Update the GitHub codeowners file to automatically add tooling codeowners as reviewers to the toolkit code. Retain general dev reviewers for docs, imageconfigs, and package manifests.
Signed-off-by: Chris Co <chrco@microsoft.com>
Update the GitHub codeowners file to automatically add the cbl-mariner-kata-containers team as reviewers for kata-containers and confidential containers packages.
Signed-off-by: Chris Co <chrco@microsoft.com>
Set `CONFIG_FILE=""` as the new default instead of `CONFIG_FILE="./imageconfigs/core-efi.json"`.
For teams that use the Mariner toolkit to build custom packages or images using the Mariner toolkit:
- Previously the toolkit would default to the core-efi.json image definition for all invocations.
- This would result in building all packages required for that image definition when calling `make build-packages` in the core repo
- This would mean that `make image` would succeed without explicitly setting a desired image config
- In future versions of the toolkit, `CONFIG_FILE` will default to `""`
- Package builds will no longer include extraneous packages that may be unneeded
- Image builds will return an error if a config is not explicitly selected
Considerations:
- Packages like the kernel will no longer build during normal package builds unless requested. Set desired packages via `PACKAGE_BUILD_LIST="pkg1 pkg2 …"`
- `make image` will no longer succeed without `CONFIG_FILE="/path/to/config.json"` being set explicitly
Bump actions/checkout v3 (Node 16) to v4 (Node 20) as
Node 16 reaches EoL on September 11 2023.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* codeowners: Add maintainers for openssl engines
Symcrypt and KeysInUse are OpenSSL engines, so changes to these should
be reviewed by our openssl maintainers groups.
Signed-off-by: Chris Co <chrco@microsoft.com>
* codeowners: Add missing wildcard
Signed-off-by: Chris Co <chrco@microsoft.com>
---------
Signed-off-by: Chris Co <chrco@microsoft.com>
* adding pip requirements file and a readme to toolchain python scripts
* updating requirements file with missed deps and updating readme file
* updating github pipelines to use requirements file to install python dependencies
* Delete README.md
Moved readme file into a wiki page
* reverted tokyocabinet url change
* upgraded tidy to 5.8.0 and deleted ming
* updating licenses to remove ming; updating cgmanifest and tidy.signatures
* fixing cgmanifest stuff
* adding cbl-mariner import to changelog
* switching branches
* verbose comments
* adding a space for a new commit
* does a 2 second timeout fix things
* Only build bond against x86_64 architecture (#1800) (#1801)
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
* fix bond build break for ARM64 on main branch
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
* [main extended] Enable libguestfs (#1970)
* Remove libreport support from mdadm
* Conditionally pull in perl-Sys-Virt test deps
* Fix dependency resolution for ocaml-ctypes
* Upgrade to latest ocaml-gettext
* Fix ocaml-ounit build
* Upgrade ocaml-base to latest
* Upgrade ocaml-migrate-parsetree to latest
* Upgrade ocaml-stdio to 0.15.0
* Upgrade ocaml-parsexp to 0.15.0
* Upgrade ocaml-ppxlib to 0.24.0
* Upgrade ocaml-sexplib to 0.15.0
* Upgrade ocaml-sexplib0 to 0.15.0
* Upgrade supermin to 5.2.1
* Fixup libguestfs patches and configuration
* [main extended] Fix dnf-plugins-core, ocaml-findlib builds (#1950)
* [main] Removing in-spec sources verification using `libguestfs.keyring`. (#1971)
* kernel: Update Mariner cert in kernel keyring (#1979)
* kernel: Update mariner cert in kernel keyring
* kernel-hyperv: Update mariner cert in kernel keyring
* kernel-headers: Bump to match kernel release number
* kernel-signed: Bump to match kernel release
Signed-off-by: Chris Co <chrco@microsoft.com>
* lttng-consume: disable tests to fix build break (#1980)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Revert "Upgrading Parted to v3.4" (#1966)
* Revert "Upgrading Parted to v3.4 (#1898)"
This reverts commit 24382cfa6e.
* verifying license to unblock upgrade revert pr
* Temporary: Add python3-distro to azurevm-packages packagelist (#2016)
* Upgrade libmemcached, memcached and promote to core specs (#1981)
* kernel-signed: workaround errant .build-id file (#2032)
After the upgrade to RPM 4.17, when building on ARM64 only, we are
observing an unexpected /usr/lib/debug/.build-id/xx/yyyy.debug
file being packaged into the kernel.rpm package. This errant file is causing
build errors when repackaging in the kernel-signed build phase.
