Commit Graph

781 Commits

Author SHA1 Message Date
Dan Mihai
221b9cbe5b Merge pull request #13327 from ihanzh/fix-genpolicy-dot-slash-layer-paths
genpolicy: normalize layer tar paths
2026-07-08 10:15:01 -07:00
Han Zhang
b95ab6a4e1 genpolicy: normalize layer tar paths
Layer tar entries may include current-directory components, such as
./etc/passwd, when images are produced by common tar commands.

Normalize layer paths before matching passwd, group, and whiteout
entries. This lets genpolicy handle equivalent relative paths while
skipping empty, unsafe, or absolute paths.

Fixes: #12692

Assisted-By: OpenAI Codex
Signed-off-by: Han Zhang <ihanzhzh@gmail.com>
2026-07-07 08:15:22 +08:00
stevenhorsman
54f705af69 runtime-rs: bump hyper 0.14.20 → 1.10.1 and migrate to hyper 1.x API
Update hyper to 1.10.1 and hyperlocal to 0.9.1 (required for hyper 1.x
compatibility). Add http-body-util 0.1, hyper-util 0.1 and bytes 1.0 as
workspace dependencies.

API changes applied across shim-interface, runtimes, hypervisor
(firecracker) and resource (nydus_client) crates:

- hyper::Body → http_body_util::Full<Bytes> for outgoing bodies
- hyper::body::Incoming for incoming server request bodies
- hyper::Client → hyper_util::client::legacy::Client
- hyper::Server + make_service_fn → TcpListener loop +
  hyper_util::server::conn::auto::Builder (kata-ctl http_server)
- hyper::server::conn::Http → hyper::server::conn::http1::Builder
  with hyper_util::rt::TokioIo wrapper (runtimes shim_mgmt server)
- hyper::body::to_bytes() → BodyExt::collect().await?.to_bytes()
- Client::unix() now requires explicit body type parameter Full<Bytes>
- Drop removed 'stream' feature flag from hyper dependency declarations

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-07-01 09:03:21 -07:00
Fabiano Fidêncio
4ce42834cf Merge pull request #13288 from kata-containers/dependabot/cargo/opentelemetry_sdk-0.32.1
build(deps): bump opentelemetry_sdk from 0.27.1 to 0.32.1
2026-07-01 14:36:32 +02:00
Hyounggyu Choi
a30c22bd64 runtime-rs: Remove hotplug_vfio_on_root_bus
The `hotplug_vfio_on_root_bus` configuration option is no longer needed
in the runtime-rs.

Remove the option from:
- `DeviceInfo` struct and its `hotplug_vfio_on_root_bus` field
- `PCIeTopology` struct and its construction in `topology.rs`
- `HypervisorInfo` struct and its `hotplug_vfio_on_root_bus` field
- `KATA_ANNO_CFG_HYPERVISOR_HOTPLUG_VFIO_ON_ROOT_BUS` annotation constant
  and its handler in `Annotation::apply()`
- DragonBall validation check in `ConfigPlugin::adjust_config()`
- All runtime-rs TOML config templates (qemu, fc, nvidia GPU variants)
- Test fixture TOML files

Update the documentation having a reference to it.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-07-01 04:15:26 +02:00
Fabiano Fidêncio
b5c61229c0 Merge pull request #13289 from stevenhorsman/mem-agent-rpc-policy
Mem agent rpc policy
2026-06-29 16:54:43 +02:00
Dan Mihai
d9fc56d6b3 Merge pull request #13105 from manuelh-dev/mahuber/no-guest-pull-skip-pol
genpolicy: stop skipping image UID/GID derivation for guest-pull
2026-06-29 07:06:22 -07:00
stevenhorsman
5c02ef1335 genpolicy: add missing default rules for AgentService RPCs
Six AgentService RPC request types were missing default rule entries in
rules.rego, meaning genpolicy-generated policies would not include them
in their output and the entries would be absent from reference policies.
All six already have is_allowed gates in the agent RPC handlers.

Add the missing defaults and set them all to false

Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-29 10:49:26 +01:00
stevenhorsman
f490684636 policy: add missin default policy rules
Add default-deny entries for MemAgentMemcgConfig and MemAgentCompactConfig
to rules.rego, and the corresponding allow entries to the two reference
OPA policies (allow-all.rego and allow-all-except-exec-process.rego).

Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-29 10:49:08 +01:00
Manuel Huber
4804a08773 genpolicy: model block-plain emptyDirs
Replace the encrypted-emptyDir boolean setting with an emptydir_type
setting that can describe shared-fs, block-encrypted, and block-plain
emptyDirs.

Add policy storage templates for block encrypted and block plain emptyDirs
with the create-filesystem driver option. Plain block emptyDirs also carry
the discard mount option. The block storage source pattern is relaxed to
match the runtime-rs values observed for block devices.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-26 21:05:51 +00:00
dependabot[bot]
db91f6f130 trace-forwarder: update opentelemetry dependencies to v0.32
Bump opentelemetry and opentelemetry-otlp from 0.27.0 to 0.32.0 to
align with the opentelemetry_sdk 0.32.1 upgrade. Adapt tracer.rs to
the breaking API changes introduced in that release.

