107 Commits

Author SHA1 Message Date
Milos Gajdos
38fd91a49e (security): Bump golang.org/x/net module
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-20 06:21:59 +00:00
Milos Gajdos
96a3daafe9 Move a direct dependency to direct deps required modules
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-12 11:34:21 +00:00
Milos Gajdos
fb3ba302d2 chore: Bump alpine and Go versions
3.20 had a minor security vulnerability. Let's bump it.

Related:
* https://github.com/distribution/distribution-library-image/issues/171
* https://github.com/distribution/distribution/pull/4527

Bump Go version
* CI
* go.mod

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-12 11:29:11 +00:00
dependabot[bot]
6eba54be60 build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-12 08:34:18 +00:00
krynju
abbe03efef Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Signed-off-by: krynju <krystian.gulinski@juliahub.com>
2024-11-13 18:27:43 +01:00
Milos Gajdos
d67b46a05b Bump dependencies (#4498) 2024-11-06 10:52:35 +00:00
Milos Gajdos
3ac2285631 Bump otel dependencies
We want to be consistent in our deps so tracking down issues does not end
up in a murder mystery hunt. This commit picks specific otel versions
that are unified in this codebase.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-11-05 05:45:37 +00:00
Milos Gajdos
3996413f46 Bump google storage module
Also bump the golangci version

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 18:19:46 +01:00
Milos Gajdos
1c26d98fbe Bump dependencies
In preparation for the next release we're going to bump some deps such as
various cloud SDKs we can test i.e. AWS, Google Cloud, etc.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 17:52:35 +01:00
Chun-Hung Hsiao
eed9400d26 feat: support custom exec-based credential helper in proxy mode
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.

Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
2024-08-16 19:42:51 -07:00
Ismail Alidzhikov
ba8e539b03 Use x.y.0 format for the go module version
Signed-off-by: Ismail Alidzhikov <i.alidjikov@gmail.com>
2024-07-29 13:20:39 +03:00
Milos Gajdos
c345425ff5 ci:bump Go version
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-13 19:24:26 +01:00
Sebastiaan van Stijn
9ba7340601 vendor: github.com/opencontainers/image-spec v1.1.0
full diff: https://github.com/opencontainers/image-spec/compare/v1.0.2...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-10 14:58:09 -05:00
Milos Gajdos
5316d3bda2 Bump Go and golang linter
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-06-30 16:50:09 +01:00
dependabot[bot]
050e1a3ee7 build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.3.0 to 1.6.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.3.0...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-11 20:09:16 +00:00
Milos Gajdos
675d7e27f5 feature: Bump go-jose and require signing algorithms in auth (#4349) 2024-05-30 20:54:20 +01:00
Milos Gajdos
52d68216c0 feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
James Hewitt
421a359b26 Add a go.mod toolchain version
go 1.21 added toolchain support. We should now specify a toolchain
version in go.mod.

https://go.dev/doc/toolchain

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
2024-05-13 14:47:07 +01:00
Liang Zheng
a5882d6646 vendor: update manifest dependencies
Signed-off-by: Liang Zheng <zhengliang0901@gmail.com>
2024-04-26 22:22:49 +08:00
dependabot[bot]
2db0a598cc build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-19 12:59:08 +00:00
Milos Gajdos
bc6e81e1b9 Add Go 1.22 support to CI (#4314) 2024-04-08 12:15:39 +01:00
Austin Vazquez
21c718d58c Add Go 1.22 support to CI
This change adds Go 1.22 to the Go version matrix in CI and updates all
Dockerfiles to use Go 1.21.8.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-03-27 15:59:13 +00:00
Milos Gajdos
167d7996be chore: bump distribution/reference dependency
We've made a new release https://github.com/distribution/reference