This patch works around the build issue by specifically excluding the
/usr/lib/debug/.build-id folder when building for ARM64. More investigation
underway to identify why this unexpected /usr/lib/debug/.build-id/xx/yyyy.debug
file is being included.
Signed-off-by: Chris Co <chrco@microsoft.com>
* Fix grubby build with newer versions of RPM (#2036)
* Update libgit2 to latest upstream version 1.1.0 (#2021)
Signed-off-by: Kate Goldenring <kagold@microsoft.com>
* Fix build break (signature) for libgit2
* Fix TDNF download of packages during libguestfs build
* Replace perl(Locale::TextDomain) BR in libguestfs with actual package
* [main] Fixing tooling issues during package candidates resolution. (#2091)
* Fix dependency constraints, UUID parsing in libguestfs (#2113)
* Bring over libguestfs changes from 2.0
* Fix selinux-policy, file bugs in libguestfs
* kernel: Update input aarch64 config file (#2358)
ARM64 kernel package builds are failing due to a config diff missing
between the expected config and the actual config file.
Add missing CONFIG_USBIP_VUDC line
Signed-off-by: Chris Co <chrco@microsoft.com>
* Revert "[main] Update envoy to v1.21.0 (#2330)"
This reverts commit 5c0c47a867.
* toolkit only - use local /run folder in chroot instead of mounted tmpfs (#2435)
* toolkit - use local /run folder in chroot instead of mounted tmpfs
* address PR comments
* address PR comments
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* [main] iperf3: Update to 3.11 (#2512)
* Update iperf3 to 3.11
* toolchain: Remove alsa-lib (#2543)
* Fix post-install script args in imageconfig being ignored (#2414)
* Upgrade nodejs to 16.14.0 (#2485)
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* [main] upgrading libarchive to v3.6.0 (#2515)
* upgrading libarchive to v3.6.0
* removing patch file
* adding missing URL
* fixing URL
* [2.0] Modify pam to require audit-libs (#2572)
* update pam
* update manifests
* install audit-libs before systemd (#2584)
* Revert "install audit-libs before systemd (#2584)"
This reverts commit 2170975852.
* Build rubygems with ruby to fix build error in pipeline (#2601)
* Add rubygems to build with ruby to fix build error in pipeline
* Remove bundler requirement
* [main] Adding `--assumeyes` for TDNF calls. (#2641) (#2642)
* Fix bad ruby merge issue
* Revert "python3: Add python-unversioned-command subpackage (#2637)"
This reverts commit b62bb32bef.
* dnf-plugins-core: Fix bad python path in cmake call (#2658)
* dnf-plugins-core: Fix bad python path in cmake call
* Update license map
* Empty commit to trigger GH checks
* Unblock build, exclude SymCrypt from ARM64
* Update python requirement in azurevm packagelist for 2.0 (#2667)
* Revert "Unblock build, exclude SymCrypt from ARM64"
This reverts commit 9b0a48fc52.
* Repair toolkit merge issue
* fix boringssl license issue (#2775)
* revert arm64 exclusion workaround (#2769)
* [main] Build break workaround. (#2788)
* Revert "fix boringssl license issue (#2775)"
This reverts commit 50b3397168.
* Remove boringssl to reconcile with main branch
* [main] Fixing installation paths with new version of Ruby. (#2859)
* vim: Fix vi provides with reversed EVR (#2872)
* cri-o: Replace openSUSE systemd macros with Mariner's (#2874)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed (#2878)
* toolchain: Rebuild audit with systemd-bootstrap-rpm-macros installed
* audit: Add BR on systemd-bootstrap-rpm-macros
* [2.0] Cherry-pick credscan failure caused by unattended installer image config (#2908)
* minor fix to build doc (#2907)
Co-authored-by: Henry Li <lihl@microsoft.com>
* fix image config json (#2906)
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
* download msopenjdk-11 from prod folder (#2921)
* Cherry Pick build fixes to Extended (#3105)
* ARM64 `buildah` and `edk2` blocked packages fix. (#3101)
* Adding missing signature for `perl-Module-Install-Repository`. (#3086)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* Python-twisted: upgrade to version 22.4.0 to fix CVE-2022-24801 (#3079)
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
* python-twisted upgrade to 22.4.0 to fix CVE-2022-24801
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-… (#3087)
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
* upgrading vim to 8.2.4979 for CVE-2022-1619, CVE-2022-1621, CVE-2022-1629, CVE-2022-1616, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* Updating `vim` to version 8.2.5064. (#3112)
* Bump Mariner Release (#3140)
* Revert "Add missing e2fsprogs dep to cloud-init (#3141)"
This reverts commit 7417d8a04f.
