Update idtools to use Mkdir funcs from moby sys/user package
Add deprecation exception to golangci until move off idtools is complete
Signed-off-by: Derek McGowan <derek@mcg.dev>
This package imports all "importable" packages, i.e., packages that:
- are not applications ("main")
- are not internal
- and that have non-test go-files
We do this to verify that our code can be consumed as a dependency
in "module mode". When using a dependency that does not have a go.mod
(i.e.; is not a "module"), go implicitly generates a go.mod. Lacking
information from the dependency itself, it assumes "go1.16" language
(see [DefaultGoModVersion]). Starting with Go1.21, go downgrades the
language version used for such dependencies, which means that any
language feature used that is not supported by go1.16 results in a
compile error:
# github.com/docker/cli/cli/context/store
/go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/storeconfig.go:6:24: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
/go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/store.go:74:12: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
These errors do NOT occur when using GOPATH mode, nor do they occur
when using "pseudo module mode" (the "-mod=mod -modfile=vendor.mod"
approach used in this repository).
As a workaround for this situation, we must include "//go:build" comments
in any file that uses newer go-language features (such as the "any" type
or the "min()", "max()" builtins).
From the go toolchain docs (https://go.dev/doc/toolchain):
> The go line for each module sets the language version the compiler enforces
> when compiling packages in that module. The language version can be changed
> on a per-file basis by using a build constraint.
>
> For example, a module containing code that uses the Go 1.21 language version
> should have a go.mod file with a go line such as go 1.21 or go 1.21.3.
> If a specific source file should be compiled only when using a newer Go
> toolchain, adding //go:build go1.22 to that source file both ensures that
> only Go 1.22 and newer toolchains will compile the file and also changes
> the language version in that file to Go 1.22.
This file is a generated module that imports all packages provided in
the repository, which replicates an external consumer using our code
as a dependency in go-module mode, and verifies all files in those
packages have the correct "//go:build <go language version>" set.
To test this package:
make -C ./internal/gocompat/
GO111MODULE=off go generate .
go mod tidy
go test -v
# github.com/docker/docker/libnetwork/options
../../libnetwork/options/options.go:45:25: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
# github.com/docker/docker/libnetwork/internal/setmatrix
../../libnetwork/internal/setmatrix/setmatrix.go:13:16: type parameter requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:13:18: predeclared comparable requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:14:20: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:20:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:31:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:43:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:59:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:80:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:93:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:104:10: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/internal/setmatrix/setmatrix.go:104:10: too many errors
# github.com/docker/docker/libnetwork/config
../../libnetwork/config/config.go:35:47: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/config/config.go:47:41: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/config/config.go:63:55: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../libnetwork/config/config.go:95:63: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
# github.com/docker/docker/testutil
../../testutil/helpers.go:80:9: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
# github.com/docker/docker/builder/builder-next/adapters/containerimage
../../builder/builder-next/adapters/containerimage/pull.go:72:4: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
../../builder/builder-next/adapters/containerimage/pull.go:200:19: type instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
FAIL gocompat [build failed]
make: *** [Makefile:5: verify] Error 1
[DefaultGoModVersion]: 58c28ba286/src/cmd/go/internal/gover/version.go (L15-L24)
[2]: https://go.dev/doc/toolchain
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
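The check the commit message describes (every file that uses post-go1.16 syntax must carry a matching `//go:build` line) can also be expressed directly against the Go AST. The program below is an added example written for this note, not the repository's gocompat package: it parses constructed sample sources, estimates the language version each file's syntax needs (only the go1.18 features cited above: `any`, `comparable` and generics, assuming those names are not shadowed), reads the version implied by the file's `//go:build` constraint via `go/build/constraint`, and reports whether a consumer whose go.mod was implicitly generated with `go 1.16` could compile it. Non-version tags such as `linux` are assumed satisfied, which is a simplification.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/build/constraint"
	"go/parser"
	"go/token"
)

// Constructed sample sources (not files from this repository): one uses "any"
// with no build constraint, the other guards generics with "//go:build go1.18".
const unguardedSrc = `package store

func Get(m map[string]any, k string) any { return m[k] }
`

const guardedSrc = `//go:build go1.18

package setmatrix

type SetMatrix[T comparable] struct{ m map[string]map[T]struct{} }
`

// neededMinor returns the lowest Go 1.x language version the file's syntax
// needs, recognising only go1.18 features: "any"/"comparable" and generics.
func neededMinor(f *ast.File) int {
	need := 16
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.Ident:
			if x.Name == "any" || x.Name == "comparable" {
				need = 18 // assumes the predeclared names are not shadowed
			}
		case *ast.TypeSpec:
			if x.TypeParams != nil {
				need = 18
			}
		case *ast.FuncType:
			if x.TypeParams != nil {
				need = 18
			}
		case *ast.IndexListExpr: // explicit instantiation, e.g. M[string, int]
			need = 18
		}
		return true
	})
	return need
}

// declaredMinor returns the Go 1.x version implied by the file's //go:build
// line, or 0 if there is none: the constraint is evaluated against candidate
// toolchains in increasing order, a "go1.N" tag holding when N <= candidate;
// any other tag (GOOS, GOARCH, custom) is assumed to hold (a simplification).
func declaredMinor(f *ast.File) int {
	for _, cg := range f.Comments {
		if cg.Pos() > f.Package {
			break // build constraints must precede the package clause
		}
		for _, c := range cg.List {
			if !constraint.IsGoBuild(c.Text) {
				continue
			}
			expr, err := constraint.Parse(c.Text)
			if err != nil {
				return 0
			}
			for minor := 1; minor <= 40; minor++ {
				if expr.Eval(func(tag string) bool {
					var n int
					if _, err := fmt.Sscanf(tag, "go1.%d", &n); err == nil {
						return n <= minor
					}
					return true
				}) {
					return minor
				}
			}
		}
	}
	return 0
}

// checkFile reports whether src would compile for a consumer whose go.mod was
// implicitly generated with "go 1.16": the file needs nothing newer, or its
// //go:build line raises the language version far enough.
func checkFile(name, src string) (need, declared int, ok bool, err error) {
	f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ParseComments)
	if err != nil {
		return 0, 0, false, err
	}
	need, declared = neededMinor(f), declaredMinor(f)
	return need, declared, need <= 16 || declared >= need, nil
}

func main() {
	for name, src := range map[string]string{"store.go": unguardedSrc, "setmatrix.go": guardedSrc} {
		need, declared, ok, err := checkFile(name, src)
		fmt.Printf("%s: needs go1.%d, //go:build declares go1.%d, ok=%v, err=%v\n", name, need, declared, ok, err)
	}
}
```

Running it flags `store.go` (needs go1.18, declares nothing) and accepts `setmatrix.go`. A real check would also have to honour the module's own `go` line and the go1.21 `min`/`max` builtins, which need scope analysis to tell apart from user-defined functions.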
The runc libcontainer/cgroups package was moved to a separate
module; switch our use of the runc module to use the new
location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This release removes deprecated functions from the `label` package,
and improves documentation and error reporting of `SetCreateKey`.
Relevant changes:
- label: remove deprecated stuff
- Improve SetKeyCreate error reporting
full diff: https://github.com/opencontainers/selinux/compare/v1.11.1...v1.12.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.
* Fix a stall issue that would happen if setting `O_CLOEXEC` with
`CloseExecFrom` failed.
* `runc` now properly handles joining time namespaces (such as with
`runc exec`). Previously we would attempt to set the time offsets
when joining, which would fail.
* Handle `EINTR` retries correctly for socket-related direct
`golang.org/x/sys/unix` system calls.
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
turns out this had some unfortunate bugs in older kernel versions and was
never necessary in the first place.
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
runc-dmz, but we forgot to remove this helper added only for that.
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
from CI. We need to drop Ubuntu 20.04 from CI because Github Actions
announced it's already deprecated and it will be discontinued soon.
full diff: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/net/compare/v0.35.0...v0.36.0
Version v0.36.0 of golang.org/x/net fixes a vulnerability in the
golang.org/x/net/proxy and golang.org/x/net/http/httpproxy packages
which could cause the proxy to be bypassed.
Matching of hosts against proxy patterns could improperly treat an IPv6
zone ID as a hostname component. For example, when the NO_PROXY
environment variable was set to "*.example.com", a request to
"[::1%25.example.com]:80" would incorrectly match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
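The bug class behind CVE-2025-22870 is matching a proxy rule against a host string that has not been canonicalised first. The code below is an added example written for this note, not the `golang.org/x/net` implementation (whose rule grammar and fix differ in detail): it strips the port, the IPv6 brackets and any zone identifier (`%eth0`, or `%25...` in its URL-escaped form) before matching, and never lets an IP literal satisfy a domain rule. The assumed rule grammar is `*`, an IP, a CIDR, or a domain, where `example.com` matches the name and its subdomains and `.example.com` / `*.example.com` match subdomains only.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalizeHost reduces a "host[:port]" authority to the bare host that proxy
// rules should be matched against: port and IPv6 brackets removed, the zone
// identifier cut off, lower-cased, trailing dot dropped. It also reports
// whether the result is an IP literal.
func normalizeHost(hostport string) (host string, isIP bool) {
	host = hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	} else { // no port: just drop any IPv6 brackets
		host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	}
	// A zone identifier scopes a link-local address to an interface; it is
	// never a DNS label, so it must not take part in suffix matching.
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i]
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host, net.ParseIP(host) != nil
}

// matchesNoProxy reports whether hostport matches the comma-separated NO_PROXY
// rule list (grammar described in the lead-in; an assumption of this example).
func matchesNoProxy(hostport, noProxy string) bool {
	host, isIP := normalizeHost(hostport)
	if host == "" {
		return false
	}
	ip := net.ParseIP(host) // nil unless isIP
	for _, rule := range strings.Split(noProxy, ",") {
		rule = strings.ToLower(strings.TrimSpace(rule))
		switch {
		case rule == "":
			continue
		case rule == "*":
			return true
		case strings.Contains(rule, "/"):
			if _, cidr, err := net.ParseCIDR(rule); err == nil && isIP && cidr.Contains(ip) {
				return true
			}
		case net.ParseIP(rule) != nil:
			if isIP && ip.Equal(net.ParseIP(rule)) {
				return true
			}
		case isIP:
			continue // a domain rule never matches an IP literal
		case strings.HasPrefix(rule, "*."), strings.HasPrefix(rule, "."):
			suffix := strings.TrimPrefix(rule, "*") // ".example.com"
			if len(host) > len(suffix) && strings.HasSuffix(host, suffix) {
				return true
			}
		default:
			if host == rule || strings.HasSuffix(host, "."+rule) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed inputs, including the host form from the advisory above.
	for _, hp := range []string{"[::1%25.example.com]:80", "www.example.com:443", "[fe80::1%eth0]:8080", "10.1.2.3:80"} {
		fmt.Printf("%-26s bypass=%v\n", hp, matchesNoProxy(hp, "*.example.com, fe80::1, 10.0.0.0/8"))
	}
}
```

The advisory's `[::1%25.example.com]:80` normalises to the IP literal `::1`, which cannot match `*.example.com`; the same input matched under the vulnerable behaviour because the text after `%` was compared as if it were a hostname.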
We have tagged version v0.27.0 of golang.org/x/oauth2 in order to address
a security issue.
jws: unexpected memory consumption during token parsing
Version v0.27.0 of golang.org/x/oauth2 fixes a vulnerability in the
golang.org/x/oauth2/jws package which could cause a denial of service.
An attacker can pass a malicious malformed token which causes unexpected
memory to be consumed during parsing.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-22868 and Go issue https://go.dev/issue/71490.
full diff: https://github.com/golang/oauth2/compare/v0.26.0...v0.27.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
No code changes, only comments (warnings) added;
- google: add warning about externally-provided credentials
> Important: If you accept a credential configuration (credential JSON/File/Stream) from an
> external source for authentication to Google Cloud Platform, you must validate it before
> providing it to any Google API or library. Providing an unvalidated credential configuration to
> Google APIs can compromise the security of your systems and data. For more information, refer to
> [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
full diff: https://github.com/golang/oauth2/compare/v0.23.0...v0.26.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: https://github.com/golang/crypto/compare/v0.31.0...v0.35.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relevant changes:
- Update remote content to break up writes to avoid grpc message size limits
- Move CDI device spec out of the OCI package
- Remove deprecated WithCDIDevices in oci spec opts
full diff: https://github.com/containerd/containerd/compare/v2.0.2...v2.0.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Changes in runc code are not impacting code we use;
- libcontainer/utils.MkdirAllInRootOpen is not used
- libcontainer/utils.MkdirAllInRoot is not used
Similarly, while filepath-securejoin is imported, the functions using it
in runc (cgroups.FindCgroupMountpoint) are not used in our codebase, so
these changes don't affect our code; `tryDefaultPath` uses securejoin,
which is used by `FindCgroupMountpoint`, but not used in our codebase.
diffs:
- https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
- https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.4.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
not the latest-latest version, but v1.1.58 is used elsewhere, and I saw
some fixes in v1.1.59 and v1.1.60, and v1.1.61 was docs-only changes.
- Allow use of fs.FS for $INCLUDE and wrap errors
- Add NXT record
- Add ISDN record
- Fix counting of escape sequences when splitting TXT string
- IsDomainName: check for escape as last character
- Add a hook to catch invalid messages
- Fix possible out-of-bounds read in endingToTxtSlice
full diff: https://github.com/miekg/dns/compare/v1.1.57...v1.1.61
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>