From aa502cc88fbe2c23316612105744b06e047e4bb1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 May 2021 09:55:22 -0400 Subject: [PATCH 01/11] build(deps): bump github.com/vbauerster/mpb/v6 from 6.0.3 to 6.0.4 (#48) Bumps [github.com/vbauerster/mpb/v6](https://github.com/vbauerster/mpb) from 6.0.3 to 6.0.4. - [Release notes](https://github.com/vbauerster/mpb/releases) - [Commits](https://github.com/vbauerster/mpb/compare/v6.0.3...v6.0.4) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 13 ++++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 3a63f76cc9..f5464f7b78 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/sylabs/sif v1.2.3 github.com/urfave/cli v1.22.5 // indirect github.com/vbauerster/mpb/v4 v4.12.2 - github.com/vbauerster/mpb/v6 v6.0.3 + github.com/vbauerster/mpb/v6 v6.0.4 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect github.com/yvasiyarov/gorelic v0.0.6 // indirect @@ -60,7 +60,7 @@ require ( golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e golang.org/x/net v0.0.0-20210510120150-4163338589ed // indirect golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect - golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744 + golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect google.golang.org/grpc v1.37.0 // indirect gopkg.in/yaml.v2 v2.4.0 diff --git a/go.sum b/go.sum index 546e11b622..4aaac68b5b 100644 --- a/go.sum +++ b/go.sum 
@@ -71,8 +71,9 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= -github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM= github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA= +github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= +github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= github.com/adigunhammedolalekan/registry-auth v0.0.0-20200730122110-8cde180a3a60 h1:1IG6ye8dellBRE2uqvG0EzQScRqjsH/n5xOw+n0OGec= 
@@ -551,8 +552,9 @@ github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOA github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.10 h1:CoZ3S2P7pvtP45xOtBw+/mDL2z0RKI576gSkzRRpdGg= github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= +github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxmAOow= +github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.11 h1:vCoR9VPpsk/TZFW2JwK5I9S0xdrtUq2bph6/YjEPnaw= github.com/mattn/go-shellwords v1.0.11/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= 
@@ -830,8 +832,9 @@ github.com/vbatts/go-mtree v0.5.0/go.mod h1:7JbaNHyBMng+RP8C3Q4E+4Ca8JnGQA2R/MB+ github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= github.com/vbauerster/mpb/v4 v4.12.2 h1:TsBs1nWRYF0m8cUH13pxNhOUqY6yKcOr2PeSYxp2L3I= github.com/vbauerster/mpb/v4 v4.12.2/go.mod h1:LVRGvMch8T4HQO3eg2pFPsACH9kO/O6fT/7vhGje3QE= -github.com/vbauerster/mpb/v6 v6.0.3 h1:j+twHHhSUe8aXWaT/27E98G5cSBeqEuJSVCMjmLg0PI= github.com/vbauerster/mpb/v6 v6.0.3/go.mod h1:5luBx4rDLWxpA4t6I5sdeeQuZhqDxc+wr5Nqf35+tnM= +github.com/vbauerster/mpb/v6 v6.0.4 h1:h6J5zM/2wimP5Hj00unQuV8qbo5EPcj6wbkCqgj7KcY= +github.com/vbauerster/mpb/v6 v6.0.4/go.mod h1:a/+JT57gqh6Du0Ay5jSR+uBMfXGdlR7VQlGP52fJxLM= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852 h1:cPXZWzzG0NllBLdjWoD1nDfaqu98YMv+OneaKc8sPOA= 
@@ -1039,8 +1042,8 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744 h1:yhBbb4IRs2HS9PPlAg6DMC6mUOKexJBNsLf4Z+6En1Q= -golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20191110171634-ad39bd3f0407/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= From a9efa882b3bb9f1f99e77f99a43f30f07ac3728e Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Fri, 21 May 2021 14:02:54 -0500 Subject: [PATCH 02/11] fix: respect current remote for actions against library:// URIs Actions (run/shell/exec) against library:// URIs were incorrectly using the default cloud.sylabs.io library, rather than the currently configured remote. The getLibraryClient function takes an empty string as the uri argument when the currently configured remote should be used. GHSA-5mv9-q7fq-9394 --- cmd/internal/cli/actions.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cmd/internal/cli/actions.go b/cmd/internal/cli/actions.go index 14c04a320b..43ae2fd291 100644 --- a/cmd/internal/cli/actions.go +++ b/cmd/internal/cli/actions.go 
@@ -21,7 +21,6 @@ import ( "github.com/sylabs/singularity/internal/pkg/client/oci" "github.com/sylabs/singularity/internal/pkg/client/oras" "github.com/sylabs/singularity/internal/pkg/client/shub" - "github.com/sylabs/singularity/internal/pkg/remote/endpoint" "github.com/sylabs/singularity/internal/pkg/util/uri" "github.com/sylabs/singularity/pkg/sylog" ) @@ -80,11 +79,10 @@ func handleLibrary(ctx context.Context, imgCache *cache.Handle, pullFrom string) return "", err } + // Default "" = use current remote endpoint var libraryURI string if r.Host != "" { libraryURI = "https://" + r.Host - } else { - libraryURI = endpoint.SCSDefaultLibraryURI } c, err := getLibraryClientConfig(libraryURI) From 301af4b8f7989fa8698dfca2c3ee9c8ff08f8f39 Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Fri, 21 May 2021 14:28:31 -0500 Subject: [PATCH 03/11] e2e: if an invalid remote is set ensure library:// actions fail GHSA-5mv9-q7fq-9394 --- e2e/actions/actions.go | 3 ++ e2e/actions/regressions.go | 66 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) diff --git a/e2e/actions/actions.go b/e2e/actions/actions.go index 037ceac81d..8a036a50f5 100644 --- a/e2e/actions/actions.go +++ b/e2e/actions/actions.go @@ -2198,6 +2198,8 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests { env: env, } + np := testhelper.NoParallel + return testhelper.Tests{ "action URI": c.RunFromURI, // action_URI "exec": c.actionExec, // singularity exec @@ -2230,5 +2232,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests { "bind image": c.bindImage, // test bind image "umask": c.actionUmask, // test umask propagation "no-mount": c.actionNoMount, // test --no-mount + "invalidRemote": np(c.invalidRemote), // GHSA-5mv9-q7fq-9394 } } diff --git a/e2e/actions/regressions.go b/e2e/actions/regressions.go index 79d3a7ce5b..de65e861e3 100644 --- a/e2e/actions/regressions.go +++ b/e2e/actions/regressions.go 
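Review bot: The new comment above `var libraryURI string` in handleLibrary does not say why the empty value must be kept, and that empty value is the whole fix for GHSA-5mv9-q7fq-9394. I would expand it to `// Leave libraryURI empty unless the reference names a host; getLibraryClientConfig then uses the currently configured remote.` followed by `// Never fall back to a hard-coded default library here (GHSA-5mv9-q7fq-9394).`, so a later cleanup does not bring the `else` branch back. The fix relies on getLibraryClientConfig treating "" as "current remote"; that function is outside the hunk (the commit message calls it getLibraryClient), so the contract is worth stating on its doc comment too. handleLibrary's body starts and ends outside the hunk.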
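Review bot: The `"invalidRemote": np(c.invalidRemote)` entry in E2ETests carries only the advisory ID as its comment, so the reason for wrapping it in `testhelper.NoParallel` is not recorded. Judging by the test body, it switches the active remote for the user profile with `remote use`, which would presumably affect any `library://` test running at the same time. A trailing comment such as `// GHSA-5mv9-q7fq-9394; changes the active remote, must not run in parallel` would keep someone from dropping the wrapper later. E2ETests starts outside the hunk.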
@@ -616,3 +616,69 @@ func (c actionTests) issue5690(t *testing.T) { e2e.ExpectExit(0), ) } + +// If an invalid remote is set, we should not pull a container from the default +// library. +// GHSA-5mv9-q7fq-9394 +func (c actionTests) invalidRemote(t *testing.T) { + testEndpoint := "invalid" + testEndpointURI := "https://cloud.example.com" + testImage := "library://alpine" + + // Exec library image from the default remote... ensure it succeeds + argv := []string{testImage, "/bin/true"} + c.env.RunSingularity( + t, + e2e.AsSubtest("exec default"), + e2e.WithProfile(e2e.UserProfile), + e2e.WithCommand("exec"), + e2e.WithArgs(argv...), + e2e.ExpectExit(0), + ) + + // Add another endpoint + argv = []string{"add", "--no-login", testEndpoint, testEndpointURI} + c.env.RunSingularity( + t, + e2e.AsSubtest("remote add"), + e2e.WithProfile(e2e.UserProfile), + e2e.WithCommand("remote"), + e2e.WithArgs(argv...), + e2e.ExpectExit(0), + ) + // Remove test remote when we are done here + defer func(t *testing.T) { + argv := []string{"remove", testEndpoint} + c.env.RunSingularity( + t, + e2e.AsSubtest("remote remove"), + e2e.WithProfile(e2e.UserProfile), + e2e.WithCommand("remote"), + e2e.WithArgs(argv...), + e2e.ExpectExit(0), + ) + }(t) + + // Set as default + argv = []string{"use", testEndpoint} + c.env.RunSingularity( + t, + e2e.AsSubtest("remote use"), + e2e.WithProfile(e2e.UserProfile), + e2e.WithCommand("remote"), + e2e.WithArgs(argv...), + e2e.ExpectExit(0), + ) + + // Exec library image from the invalid remote, should fail + argv = []string{testImage, "/bin/true"} + c.env.RunSingularity( + t, + e2e.AsSubtest("exec invalid"), + e2e.WithProfile(e2e.UserProfile), + e2e.WithCommand("exec"), + e2e.WithArgs(argv...), + e2e.ExpectExit(255), + ) + +} From f82d79203b01d1c0a67ed557ca39a30eb4dad611 Mon Sep 17 00:00:00 2001 
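Review bot: The last step of invalidRemote (`exec invalid`) asserts only `e2e.ExpectExit(255)`, so any failure of `singularity exec` satisfies it, not just a refusal caused by using the configured remote. As this is the regression test for GHSA-5mv9-q7fq-9394, I would also match the error output, e.g. `e2e.ExpectExit(255, e2e.ExpectError(e2e.ContainMatch, "<expected error text>"))`, with a pattern that identifies the configured endpoint if the error message includes it. The earlier `exec default` step probably leaves `library://alpine` in the image cache, so a comment saying the final step must fail even when a cached copy exists would make that intent explicit. The deferred `remote remove` relies on that command to leave a usable default remote behind for later tests, which cannot be confirmed from this hunk.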
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 May 2021 21:57:34 -0400 Subject: [PATCH 04/11] build(deps): bump github.com/containerd/containerd from 1.5.1 to 1.5.2 (#50) Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.1 to 1.5.2. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/master/RELEASES.md) - [Commits](https://github.com/containerd/containerd/compare/v1.5.1...v1.5.2) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f5464f7b78..79abc53035 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/bugsnag/bugsnag-go v1.5.1 // indirect github.com/bugsnag/panicwrap v1.2.0 // indirect github.com/containerd/cgroups v1.0.1 - github.com/containerd/containerd v1.5.1 + github.com/containerd/containerd v1.5.2 github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/image/v5 v5.12.0 diff --git a/go.sum b/go.sum index 4aaac68b5b..f89939e575 100644 --- a/go.sum +++ b/go.sum 
@@ -180,8 +180,8 @@ github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.0-rc.3/go.mod h1:kYiJ+LvywDUKzyax6+UKCk5xwQNCfcGR6KsSdShdg5U= -github.com/containerd/containerd v1.5.1 h1:xWHPAoe6VkUiI9GAvndJM7s/0MTrmwX3AQiYTr3olf0= -github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= +github.com/containerd/containerd v1.5.2 h1:MG/Bg1pbmMb61j3wHCFWPxESXHieiKr2xG64px/k8zQ= +github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= From a796e5444e5bd55123724a128c3c908efad581c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 May 2021 10:50:24 -0400 Subject: [PATCH 05/11] build(deps): bump github.com/fatih/color from 1.11.0 to 1.12.0 (#54) Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.11.0 to 1.12.0. - [Release notes](https://github.com/fatih/color/releases) - [Commits](https://github.com/fatih/color/compare/v1.11.0...v1.12.0) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 79abc53035..26d101a537 100644 --- a/go.mod +++ b/go.mod 
@@ -18,7 +18,7 @@ require ( github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/image/v5 v5.12.0 - github.com/fatih/color v1.11.0 + github.com/fatih/color v1.12.0 github.com/garyburd/redigo v1.6.0 // indirect github.com/go-log/log v0.2.0 github.com/godbus/dbus v4.1.0+incompatible // indirect diff --git a/go.sum b/go.sum index f89939e575..520773a85c 100644 --- a/go.sum +++ b/go.sum @@ -319,8 +319,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fatih/color v1.11.0 h1:l4iX0RqNnx/pU7rY2DB/I+znuYY0K3x6Ywac6EIr0PA= -github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc= +github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= From 11eb21da61499289e97263068930f4a77584194b Mon Sep 17 00:00:00 2001 From: Adam Hughes Date: Fri, 21 May 2021 15:34:25 +0000 Subject: [PATCH 06/11] refactor(ci): rename check-stretch -> check-debian --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e465bb070b..7cae03be18 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -119,7 +119,7 @@ jobs: name: Check Module Tidiness command: git diff --exit-code -- go.mod go.sum - check-stretch: + check-debian: executor: name: golang variant: stretch @@ -226,7 +226,7 @@ workflows: build_and_test: jobs: - check-go-mod - - check-stretch + - check-debian - check-alpine - check-darwin - short-unit-tests From e2f2c3839e93a8850ec2da247f13f80f8a489109 Mon Sep 17 00:00:00 2001 From: Adam Hughes Date: Fri, 21 May 2021 15:39:51 +0000 Subject: [PATCH 07/11] chore(ci): update Debian release to buster --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7cae03be18..b46da26ff9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -122,7 +122,7 @@ jobs: check-debian: executor: name: golang - variant: stretch + variant: buster steps: - checkout - install-deps-apt: From e8bbf5b44437d7cb8189c8b694a961f86a231cff Mon Sep 17 00:00:00 2001 From: Adam Hughes Date: Fri, 21 May 2021 15:44:27 +0000 Subject: [PATCH 08/11] chore(ci): bump Xcode to 12.4.0 --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b46da26ff9..8e9354bd58 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -23,7 +23,7 @@ executors: password: $CIRCLE_CI_DOCKER_PASSWORD macos-machine: macos: - xcode: "10.2.0" + xcode: 12.4.0 ubuntu-machine: working_directory: ~/go/singularity machine: From 03de8821135ab4a0a78e06b1ebbb62446312a5a7 Mon Sep 17 00:00:00 2001 From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> Date: Tue, 25 May 2021 19:24:47 -0500 Subject: [PATCH 09/11] 3.7.4 CHANGELOG updates --- CHANGELOG.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f63ff61cb5..71ab2006b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -54,11 +54,26 @@ of `make test` for ease of use: ---- -## v3.7.3 - [2021-04-06] +## v3.7.4 - [2021-05-26] + +**Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** -**Singularity 3.7.3 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** +The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.4 and is provided for convenience to users arriving from outdated links. + +### Security Related Fixes -The 3.7.3 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.3 and is provided for convenience to users arriving from outdated links. + - [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3): + Due to incorrect use of a default URL, singularity action commands + (run/shell/exec) specifying a container using a library:// URI will + always attempt to retrieve the container from the default remote + endpoint (cloud.sylabs.io) rather than the configured remote + endpoint. An attacker may be able to push a malicious container to + the default remote endpoint with a URI that is identical to the URI + used by a victim with a non-default remote endpoint, thus executing + the malicious container. + + +## v3.7.3 - [2021-04-06] ### Security Related Fixes From 615e18f85c95b35dd149d6e94c466dc2fb8fe84f Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Wed, 26 May 2021 12:57:34 -0500 Subject: [PATCH 10/11] CE 3.8.0 changelog entries --- CHANGELOG.md | 6 +++--- INSTALL.md | 9 ++------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71ab2006b3..1c83079682 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,8 @@ # SingularityCE Changelog -## v3.8.0-rc.1 [2021-05-11] +## v3.8.0 [2021-05-26] -This is the first release candidate for SingularityCE 3.8.0, the Community +This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. @@ -62,7 +62,7 @@ The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/ ### Security Related Fixes - - [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3): + - [CVE-2021-32635](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394): Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote diff --git a/INSTALL.md b/INSTALL.md index 7916960766..2fe8a0c17a 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -1,10 +1,5 @@ # Installing SingularityCE -**NOTE:** *This installation guide has been updated for the release candidate of -SingularityCE 3.8.0. The `3.8.0-rc1` version that will be installed is a -pre-release of SingularityCE. To install the latest stable version, -substitute the version `3.7.3` in the instructions below. See the `release-3.7` branch for the current stable codebase.* - Since you are reading this from the SingularityCE source code, it will be assumed that you are building/compiling from source. @@ -87,7 +82,7 @@ $ mkdir -p ${GOPATH}/src/github.com/sylabs && \ To build a specific version of SingularityCE, check out a [release tag](https://github.com/sylabs/singularity/tags) before compiling: ``` -$ git checkout v3.8.0-rc.1 +$ git checkout v3.8.0 ``` ## Compiling SingularityCE 
@@ -130,7 +125,7 @@ as shown above. Then download the latest and use it to install the RPM like this: ``` -$ export VERSION=3.8.0-rc.1 # this is the singularity version, change as you need +$ export VERSION=3.8.0 # this is the singularity version, change as you need $ wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz && \ rpmbuild -tb singularity-ce-${VERSION}.tar.gz && \ From d25eaa7b4d94ebfcf2ee1a183174418310100d45 Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Wed, 26 May 2021 13:11:59 -0500 Subject: [PATCH 11/11] Fix final release tag push in RELEASE_PROCEDURE.md --- .github/RELEASE_PROCEDURE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/RELEASE_PROCEDURE.md b/.github/RELEASE_PROCEDURE.md index 28f18e1593..f564765255 100644 --- a/.github/RELEASE_PROCEDURE.md +++ b/.github/RELEASE_PROCEDURE.md @@ -71,7 +71,7 @@ bug(s), and well covered by tests. 4. Modify the `README.md`, `INSTALL.md`, `CHANGELOG.md` via PR against the release branch, so that they reflect the version to be released. 5. Apply an annotated tag via `git tag -a -m "SingularityCE v3.8.0" v3.8.0`. -6. Push the tag via `git push upstream v3.8.0-rc.1`. +6. Push the tag via `git push upstream v3.8.0`. 7. Create a tarball via `mconfig -v && make dist`. 8. Test intallation from the tarball. 9. Compute the sha256sum of the tarball e.g. `sha256sum *.tar.gz > sha256sums`.