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-03-26 20:19:28 +00:00
Milos Gajdos
7c7517493c build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#4297) 2024-03-17 10:38:34 +00:00
dependabot[bot]
cb2b51cac9 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-13 23:16:02 +00:00
dependabot[bot]
1c5fe22dec build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.1 to 3.0.3.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.1...v3.0.3)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-07 23:01:05 +00:00
gotgelf
f690b3ebe2 Added Open Telemetry Tracing to Filesystem package
Signed-off-by: gotgelf <gotgelf@gmail.com>
2024-03-04 13:31:22 +01:00
erezrokah
11f50c034e feat: Add HTTP2 for unencrypted HTTP
Signed-off-by: erezrokah <erezrokah@users.noreply.github.com>
2024-01-17 20:59:02 +00:00
Milos Gajdos
6926aea0ee vendor: github.com/gorilla/handlers v1.5.2 (#4211) 2024-01-16 17:06:16 +07:00
Sebastiaan van Stijn
bdfa8324a0 vendor: github.com/mitchellh/mapstructure v1.5.0
note that this repository will be sunset, and the "endorsed" fork will be
maintained by "go-viper". Updating the dependency to the latest version in
preparation.

full diff: https://github.com/mitchellh/mapstructure/compare/v1.1.2...v1.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 12:28:10 +01:00
Sebastiaan van Stijn
4f9fe183c3 vendor: github.com/gorilla/handlers v1.5.2
full diff: https://github.com/gorilla/handlers/compare/v1.5.1...v1.5.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-22 10:23:09 +01:00
dependabot[bot]
dcee8e93a3 build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.15.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-19 00:02:47 +00:00
Eng Zer Jun
bcbf0431d1 testing: replace legacy gopkg.in/check.v1
This commit replaces the legacy `gopkg.in/check.v1` testing dependency
with `github.com/stretchr/testify`.

Closes https://github.com/distribution/distribution/issues/3884.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-12-13 09:22:43 +00:00
gotgelf
0e3018f2cf Otel tracing MVP: vendor changes
Signed-off-by: gotgelf <gotgelf@gmail.com>
2023-12-11 21:18:42 +01:00
Milos Gajdos
60e7e87889 vendor: github.com/spf13/cobra v1.8.0 (#4182) 2023-12-01 12:09:15 +00:00
Milos Gajdos
6f84e87803 update: AWS Go SDK bump to the latest release
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-12-01 11:24:44 +00:00
Sebastiaan van Stijn
1f6afab6e0 vendor: github.com/spf13/cobra v1.8.0
updating to current version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 12:05:31 +01:00
Milos Gajdos
a2613975a1 vendor: github.com/sirupsen/logrus v1.9.3 (#4179) 2023-12-01 10:51:38 +00:00
Milos Gajdos
3b58737bb6 vendor: github.com/gorilla/mux v1.8.1 (#4180) 2023-12-01 10:51:20 +00:00
Sebastiaan van Stijn
79976446f7 vendor: github.com/klauspost/compress v1.17.4
newer versions continue to include performance improvements, so it's good
to stay up-to-date.

full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:33:39 +01:00
Sebastiaan van Stijn
db187ae55c vendor: github.com/gorilla/mux v1.8.1
full diff: https://github.com/gorilla/mux/compare/v1.8.0...v1.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:26:51 +01:00
Sebastiaan van Stijn
d6dd652f5a vendor: github.com/sirupsen/logrus v1.9.3
full diff: https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:21:44 +01:00
dependabot[bot]
b8b390f4cd build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-21 22:25:08 +00:00
Milos Gajdos
d8d14ca363 Switch to github.com/google/uuid (#4132) 2023-10-26 13:36:12 +01:00
dependabot[bot]
32316367c8 Bump google.golang.org/grpc from 1.53.0 to 1.56.3
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.53.0...v1.56.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 22:26:53 +00:00
James Hewitt
ef8651ec2a Switch to github.com/google/uuid
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
2023-10-25 12:15:21 +01:00
Milos Gajdos
fe21f43911 feat: replace docker/libtrust with go-jose/go-jose
docker/libtrust repository has been archived for several years now.
This commit replaces all the libtrust JWT machinery with go-jose/go-jose module.
Some of the code has been adopted from libtrust and adjusted for some of
the use cases covered by the token authorization flow especially in the
tests.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-10-19 15:32:59 +01:00
dependabot[bot]
758c0f9d77 Bump golang.org/x/net from 0.8.0 to 0.17.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.8.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 23:39:45 +00:00
Geoffrey Hausheer
2435def474 Support systemd socket-activation
Signed-off-by: Geoffrey Hausheer <rc2012@pblue.org>
2023-09-20 09:37:22 -07:00
dependabot[bot]
e4dd28b886 Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 13:06:27 +00:00