From 03de8821135ab4a0a78e06b1ebbb62446312a5a7 Mon Sep 17 00:00:00 2001 From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> Date: Tue, 25 May 2021 19:24:47 -0500 Subject: [PATCH 1/3] 3.7.4 CHANGELOG updates --- CHANGELOG.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f63ff61cb5..71ab2006b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,11 +54,26 @@ of `make test` for ease of use: ---- -## v3.7.3 - [2021-04-06] +## v3.7.4 - [2021-05-26] + +**Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** -**Singularity 3.7.3 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** +The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.4 and is provided for convenience to users arriving from outdated links. + +### Security Related Fixes -The 3.7.3 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.3 and is provided for convenience to users arriving from outdated links. + - [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3): + Due to incorrect use of a default URL, singularity action commands + (run/shell/exec) specifying a container using a library:// URI will + always attempt to retrieve the container from the default remote + endpoint (cloud.sylabs.io) rather than the configured remote + endpoint. An attacker may be able to push a malicious container to + the default remote endpoint with a URI that is identical to the URI + used by a victim with a non-default remote endpoint, thus executing + the malicious container. + + +## v3.7.3 - [2021-04-06] ### Security Related Fixes From 615e18f85c95b35dd149d6e94c466dc2fb8fe84f Mon Sep 17 00:00:00 2001 
From: David Trudgian Date: Wed, 26 May 2021 12:57:34 -0500 Subject: [PATCH 2/3] CE 3.8.0 changelog entries --- CHANGELOG.md | 6 +++--- INSTALL.md | 9 ++------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71ab2006b3..1c83079682 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # SingularityCE Changelog -## v3.8.0-rc.1 [2021-05-11] +## v3.8.0 [2021-05-26] -This is the first release candidate for SingularityCE 3.8.0, the Community +This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. @@ -62,7 +62,7 @@ The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/ ### Security Related Fixes - - [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3): + - [CVE-2021-32635](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394): Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote diff --git a/INSTALL.md b/INSTALL.md index 7916960766..2fe8a0c17a 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -1,10 +1,5 @@ # Installing SingularityCE -**NOTE:** *This installation guide has been updated for the release candidate of -SingularityCE 3.8.0. The `3.8.0-rc1` version that will be installed is a -pre-release of SingularityCE. To install the latest stable version, -substitute the version `3.7.3` in the instructions below. See the `release-3.7` branch for the current stable codebase.* - Since you are reading this from the SingularityCE source code, it will be assumed that you are building/compiling from source. 
@@ -87,7 +82,7 @@ $ mkdir -p ${GOPATH}/src/github.com/sylabs && \ To build a specific version of SingularityCE, check out a [release tag](https://github.com/sylabs/singularity/tags) before compiling: ``` -$ git checkout v3.8.0-rc.1 +$ git checkout v3.8.0 ``` ## Compiling SingularityCE @@ -130,7 +125,7 @@ as shown above. Then download the latest and use it to install the RPM like this: ``` -$ export VERSION=3.8.0-rc.1 # this is the singularity version, change as you need +$ export VERSION=3.8.0 # this is the singularity version, change as you need $ wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz && \ rpmbuild -tb singularity-ce-${VERSION}.tar.gz && \ From d25eaa7b4d94ebfcf2ee1a183174418310100d45 Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Wed, 26 May 2021 13:11:59 -0500 Subject: [PATCH 3/3] Fix final release tag push in RELEASE_PROCEDURE.md --- .github/RELEASE_PROCEDURE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/RELEASE_PROCEDURE.md b/.github/RELEASE_PROCEDURE.md index 28f18e1593..f564765255 100644 --- a/.github/RELEASE_PROCEDURE.md +++ b/.github/RELEASE_PROCEDURE.md @@ -71,7 +71,7 @@ bug(s), and well covered by tests. 4. Modify the `README.md`, `INSTALL.md`, `CHANGELOG.md` via PR against the release branch, so that they reflect the version to be released. 5. Apply an annotated tag via `git tag -a -m "SingularityCE v3.8.0" v3.8.0`. -6. Push the tag via `git push upstream v3.8.0-rc.1`. +6. Push the tag via `git push upstream v3.8.0`. 7. Create a tarball via `mconfig -v && make dist`. 8. Test intallation from the tarball. 9. Compute the sha256sum of the tarball e.g. `sha256sum *.tar.gz > sha256sums`.
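Review bot: In the CHANGELOG.md hunk of [PATCH 1/3], the CVE-2021-32635 entry added under `## v3.7.4 - [2021-05-26]` describes the wrong-endpoint behaviour but never tells the reader what to do about it. Close the entry with a sentence stating explicitly that this release corrects the endpoint used for `library://` URIs in run/shell/exec, and that sites with a non-default remote endpoint should upgrade. The hunk also adds two blank lines before `## v3.7.3 - [2021-04-06]` where the rest of the file uses one.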
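Review bot: In the first CHANGELOG.md hunk of [PATCH 2/3], the new heading `## v3.8.0 [2021-05-26]` drops the ` - ` separator that the neighbouring headings use (`## v3.7.4 - [2021-05-26]`, `## v3.7.3 - [2021-04-06]`). The rc.1 heading it replaces already had this inconsistency, so this is a good point to fix it. The reworded sentence "This is the first release of SingularityCE 3.8.0" also reads as though further releases of 3.8.0 will follow. If the intent is that 3.8.0 is the first SingularityCE release, say that directly.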
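Review bot: After the second CHANGELOG.md hunk of [PATCH 2/3], CVE-2021-32635 is still documented only under `## v3.7.4`, and nothing in the v3.8.0 lines visible in this series says whether 3.8.0 carries the same fix. Users moving from `v3.8.0-rc.1` will read the v3.8.0 section, so if the fix is included, add a Security Related Fixes entry there or a sentence pointing at the 3.7.4 entry. The hunk also leaves the section with a release link to hpcng/singularity next to an advisory link to sylabs/singularity (GHSA-5mv9-q7fq-9394). If that mix is intended, a short note on which advisory applies to which distribution would help. Since the line was introduced in 1/3, consider squashing the URL change into that commit.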
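Review bot: In the last INSTALL.md hunk of [PATCH 2/3] (`export VERSION=3.8.0`), the unchanged context lines chain `wget ... singularity-ce-${VERSION}.tar.gz && \ rpmbuild -tb singularity-ce-${VERSION}.tar.gz` with no integrity check in between. Step 9 of RELEASE_PROCEDURE.md already computes `sha256sums` for the tarball, so now that these instructions point at a final release, add a step that compares the downloaded tarball's SHA-256 against that value before `rpmbuild` runs, and say where the reader finds the published checksum.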
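Review bot: In [PATCH 3/3], step 6 now matches step 5, but both steps still hard-code the version (`git tag -a -m "SingularityCE v3.8.0" v3.8.0`, `git push upstream v3.8.0`), which is how the stale `v3.8.0-rc.1` ended up in the push command. Use a placeholder such as `vX.Y.Z` in both steps so the procedure does not need editing per release and a copied command cannot push the wrong tag. While touching this block, the context line for step 8 has the typo "intallation".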