Reverting this change temporarily because we are not ready to upgrade cloud-init
* Revert "cloud-init: uprev to 22.2 (#3104)"
This reverts commit 3bcdc43b8f.
Reverting this change temporarily because we are not ready to upgrade cloud-init.
* Fix build errors caused by ncurses 6.3 upgrade (#3184)
* Fix ARM64 Build Break (#3191)
* t1lib: Fix SRPM packing (#3192)
* Revert "cloud-init: patch for CVE-2022-2084 (#3281)"
This reverts commit e3174308e7.
* Revert "Revert "cloud-init: uprev to 22.2 (#3104)""
This reverts commit ae3a7d80af.
* Revert "Revert "Add missing e2fsprogs dep to cloud-init (#3141)""
This reverts commit 68bd0ec8d7.
* Revert "Revert "cloud-init: patch for CVE-2022-2084 (#3281)""
This reverts commit 0b1ba723bc.
* Revert "Initial KeysInUse Integration (#3182)"
This reverts commit 7de96f680a.
* Updating 'mariner-release' version for July update 2. (#3444)
* remove provides from unsigned grub2 (#3461)
Co-authored-by: Henry Li <lihl@microsoft.com>
* Updating 'mariner-release' for the August release.
* Updating licenses after the 'main' merge.
* KeysInUse: re-introduce package back to 2.0. (#3531)
* Update helm version 3.9.3 (#3586)
* Update helm version 3.9.3
* Fix helm version info not displaying correctly
* fix cloud-init dependency issue (#3606)
* `mariadb`: update to v10.6.9 to fix CVE-2022-32091, CVE-2022-32081 (#3645)
* fix npm version in nodejs.spec (#3571)
* upgrade vim to 9.0.0232 (#3580)
* qemu : fix CVE-2022-35414 (#3597)
* qemu : fix CVE-2022-35414
* address PR comment
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* libxml2 and python-lxml: fix CVE-2022-2309 (#3583)
* libxml2 and python-lxml: fix CVE-2022-2309
* libxml2 and python-lxml: fix CVE-2022-2309
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* rubygem-yajl-ruby: fix CVE 2022 24795 (#3598)
* rubygem-yajl-ruby : fix CVE-2022-24795
* rubygem-yajl-ruby : fix CVE-2022-24795
* back port patch from 1.4.1
* fix spec issue
* address PR comments
Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
* Update cert-manager to v1.7.3. (#3575)
- Update cert-manager to v1.7.3.
- Split cert-manager binaries into separate packages.
- Remove cert-manager build dependency on Bazel and just build the
binaries directly using `go build`. This makes building easier. Also,
the latest upstream version of cert-manager does this.
- Use the Go "vendor" directory for Go dependencies instead of dumping
files in the global Go cache.
* Bump supported go versions to 1.17.13, 1.18.5 to fix fifteen CVEs (#3600)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
* dpdk: bump version to 21.11.2 to address CVE-2022-2132 (#3631)
* dpdk: bump version to 21.11.2 to address CVE-2022-2132
* dpdk: cgmanifest: update entry
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* `vim`: upgrade to 9.0.0325 to fix CVE-2022-2980, CVE-2022-2982, CVE-2022-2923, CVE-2022-2946 (#3643)
* `python3`: fix CVE-2015-20107 (#3644)
* `python3`: fix CVE-2021-28861 (#3654)
* `colord`: fix CVE-2021-42523 (#3675)
* `virglrenderer`: fix CVE-2022-0135 (#3674)
* libtar: Pull misc Fedora patches, fix CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646 (#3686)
* Apply Fedora patches
* Apply linter
* Use upstream patch
* Patch qemu CVE-2021-4158 (#3696)
* libtar: Fixup spec formatting, remove .la files, remove explicit provides (#3698)
* Fixup libtar spec formatting, .la files, provides
* Add comment so we can track CVE fixes
* update mariner-release to 2.0-19 (#3723)
* fix br in libvirt (#3726)
* Added nopatch to libtirpc for CVE-2021-46828 (#3779)
Co-authored-by: Nick Samson <nisamson@microsoft.com>
* update mariner-release to 2.0-21 (#3778)
* revert changes for adding sysinit.target dependency (#3777)
* Expat fix CVE-2022-40674 (#3799)
Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
* bump mariner-release to 2.0-21
* switching branches
* Ensure rpm-* ABI compatibility (#3880)
* Ensure `python3-rpm` pulls in appropriate libs
* Add rpm-build-libs -> rpm-libs dependency too
* Declare release `4.18.0-2` with fixes
* toolkit.mk: fix 'clean-rpms-snapshot' target. (#3843)
