceae201476bb973a2 repository: https://github.com/tarcieri/cool.io.git tag: v${{package.version}} - expected-commit: 8dc015147d40f30f8ee6a5dceae201476bb973a2 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-fluentd14.yaml b/ruby3.2-fluentd14.yaml new file mode 100644 index 00000000000..3b43375bc94 --- /dev/null +++ b/ruby3.2-fluentd14.yaml 
@@ -0,0 +1,67 @@ +package: + name: ruby3.2-fluentd14 + version: 1.14.6 + epoch: 0 + description: Fluentd is an open source data collector designed to scale and simplify log management. It can collect, process and ship many kinds of data in near real-time. + target-architecture: + - all + copyright: + - paths: + - '*' + attestation: TODO + license: Apache-2.0 + dependencies: + runtime: + - ruby-3.2 + - ruby3.2-bundler + - ruby3.2-cool.io + - ruby3.2-http_parser.rb + - ruby3.2-msgpack + - ruby3.2-serverengine + - ruby3.2-sigdump + - ruby3.2-strptime + - ruby3.2-tzinfo + - ruby3.2-tzinfo-data + - 'ruby3.2-webrick=~1.7' + - ruby3.2-yajl-ruby + +environment: + contents: + packages: + - ca-certificates-bundle + - ruby-3.2 + - ruby-3.2-dev + - build-base + - busybox + - git + +vars: + gem: fluentd + +pipeline: + # This package makes use of `git ls-files` in it's gemspec so the git repo + # must be checked out in order for the gem to build with all files. + - uses: git-checkout + with: + destination: ${{vars.gem}} + expected-commit: c0f48a0080550eff6aa6fa19d269e480684e7a45 + repository: https://github.com/fluent/fluentd.git + tag: v${{package.version}} + + - working-directory: ${{vars.gem}} + pipeline: + - uses: ruby/build + with: + gem: ${{vars.gem}} + - uses: ruby/install + with: + gem: ${{vars.gem}} + version: ${{package.version}} + + - uses: ruby/clean + - runs: |- + GEM_DIR=${{targets.destdir}}$(ruby -e 'puts Gem.default_dir')/gems/${{vars.gem}}-${{package.version}} + rm -rf ${GEM_DIR}/test \ + ${GEM_DIR}/docs \ + ${GEM_DIR}/*.md \ + ${GEM_DIR}/.github diff --git a/ruby3.2-fluentd.yaml b/ruby3.2-fluentd15.yaml similarity index 80% rename from ruby3.2-fluentd.yaml rename to ruby3.2-fluentd15.yaml index 72c60e06d14..228cd9cd897 100644 --- a/ruby3.2-fluentd.yaml +++ b/ruby3.2-fluentd15.yaml 
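Review bot: The new ruby3.2-fluentd14.yaml ships `attestation: TODO` in its copyright block, a placeholder that ends up in the package's metadata; fill it in or drop the `paths`/`attestation` entries and keep only `license: Apache-2.0`, as the sibling ruby3.2-* files in this PR do. The same placeholder appears in the sbt-stage0.yaml, sbt.yaml and socat.yaml hunks. Adding a 1.14.x branch beside 1.15.x also raises the question of whether 1.14 still receives security fixes upstream; a one-line comment stating why the older branch is packaged (and until when) would help the next maintainer. The runtime dependency list is duplicated verbatim from ruby3.2-fluentd15.yaml, so the two need to be kept in sync when the gemspec changes.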
@@ -1,7 +1,7 @@ package: - name: ruby3.2-fluentd + name: ruby3.2-fluentd15 version: 1.15.3 - epoch: 1 + epoch: 0 description: Fluentd is an open source data collector designed to scale and simplify log management. It can collect, process and ship many kinds of data in near real-time. copyright: - license: Apache-2.0 @@ -9,6 +9,17 @@ package: dependencies: runtime: - ruby-3.2 + - ruby3.2-bundler + - ruby3.2-cool.io + - ruby3.2-http_parser.rb + - ruby3.2-msgpack + - ruby3.2-serverengine + - ruby3.2-sigdump + - ruby3.2-strptime + - ruby3.2-tzinfo + - ruby3.2-tzinfo-data + - 'ruby3.2-webrick=~1.7' + - ruby3.2-yajl-ruby environment: contents: @@ -28,10 +39,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: e89092ce1132a933c12bb23fe8c9323c07ca81f5 repository: https://github.com/fluent/fluentd.git tag: v${{package.version}} - expected-commit: e89092ce1132a933c12bb23fe8c9323c07ca81f5 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-http_parser.rb.yaml b/ruby3.2-http_parser.rb.yaml index 481f604939f..4303faa7e2b 100644 --- a/ruby3.2-http_parser.rb.yaml +++ b/ruby3.2-http_parser.rb.yaml @@ -29,10 +29,10 @@ pipeline: # This package also makes use of git submodules which requires the git repo - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 90abe77b061c8b9b76204f53d4c223a2db0c858b repository: https://github.com/tmm1/http_parser.rb.git tag: v${{package.version}} - expected-commit: 90abe77b061c8b9b76204f53d4c223a2db0c858b - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-msgpack.yaml b/ruby3.2-msgpack.yaml index b9c607a1e3f..ee4a0a477e2 100644 --- a/ruby3.2-msgpack.yaml +++ b/ruby3.2-msgpack.yaml 
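Review bot: Renaming the package from `ruby3.2-fluentd` to `ruby3.2-fluentd15` with no `provides: - ruby3.2-fluentd` means anything that currently depends on the old name stops resolving once this is published; unless nothing depends on it, add a `provides` entry (and a `replaces` entry if the file set overlaps) under `dependencies`. Both fluentd14 and fluentd15 presumably install the gem's executables to the same `/usr/bin` paths, so the two packages would conflict on install — confirm that is intended. Keeping the `expected-commit` pin on the git-checkout step is good.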
@@ -27,10 +27,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 8e8b353a98df782a55eb7939bed4a70a16a40cee repository: https://github.com/msgpack/msgpack-ruby.git tag: v${{package.version}} - expected-commit: 8e8b353a98df782a55eb7939bed4a70a16a40cee - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-protocol-hpack.yaml b/ruby3.2-protocol-hpack.yaml index 5b3145ec839..cbfde19383d 100644 --- a/ruby3.2-protocol-hpack.yaml +++ b/ruby3.2-protocol-hpack.yaml @@ -31,10 +31,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 031b055eeea20f42facd65e1b57e6d8af93292f3 repository: https://github.com/socketry/http-hpack.git tag: v${{package.version}} - expected-commit: 031b055eeea20f42facd65e1b57e6d8af93292f3 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-protocol-http1.yaml b/ruby3.2-protocol-http1.yaml index 049f5a87813..aa97f504a0d 100644 --- a/ruby3.2-protocol-http1.yaml +++ b/ruby3.2-protocol-http1.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-protocol-http1 version: 0.15.0 - epoch: 0 + epoch: 1 description: A low level implementation of the HTTP/1 protocol. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-protocol-http environment: contents: diff --git a/ruby3.2-protocol-http2.yaml b/ruby3.2-protocol-http2.yaml index 939e7e85129..79dce4705bc 100644 --- a/ruby3.2-protocol-http2.yaml +++ b/ruby3.2-protocol-http2.yaml @@ -1,13 +1,15 @@ package: name: ruby3.2-protocol-http2 version: 0.15.1 - epoch: 0 + epoch: 1 description: A low level implementation of the HTTP/2 protocol. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-protocol-hpack + - ruby3.2-protocol-http environment: contents: 
diff --git a/ruby3.2-serverengine.yaml b/ruby3.2-serverengine.yaml index d951e7e0b06..7cd109f4a59 100644 --- a/ruby3.2-serverengine.yaml +++ b/ruby3.2-serverengine.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-serverengine version: 2.3.1 - epoch: 0 + epoch: 1 description: A framework to implement robust multiprocess servers like Unicorn copyright: - license: Apache 2.0 dependencies: runtime: - ruby-3.2 + - ruby3.2-sigdump environment: contents: @@ -27,10 +28,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: c35e3a523958a82b6e27580f8197d66e601a0092 repository: https://github.com/fluent/serverengine.git tag: v${{package.version}} - expected-commit: c35e3a523958a82b6e27580f8197d66e601a0092 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-sigdump.yaml b/ruby3.2-sigdump.yaml index 676d53f9949..ab13ef4dcac 100644 --- a/ruby3.2-sigdump.yaml +++ b/ruby3.2-sigdump.yaml @@ -27,10 +27,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 57570f04456560512e4efc1c6fa695b76c17dc0d repository: https://github.com/frsyuki/sigdump.git tag: v${{package.version}} - expected-commit: 57570f04456560512e4efc1c6fa695b76c17dc0d - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-strptime.yaml b/ruby3.2-strptime.yaml index 657a1b366dd..305193993d9 100644 --- a/ruby3.2-strptime.yaml +++ b/ruby3.2-strptime.yaml 
@@ -27,10 +27,10 @@ pipeline: # must be checked out in order for the gem to build with all files. - uses: git-checkout with: + destination: ${{vars.gem}} + expected-commit: 1583aaa510cae4660907b22c8262ab31b1eb1864 repository: https://github.com/nurse/strptime.git tag: v${{package.version}} - expected-commit: 1583aaa510cae4660907b22c8262ab31b1eb1864 - destination: ${{vars.gem}} - working-directory: ${{vars.gem}} pipeline: diff --git a/ruby3.2-tzinfo-data.yaml b/ruby3.2-tzinfo-data.yaml index 3e6e1d452f1..c1f18f93607 100644 --- a/ruby3.2-tzinfo-data.yaml +++ b/ruby3.2-tzinfo-data.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-tzinfo-data version: 1.2022.7 - epoch: 0 + epoch: 1 description: TZInfo::Data contains data from the IANA Time Zone database packaged as Ruby modules for use with TZInfo. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-tzinfo environment: contents: diff --git a/ruby3.2-tzinfo.yaml b/ruby3.2-tzinfo.yaml index 7bdc8fcbe4f..c96e2fc1093 100644 --- a/ruby3.2-tzinfo.yaml +++ b/ruby3.2-tzinfo.yaml @@ -1,13 +1,14 @@ package: name: ruby3.2-tzinfo version: 2.0.6 - epoch: 0 + epoch: 1 description: TZInfo provides access to time zone data and allows times to be converted using time zone rules. copyright: - license: MIT dependencies: runtime: - ruby-3.2 + - ruby3.2-concurrent-ruby environment: contents: diff --git a/rust.yaml b/rust.yaml index 0901a0a9e34..3d7cf725291 100644 --- a/rust.yaml +++ b/rust.yaml @@ -1,6 +1,6 @@ package: name: rust - version: 1.67.1 + version: 1.68.0 epoch: 0 description: "rust a type safe memory safe language" copyright: @@ -10,7 +10,7 @@ package: - libLLVM-15 provides: # hack to allow rust to bootstrap itself - - rust-bootstrap=1.67.0 + - rust-bootstrap=1.68.0 environment: contents: 
@@ -42,7 +42,7 @@ pipeline: - uses: fetch with: uri: https://static.rust-lang.org/dist/rustc-${{package.version}}-src.tar.xz - expected-sha256: 77e0615011f887d9533d5374bf9c15c590c3caf32bbb035b392d1c2ae502a682 + expected-sha256: 8651245e8708f11d0f65ba9fdb394c4b9300d603d318045664b371729da9eac4 extract: false - runs: | tar -xJf rustc-${{package.version}}-src.tar.xz diff --git a/sbom-scorecard.yaml b/sbom-scorecard.yaml index c35ee19cf08..8ca9e203343 100644 --- a/sbom-scorecard.yaml +++ b/sbom-scorecard.yaml @@ -1,7 +1,7 @@ package: name: sbom-scorecard version: 0.0.5 - epoch: 0 + epoch: 1 description: Generate a score for your sbom to understand if it will actually be useful. copyright: - license: Apache-2.0 diff --git a/sbt-stage0.yaml b/sbt-stage0.yaml new file mode 100644 index 00000000000..8f67c01bbeb --- /dev/null +++ b/sbt-stage0.yaml 
@@ -0,0 +1,42 @@ +package: + name: sbt-stage0 + version: 1.8.2 + epoch: 0 + description: A scala build tool + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: Apache-2.0 + dependencies: + runtime: + - openjdk-11-jre + - bash +environment: + contents: + packages: + - ca-certificates-bundle + - build-base + - busybox +pipeline: + - uses: fetch + with: + expected-sha256: 1f65344da074dbd66dfefa93c0eff8d319d772e5cad47fcbeb6ae178bbdf4686 + uri: https://github.com/sbt/sbt/releases/download/v${{package.version}}/sbt-${{package.version}}.tgz + - runs: | + mkdir -p ${{targets.destdir}}/usr/share/java/sbt/bin + mkdir -p ${{targets.destdir}}/usr/share/java/sbt/conf + + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./bin/sbt-launch.jar + install -m755 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./bin/sbt + + mkdir -p ${{targets.destdir}}/usr/bin + ln -sf /usr/share/java/sbt/bin/sbt ${{targets.destdir}}/usr/bin/sbt + - if: ${{build.arch}} == 'aarch64' + runs: | + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./bin/sbtn-aarch64-pc-linux + - if: ${{build.arch}} == 'amd64' + runs: | + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./bin/sbtn-x86_64-pc-linux diff --git a/sbt.yaml b/sbt.yaml new file mode 100644 index 00000000000..714b9a3c8b8 --- /dev/null +++ b/sbt.yaml 
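Review bot: The native client step is guarded by `${{build.arch}} == 'amd64'`, but melange's build.arch uses apk architecture names — the aarch64 branch above and the old oras.yaml in this PR compare against `'x86_64'` — so on x86_64 the `sbtn-x86_64-pc-linux` binary is never installed and the condition silently does nothing; change it to `- if: ${{build.arch}} == 'x86_64'`. The `sbtn-*` files are native executables but are installed with `-m644`; `-m755` looks intended. The same two issues appear in the sbt.yaml hunk. `build-base` in the build environment is unused by a fetch-and-install recipe and could be dropped.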
@@ -0,0 +1,50 @@ +package: + name: sbt + version: 1.8.2 + epoch: 0 + description: A scala build tool + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: Apache-2.0 + dependencies: + runtime: + - openjdk-11-jre + - bash +environment: + contents: + packages: + - ca-certificates-bundle + - build-base + - busybox + - sbt-stage0 +pipeline: + - uses: git-checkout + with: + repository: https://github.com/sbt/sbt + tag: v${{package.version}} + expected-commit: 8c1b98f11570047c0dd1411823628fa4342681e2 + - runs: | + cd launcher-package + + sbt -Dsbt.build.version=${{package.version}} universal:packageZipTarball + + tar -xf target/universal/sbt.tgz + + mkdir -p ${{targets.destdir}}/usr/share/java/sbt/bin + mkdir -p ${{targets.destdir}}/usr/share/java/sbt/conf + + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./sbt/bin/sbt-launch.jar + install -m755 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./sbt/bin/sbt + + mkdir -p ${{targets.destdir}}/usr/bin + ln -sf /usr/share/java/sbt/bin/sbt ${{targets.destdir}}/usr/bin/sbt + - if: ${{build.arch}} == 'aarch64' + runs: | + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./launcher-package/sbt/bin/sbtn-aarch64-pc-linux + - if: ${{build.arch}} == 'amd64' + runs: | + install -m644 -Dt ${{targets.destdir}}/usr/share/java/sbt/bin ./launcher-package/sbt/bin/sbtn-x86_64-pc-linux diff --git a/scorecard.yaml b/scorecard.yaml index 407e8a831d5..76cd8eb1262 100644 --- a/scorecard.yaml +++ b/scorecard.yaml @@ -1,7 +1,7 @@ package: name: scorecard version: 4.10.2 - epoch: 1 + epoch: 2 description: OpenSSF Scorecard - Security health metrics for Open Source copyright: - license: Apache-2.0 diff --git a/skopeo.yaml b/skopeo.yaml index ce832bf815c..6ea54373619 100644 --- a/skopeo.yaml +++ b/skopeo.yaml 
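Review bot: The runs step invokes `sbt ... universal:packageZipTarball`, which presumably resolves sbt's own plugins and dependencies from remote repositories at build time; those artifacts are not pinned by digest anywhere in this file, so the build depends on whatever the resolvers return and is neither reproducible nor fully attestable. Recording the resolver configuration and, where possible, vendoring or hash-pinning the resolved artifacts (or at minimum documenting the network dependency in a comment on the step) would make this package's supply chain auditable. The bootstrap through `sbt-stage0` is itself fetched with a pinned sha256, which is good.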
@@ -1,7 +1,7 @@ package: name: skopeo version: 1.11.1 - epoch: 0 + epoch: 1 description: Work with remote images registries - retrieving information, images, signing content copyright: - license: Apache-2.0 diff --git a/socat.yaml b/socat.yaml new file mode 100644 index 00000000000..c3d6d30a8cc --- /dev/null +++ b/socat.yaml @@ -0,0 +1,44 @@ +package: + name: socat + version: 1.7.4.4 + epoch: 0 + description: Multipurpose relay for binary protocols + target-architecture: + - all + copyright: + - paths: + - "*" + attestation: TODO + license: GPL-2.0-only WITH OpenSSL-Exception +environment: + contents: + packages: + - busybox + - ca-certificates-bundle + - build-base + - automake + - autoconf + - openssl-dev + - readline-dev + - linux-headers +pipeline: + - uses: fetch + with: + expected-sha256: 0f8f4b9d5c60b8c53d17b60d79ababc4a0f51b3bb6d2bd3ae8a6a4b9d68f195e + uri: http://www.dest-unreach.org/socat/download/socat-${{package.version}}.tar.gz + - uses: patch + with: + patches: netdb-internal.patch use-linux-headers.patch + - uses: autoconf/configure + - runs: | + make + make DESTDIR="${{targets.destdir}}" install + - uses: strip + +subpackages: + - name: socat-doc + pipeline: + - uses: split/manpages + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/share/socat + install -m644 EXAMPLES doc/*.html doc/*.css "${{targets.subpkgdir}}"/usr/share/socat \ No newline at end of file diff --git a/socat/netdb-internal.patch b/socat/netdb-internal.patch new file mode 100644 index 00000000000..d1ebc8e5be0 --- /dev/null +++ b/socat/netdb-internal.patch @@ -0,0 +1,13 @@ +--- socat-1.7.2.4.orig/compat.h ++++ socat-1.7.2.4/compat.h +@@ -656,6 +656,10 @@ + # define NETDB_INTERNAL h_NETDB_INTERNAL + #endif + ++#if !defined(NETDB_INTERNAL) ++# define NETDB_INTERNAL (-1) ++#endif ++ + #ifndef INET_ADDRSTRLEN + # define INET_ADDRSTRLEN sizeof(struct sockaddr_in) + #endif 
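Review bot: The `fetch` step in the new socat.yaml pulls the tarball over plain `http://www.dest-unreach.org/socat/download/...`; `expected-sha256` still enforces integrity, but if the hash itself was taken from the same unauthenticated download the pin only proves consistency with that first fetch, so switch to `https://` if upstream serves it or add a comment recording where the hash was cross-checked. The two patches applied by name carry `socat-1.7.2.4` headers while the package is at 1.7.4.4 (see the patch hunks that follow); if they still apply cleanly, a one-line comment above the `patch` step naming what each fixes (the `NETDB_INTERNAL` fallback and the linux-headers include) would help the next version bump decide whether they are still needed. `attestation: TODO` is also left as a placeholder in this file.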
diff --git a/socat/use-linux-headers.patch b/socat/use-linux-headers.patch new file mode 100644 index 00000000000..5ef90ac84e8 --- /dev/null +++ b/socat/use-linux-headers.patch @@ -0,0 +1,11 @@ +--- socat-1.7.2.4.orig/sysincludes.h ++++ socat-1.7.2.4/sysincludes.h +@@ -134,7 +134,7 @@ + #include + #endif + #if HAVE_NETINET_IF_ETHER_H +-#include ++#include + #endif + #if HAVE_LINUX_IF_TUN_H + #include diff --git a/spire-server.yaml b/spire-server.yaml index 3f08f2bee0a..c50f4c37563 100644 --- a/spire-server.yaml +++ b/spire-server.yaml @@ -1,7 +1,7 @@ package: name: spire-server version: 1.5.5 - epoch: 0 + epoch: 1 description: The SPIFFE Runtime Environment (SPIRE) server copyright: - license: Apache-2.0 diff --git a/sqlite.yaml b/sqlite.yaml index f58e090e4b8..55e3a742898 100644 --- a/sqlite.yaml +++ b/sqlite.yaml @@ -7,6 +7,7 @@ package: - license: blessing dependencies: runtime: + environment: contents: repositories: @@ -18,9 +19,11 @@ environment: - ca-certificates-bundle - build-base - readline + secfixes: 3.40.0-r1: - CVE-2022-46908 + pipeline: - uses: fetch with: @@ -58,6 +61,7 @@ pipeline: make -j$(nproc) V=1 - uses: autoconf/make-install - uses: strip + subpackages: - name: "sqlite-dev" description: "sqlite headers" @@ -76,8 +80,9 @@ subpackages: - runs: | mkdir -p "${{targets.subpkgdir}}"/usr mv "${{targets.destdir}}"/usr/lib "${{targets.subpkgdir}}"/usr/ + advisories: CVE-2022-46908: - - timestamp: 2022-12-14T10:26:25+00:00 + - timestamp: 2022-12-14T10:26:25Z status: fixed fixed-version: 3.40.0-r1 diff --git a/step.yaml b/step.yaml index 4b94456e9da..800b270940c 100644 --- a/step.yaml +++ b/step.yaml @@ -1,7 +1,7 @@ package: name: step version: 0.23.1 - epoch: 0 + epoch: 1 description: A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. copyright: - license: Apache-2.0 diff --git a/syft.yaml b/syft.yaml index e9840b72e6c..930945818bf 100644 --- a/syft.yaml +++ b/syft.yaml 
@@ -1,7 +1,7 @@ package: name: syft version: 0.70.0 - epoch: 0 + epoch: 1 description: CLI tool and library for generating a Software Bill of Materials from container images and filesystems copyright: - license: Apache-2.0 diff --git a/terraform.yaml b/terraform.yaml index dad3ae6d354..53304392b52 100644 --- a/terraform.yaml +++ b/terraform.yaml @@ -1,7 +1,7 @@ package: name: terraform version: 1.3.9 - epoch: 0 + epoch: 2 copyright: - license: MPL-2.0 environment: @@ -19,6 +19,13 @@ pipeline: destination: terraform - runs: | cd terraform + + # Mitigate GHSA-jpxj-2jvg-6jv9 (CVE-2023-0475) + go get github.com/hashicorp/go-getter@v1.7.0 + + # Mitigate GHSA-vvpx-j8f3-3w6h (CVE-2022-41723) + go get golang.org/x/net@v0.7.0 + go generate ./... CGO_ENABLED=0 go build -v - runs: | diff --git a/tkn.yaml b/tkn.yaml index 7a31a1d5610..283e54bdd1f 100644 --- a/tkn.yaml +++ b/tkn.yaml @@ -1,7 +1,7 @@ package: name: tkn version: 0.28.0 - epoch: 0 + epoch: 1 description: A CLI for interacting with Tekton! copyright: - license: Apache-2.0 diff --git a/traefik.yaml b/traefik.yaml index 0a3c01da25b..3f2557580c1 100644 --- a/traefik.yaml +++ b/traefik.yaml @@ -1,7 +1,7 @@ package: name: traefik version: 2.9.8 - epoch: 1 + epoch: 2 description: The Cloud Native Application Proxy copyright: - license: MIT @@ -10,7 +10,7 @@ secfixes: 2.9.6-r0: - CVE-2022-23469 - CVE-2022-46153 - 2.9.8-r2: + 2.9.8-r1: - CVE-2021-41803 - CVE-2022-40716 @@ -44,7 +44,7 @@ advisories: CVE-2021-41803: - timestamp: 2023-03-07T11:51:57.26224-05:00 status: fixed - fixed-version: 2.9.8-r2 + fixed-version: 2.9.8-r1 CVE-2022-23469: - timestamp: 2023-01-29T11:56:03.991319-05:00 status: fixed @@ -52,7 +52,7 @@ advisories: CVE-2022-40716: - timestamp: 2023-03-07T11:52:26.180256-05:00 status: fixed - fixed-version: 2.9.8-r2 + fixed-version: 2.9.8-r1 CVE-2022-46153: - timestamp: 2023-01-29T11:56:03.989795-05:00 status: fixed diff --git a/trivy.yaml b/trivy.yaml index d7846832756..9fab13a4f35 100644 --- a/trivy.yaml 
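Review bot: The two `go get` lines in terraform.yaml mitigate CVE-2023-0475 and CVE-2022-41723, but this diff adds no `secfixes`/`advisories` entry to terraform.yaml for 1.3.9-r2, unlike the vault, vim and wasmtime changes in the same commit; without that record the package metadata will not say that this build carries the fix. `go get` at build time also rewrites go.mod/go.sum from the network, and if the checkout includes a `vendor/` directory (not visible in the hunk) the following `go build` would fail on the inconsistency; either follow the upgrades with `go mod tidy` (and `go mod vendor` where applicable) or add a comment stating why that is not needed. The enclosing `runs:` block continues outside the hunk.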
+++ b/trivy.yaml @@ -1,6 +1,6 @@ package: name: trivy - version: 0.38.1 + version: 0.38.3 epoch: 0 description: Simple and comprehensive vulnerability scanner for containers copyright: @@ -15,7 +15,7 @@ pipeline: - uses: fetch with: uri: https://github.com/aquasecurity/trivy/archive/v${{package.version}}/trivy-${{package.version}}.tar.gz - expected-sha512: b1c66b25113e196897e129b3957c83de56166c132983b46dd931c57ba2e3b5241a846fbd60f8bc433d8490d3586b875b6125cb3249fdb4c1a19c9732fe22b24f + expected-sha512: ce55d452d159af84212e66387db401bbc7ed5948e5bcab1595d4a1ffaacd446e4b7a8f5028a6c7a867af7ce020bbc2061992c234197d119250979b281c347d8b - runs: | CGO_ENABLED=0 go build \ -ldflags "-s -w -X=main.version=${{package.version}}" \ diff --git a/vault.yaml b/vault.yaml index c6dbc9bc384..113ef671e3e 100644 --- a/vault.yaml +++ b/vault.yaml @@ -1,9 +1,8 @@ package: name: vault - version: 1.12.3 + version: 1.13.0 epoch: 0 description: Tool for encryption as a service, secrets and privileged access management - - !riscv64 copyright: - license: MPL-2.0 @@ -13,12 +12,13 @@ environment: - ca-certificates-bundle - busybox - go + pipeline: - uses: git-checkout with: repository: https://github.com/hashicorp/vault tag: v${{package.version}} - expected-commit: 209b3dd99fe8ca320340d08c70cff5f620261f9b + expected-commit: a4cf0dc4437de35fce4860857b64569d092a9b5a destination: vault - runs: | cd vault @@ -48,3 +48,15 @@ pipeline: install -m750 -d "${{targets.destdir}}/var/lib/vault" - uses: strip + +advisories: + CVE-2023-24999: + - timestamp: 2023-03-16T20:08:35.29356-04:00 + status: under_investigation + - timestamp: 2023-03-16T20:20:49.495382-04:00 + status: fixed + fixed-version: 1.12.4-r0 + +secfixes: + 1.12.4-r0: + - CVE-2023-24999 diff --git a/vim.yaml b/vim.yaml index 39bfc266e74..e5aad3e82bc 100644 --- a/vim.yaml +++ b/vim.yaml @@ -1,6 +1,6 @@ package: name: vim - version: 9.0.1275 + version: 9.0.1402 epoch: 0 description: "Improved vi-style text editor" copyright: 
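Review bot: The new vault.yaml advisory and `secfixes` record CVE-2023-24999 as fixed in `1.12.4-r0`, but this change moves the package directly from 1.12.3 to 1.13.0 and no 1.12.4 build appears anywhere in the diff; unless a 1.12.4-r0 package was actually published in between, the fixed-version should be the first build that ships the fix from this repository, i.e. `fixed-version: 1.13.0-r0` with a matching `1.13.0-r0:` key under `secfixes`, so consumers matching on shipped versions do not see a phantom release. The vim hunk further down has the same pattern (`9.0.1378-r0` and `9.0.1392-r0` while the version jumps from 9.0.1275 to 9.0.1402). The removed `- !riscv64` item was a stray list entry under the package stanza; a word in the commit description on why it was there would help.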
@@ -21,7 +21,7 @@ pipeline: - uses: fetch with: uri: https://github.com/vim/vim/archive/v${{package.version}}.tar.gz - expected-sha256: 601236e727a91723b97656bd45ed7f0c6afdf166f27ebeec2187bad01eaad863 + expected-sha256: 607c9a8b771be2e2826f618f72c2215418332644210c999d708778a57ab5a5fa - runs: | # vim seems to manually set FORTIFY_SOURCE=1, and setting both breaks the build export CFLAGS=${CFLAGS/-Wp,-D_FORTIFY_SOURCE=3/} @@ -39,7 +39,41 @@ pipeline: --enable-gui=no \ --with-lua-prefix=/usr/lua5.3 \ --with-compiledby="Wolfi Linux" - - uses: autoconf/make - uses: autoconf/make-install - uses: strip + +advisories: + CVE-2023-1127: + - timestamp: 2023-03-09T19:43:53.391885-05:00 + status: under_investigation + - timestamp: 2023-03-09T19:45:56.751743-05:00 + status: fixed + fixed-version: 9.0.1378-r0 + CVE-2023-1175: + - timestamp: 2023-03-09T19:43:53.391892-05:00 + status: under_investigation + - timestamp: 2023-03-09T19:46:07.647689-05:00 + status: fixed + fixed-version: 9.0.1378-r0 + CVE-2023-1264: + - timestamp: 2023-03-15T13:55:12.275145-04:00 + status: under_investigation + - timestamp: 2023-03-15T14:57:52.866296-04:00 + status: fixed + fixed-version: 9.0.1392-r0 + CVE-2023-1355: + - timestamp: 2023-03-16T13:28:26.138811-04:00 + status: under_investigation + - timestamp: 2023-03-16T20:13:44.177605-04:00 + status: fixed + fixed-version: 9.0.1402-r0 + +secfixes: + 9.0.1378-r0: + - CVE-2023-1127 + - CVE-2023-1175 + 9.0.1392-r0: + - CVE-2023-1264 + 9.0.1402-r0: + - CVE-2023-1355 diff --git a/wasmtime.yaml b/wasmtime.yaml index 83f193a2d54..f52a9f5580c 100644 --- a/wasmtime.yaml +++ b/wasmtime.yaml @@ -1,10 +1,11 @@ package: name: wasmtime - version: 6.0.0 + version: 6.0.1 epoch: 0 description: "A fast and secure runtime for WebAssembly" copyright: - license: Apache-2.0 + environment: contents: packages: 
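Review bot: In the second vim.yaml hunk the `- uses: autoconf/make` step is removed while `autoconf/make-install` stays, so compilation now happens implicitly inside the install step, and nothing in the commit explains the change. If this is intentional, a comment such as `# no separate make step: make-install builds the tree as part of install` above the `make-install` line would keep the next maintainer from re-adding it; if it was dropped by accident, restore it. The `runs:` block holding the configure flags begins outside the hunk.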
@@ -14,11 +15,12 @@ environment: - busybox - ca-certificates-bundle - build-base + pipeline: - uses: fetch with: - uri: https://github.com/bytecodealliance/wasmtime/releases/download/v6.0.0/wasmtime-v6.0.0-src.tar.gz - expected-sha256: 61dbb4f2b26391dbc7fa873c85697260db880b8a7891a700e5f26971bd030b5d + uri: https://github.com/bytecodealliance/wasmtime/releases/download/v${{package.version}}/wasmtime-v${{package.version}}-src.tar.gz + expected-sha256: 38e606e34ea6384ea9d72e7ab077cdc2093e9abf83bccd0c3781526e90339e4e - name: Configure and build runs: | cargo build --release -vv @@ -26,6 +28,7 @@ pipeline: mkdir -p ${{targets.destdir}}/usr/bin/ mv target/release/wasmtime ${{targets.destdir}}/usr/bin/ - uses: strip + subpackages: - name: "libwasmtime" description: "c library for wasmtime" @@ -34,3 +37,22 @@ subpackages: mkdir -p ${{targets.subpkgdir}}/usr/lib/ mv target/release/libwasmtime.* ${{targets.subpkgdir}}/usr/lib/ - uses: strip + +advisories: + CVE-2023-26489: + - timestamp: 2023-03-16T13:28:26.139607-04:00 + status: under_investigation + - timestamp: 2023-03-16T20:27:54.656845-04:00 + status: fixed + fixed-version: 6.0.1-r0 + CVE-2023-27477: + - timestamp: 2023-03-16T13:28:26.1396-04:00 + status: under_investigation + - timestamp: 2023-03-16T20:28:06.768799-04:00 + status: fixed + fixed-version: 6.0.1-r0 + +secfixes: + 6.0.1-r0: + - CVE-2023-26489 + - CVE-2023-27477 diff --git a/withdrawn-packages.txt b/withdrawn-packages.txt index 8f9ed9df547..7ae15c9e8bf 100644 --- a/withdrawn-packages.txt +++ b/withdrawn-packages.txt @@ -40,3 +40,5 @@ python-3.11-dev-3.11.1_alpha5-r1.apk python-3.11-dev-3.11.1_alpha5-r0.apk python-3.12-3.12.0_alpha5-r0.apk python-3.12-3.12.0_alpha5-r1.apk +ruby3.2-fluentd-1.15.3-r0.apk +ruby3.2-fluentd-1.15.3-r1.apk diff --git a/yq.yaml b/yq.yaml index 07d255af54e..5ca3d0ae483 100644 --- a/yq.yaml +++ b/yq.yaml 
@@ -1,7 +1,7 @@ package: name: yq version: 4.30.8 - epoch: 0 + epoch: 1 description: "yq is a portable command-line YAML, JSON, XML, CSV and properties processor" copyright: - license: Apache License 2.0
diff --git a/zookeeper.yaml b/zookeeper.yaml
new file mode 100644
index 00000000000..8b43c18f943
--- /dev/null
+++ b/zookeeper.yaml
@@ -0,0 +1,50 @@
+package:
+ name: zookeeper
+ version: "3.8.1"
+ epoch: 0
+ description:
+ target-architecture:
+ - all
+ copyright:
+ - paths:
+ - "*"
+ attestation:
+ license: Apache-2.0
+ dependencies:
+ runtime:
+ - bash # some helper scripts use bash
+ - openjdk-17-jre
+environment:
+ contents:
+ packages:
+ - busybox
+ - ca-certificates-bundle
+ - curl
+ - maven
+ - openjdk-17-jre
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/apache/zookeeper
+ tag: release-${{package.version}}
+ expected-commit: 74db005175a4ec545697012f9069cb9dcc8cdda7
+ - runs: |
+ export LANG=en_US.UTF-8
+ export JAVA_HOME=/usr/lib/jvm/openjdk-jre
+
+ mvn install -DskipTests
+ tar -xf zookeeper-assembly/target/apache-zookeeper-${{package.version}}-bin.tar.gz
+
+ mkdir -p ${{targets.destdir}}/usr/share/java/zookeeper
+ mkdir -p ${{targets.destdir}}/usr/share/java/zookeeper/bin
+ mkdir -p ${{targets.destdir}}/usr/share/java/zookeeper/lib
+ mkdir -p ${{targets.destdir}}/usr/share/java/zookeeper/conf
+
+ # Clean up windows files
+ rm -rf apache-zookeeper-${{package.version}}-bin/bin/*.cmd
+ mv apache-zookeeper-${{package.version}}-bin/lib/* ${{targets.destdir}}/usr/share/java/zookeeper/lib
+ mv apache-zookeeper-${{package.version}}-bin/bin/* ${{targets.destdir}}/usr/share/java/zookeeper/bin
+ mv apache-zookeeper-${{package.version}}-bin/conf/* ${{targets.destdir}}/usr/share/java/zookeeper/conf
+
+ # Setup a sample conf
+ cp ${{targets.destdir}}/usr/share/java/zookeeper/conf/zoo_sample.cfg ${{targets.destdir}}/usr/share/java/zookeeper/conf/zoo.cfg
diff --git a/zot.yaml b/zot.yaml
index e5e5c24aafc..38278760e9e 100644
--- a/zot.yaml
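Review bot: `description:` and `attestation:` are left empty in the new zookeeper.yaml package stanza; the other new packages on this page at least fill `description` and mark `attestation: TODO`, and an empty value reads as a finished review rather than an open item. `mvn install -DskipTests` downloads every plugin and dependency from remote repositories at build time with nothing pinned beyond what the checkout's pom declares, and the `expected-commit` on `git-checkout` covers only the source tree, so a comment above it such as `# build-time dependency resolution is network-bound; only the checkout is pinned` would make that explicit. `cp .../zoo_sample.cfg .../zoo.cfg` turns the upstream sample into the live configuration under /usr/share/java/zookeeper/conf; if the helper scripts are expected to read it from there, a comment stating the intended config location (and that it is the unmodified sample) would help operators know what they are running.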
+++ b/zot.yaml 
@@ -1,42 +1,34 @@ -package: - name: zot - version: 1.4.3 - epoch: 0 - description: A production-ready vendor-neutral OCI-native container image registry (purely based on OCI Distribution Specification) - copyright: - - license: Apache-2.0 - dependencies: - runtime: - - ca-certificates-bundle -environment: - contents: - packages: - - ca-certificates-bundle - - busybox - - go - - curl -pipeline: - - uses: git-checkout - with: - repository: https://github.com/project-zot/zot - tag: v${{package.version}} - destination: zot - expected-commit: 69f0cf6bb4727884af42f38c92858fdb114104de - - assertions: - required-steps: 1 - pipeline: - - if: ${{build.arch}} == 'x86_64' - runs: | - cd zot - make OS=linux ARCH=amd64 binary - make OS=linux ARCH=amd64 cli - install -m755 -D ./bin/zli-linux-amd64 "${{targets.destdir}}"/usr/bin/zli - install -m755 -D ./bin/zot-linux-amd64 "${{targets.destdir}}"/usr/bin/zot - - if: ${{build.arch}} == 'aarch64' - runs: | - cd zot - make OS=linux ARCH=arm64 binary - make OS=linux ARCH=arm64 cli - install -m755 -D ./bin/zli-linux-arm64 "${{targets.destdir}}"/usr/bin/zli - install -m755 -D ./bin/zot-linux-arm64 "${{targets.destdir}}"/usr/bin/zot - - uses: strip +package: + name: zot + version: 1.4.3 + epoch: 2 + description: A production-ready vendor-neutral OCI-native container image registry (purely based on OCI Distribution Specification) + copyright: + - license: Apache-2.0 + dependencies: + runtime: + - ca-certificates-bundle +environment: + contents: + packages: + - ca-certificates-bundle + - busybox + - go + - curl +pipeline: + - uses: git-checkout + with: + repository: https://github.com/project-zot/zot + tag: v${{package.version}} + destination: zot + expected-commit: 69f0cf6bb4727884af42f38c92858fdb114104de + - runs: | + cd zot + GOARCH=$(go env GOARCH) + + make OS=linux ARCH=${GOARCH} binary + install -m755 -D ./bin/zot-linux-${GOARCH} "${{targets.destdir}}"/usr/bin/zot + + make OS=linux ARCH=${GOARCH} cli + install -m755 -D 
./bin/zli-linux-${GOARCH} "${{targets.destdir}}"/usr/bin/zli + - uses: strip
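Review bot: `GOARCH=$(go env GOARCH)` replaces the two explicit `x86_64`/`aarch64` branches and the `assertions: required-steps: 1` guard, so the mapping from melange's `build.arch` names to the Go names the upstream Makefile expects (`amd64`/`arm64`, as the removed lines show) is now implicit; a comment above the assignment such as `# the Makefile wants Go arch names (amd64/arm64), so take them from the toolchain rather than ${{build.arch}}` would explain it. The old guard also failed the build on an unhandled architecture, whereas the new step runs for any `GOARCH` and relies on upstream supporting it; worth a sentence in the commit description. `${GOARCH}` is unquoted in the `install` paths, which is harmless here since `go env` output contains no whitespace. The `install -m755 -D` line for `zli` appears split across two display lines on this page; the intended command is the single line `install -m755 -D ./bin/zli-linux-${GOARCH} "${{targets.destdir}}"/usr/bin/zli`.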