* 7.4.14 to 8.1.11; need to delete the old SPECS-EXTENDED folders
* php 8.1.11 build now
* removed libraries from SPECS-EXTENDED
* merged current 2.0; added changelog for php & updated other licenses; need to verify changelog for php & version thing olivia said
* update cgmanifest.json
* reresolving old mr comments
* updated hunspell to fix CVE; added aspell patch to fix CVE; fixed some PHP linting issues
* one linting fix
* removed commented-out modphp code; updated changelog
* debugging url issues
* trying 2sec timeout instead of 1sec
* echoing to txt log
* undoing validate-cg-manifests.sh changes; trying new url
* resolving mr comments
* updating malaga in cgmanifest
* trying source-git's mirror
* trying with local tarball
* trying with local tarball
* using blob storage
* Delete bad_registrations.txt
* updating tokyocabinet url
* changing branches
* resolving conflicts with upstream/main
* mr comments
* updating cgmanifest
* actually fixing validate_cg_manifest.sh
* Delete php-8.1.11.tar.xz.asc
* Delete php-keyring.gpg
Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Signed-off-by: Kate Goldenring <kagold@microsoft.com>
Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
Co-authored-by: nicolas guibourge <nicolasg@microsoft.com>
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: Thomas Crain <thcrain@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Co-authored-by: Max Brodeur-Urbas <35381493+MaxBrodeurUrbas@users.noreply.github.com>
Co-authored-by: Kate Goldenring <kate.goldenring@microsoft.com>
Co-authored-by: rlmenge <rachelmenge@microsoft.com>
Co-authored-by: Vince Perri <5596945+vinceaperri@users.noreply.github.com>
Co-authored-by: Andrew Phelps <anphel31@users.noreply.github.com>
Co-authored-by: Neha Agarwal <58672330+neha170@users.noreply.github.com>
Co-authored-by: Olivia Crain <olivia@olivia.dev>
Co-authored-by: Henry Li <69694695+henryli001@users.noreply.github.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
Co-authored-by: chalamalasetty <42326515+chalamalasetty@users.noreply.github.com>
Co-authored-by: Nan Liu <108544011+liunan-ms@users.noreply.github.com>
Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>
Co-authored-by: Cameron E Baird <cameronbaird@microsoft.com>
Co-authored-by: Chris Gunn <chrisgun@microsoft.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Nick Samson <nick.samson@microsoft.com>
Co-authored-by: Nick Samson <nisamson@microsoft.com>
Co-authored-by: Minghe Ren <mingheren@microsoft.com>
Co-authored-by: Betty <38226164+BettyRain@users.noreply.github.com>
Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
Co-authored-by: Andrew Phelps <anphel@microsoft.com>
Co-authored-by: Andy Caldwell <andycaldwell@microsoft.com>
* Make `glibc-static` a real package and police its version
* Add version bounds to all mentions of `glibc-static` in spec files
* Bump releases for all affected packages
* Add pipeline job to check static glibc versions
* Release new glibc packages with split out glibc-static
* Include distribution in requirement bounds
* Don't implicitly install glibc-static in pkggen chroot
* Correctly split up the static libraries between devel/static
* Consistent use of f-strings
* Allow libacvp to build without depending on `glibc-static`
* Remove `libhugetlbfs-tests` package
* Update kernel configs to not support static linking
* Declare `glibc-static` dependency for flannel
* Enable `-pie` by default in `clang`
* Rebuild SymCrypt with `-pie` enabled `clang`
* Use `glibc-static` on all platforms for `busybox`
* Tidy up libacvp Source lines
* Clang can't default to `-pie` so move `crt1.o` to `glibc-devel`
* Fix libacvp Source0 syntax
* Don't build static binaries in libhugetlbfs-tests
* Update kernel config signatures
* Kubevirt needs glibc-static too
* dnf: start dnf-automatic-notifyonly timer and emit via motd
* check-restart: Add package
* validate-cg-manifest: add check-restart to ignore list
* licenses: Add check-restart as MIT
* check-restart: verify license
Signed-off-by: Chris Co <chrco@microsoft.com>