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-26 05:01:20 -07:00
Manuel Huber
c6ee1c70a8 genpolicy: test image user group handling
Add unit coverage for image config User values that include a
group component. For Kubernetes, containerd CRI ImageStatus exposes
only the user side before kubelet creates the container security
context, so genpolicy keeps treating those values like the user-only
form.

The fixture uses in-memory passwd and group data so the test does not
rely on private reproducer images.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-26 00:04:17 +00:00
Manuel Huber
b843e56651 genpolicy: require guest-pull securityContext
Fail policy generation when guest-pull is enabled and genpolicy
derives UID, GID, or supplemental groups from image layers that are
not explicit in Kubernetes securityContext.

Print user-facing guidance to stderr before exiting so the failure
explains which securityContext values need to be added. Prefer
container-level securityContext in the recommendation for runAsUser
and runAsGroup, while keeping supplementalGroups in pod-level
securityContext where Kubernetes models it.

Skip the failure for the default root identity.

Refresh genpolicy fixtures and add tests so missing, incomplete,
and split pod/container securityContext values are caught during CI.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-25 23:22:37 +00:00
Manuel Huber
493ecccc43 genpolicy: inspect layers under guest-pull
Always parse passwd and group data from image layers when building
genpolicy container metadata, even when guest-pull is enabled.

This lets the policy derive UID, GID, and supplemental groups from
the image instead of preserving host-visible fallback values.

Refresh the affected golden policy outputs for the new identity data.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-25 17:36:49 +00:00
Aurélien Bombo
1217dd1584 Merge pull request #12373 from kata-containers/disable-guest-empty-dir
runtime: Set `disable_guest_empty_dir = true` by default
2026-06-24 20:09:46 -05:00
Aurélien Bombo
3acb618f6b genpolicy: Assume disable_guest_empty_dir = true
This option should be removed for 4.0, so we don't handle `false`.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-06-24 15:22:13 -05:00
stevenhorsman
531877f28f deps: Upgrade nix crate from 0.26.4 to 0.31.3
Upgrade the nix crate across the workspace to version 0.30.1 to address
security vulnerabilities and adopt safer file descriptor handling patterns.

### Breaking Changes in nix 0.28.0

1. **File Descriptor Type Changes**
   - Functions now return `OwnedFd` instead of `RawFd` (i32)
   - Functions requiring file descriptors now expect types implementing `AsFd` trait
   - This provides RAII-based automatic cleanup and prevents fd leaks

2. **API Signature Changes**
   - `pipe()`, `pipe2()`, `openpty()` now return `OwnedFd` tuples
   - `socket()` returns `OwnedFd` instead of `RawFd`
   - `open()`, `memfd_create()` return `OwnedFd`
   - `setns()`, `write()`, `fcntl()` require `AsFd` trait
   - `madvise()` requires `NonNull<c_void>` instead of raw pointer
   - `bind()`, `listen()`, `connect()` require `AsFd` and `Backlog` type

3. **Module Feature Flags**
   - Modules now require explicit feature flags (mman, reboot, etc.)

### Additional Breaking Changes in nix 0.30.1

1. **symlinkat() API Change**
   - `dirfd` parameter now requires `AsFd` trait instead of `Option<RawFd>`
   - Use `BorrowedFd::borrow_raw(libc::AT_FDCWD)` for current directory

2. **Type Alias Deprecation**
   - `MemFdCreateFlag` renamed to `MFdFlags` for consistency

### Changes Made

**Workspace Configuration (Cargo.toml)**
- Updated nix to 0.30.1 with features: fs, mount, sched, process, ioctl,
  signal, socket, feature, user, hostname, term, event, mman, reboot

**File Descriptor Handling Patterns**
- Use `BorrowedFd::borrow_raw(raw_fd)` to wrap RawFd for AsFd requirements
- Use `.as_fd().as_raw_fd()` to extract raw fd without ownership transfer
- Use `.into_raw_fd()` only when ownership transfer is needed
- Use `NonNull::new().unwrap()` for madvise pointer conversion

**Deprecated API Replacements**
- `eventfd()` → `EventFd::from_value_and_flags()`
- `Errno::from_i32()` → `Errno::from_raw()`
- `listen(fd, backlog)` → `listen(&fd, Backlog::new(backlog).unwrap())`
- `MemFdCreateFlag` → `MFdFlags`

Generated by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-19 03:49:16 -07:00
stevenhorsman
ac508b093d runtime-rs: Use workspace nix version
See if we can sync to use the workspace version for easier
dependency management

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-19 03:49:16 -07:00
davidweisse
ac56ea21d8 genpolicy: support pod-level resources
Add support for resource requests and limits in the PodSpec.

Fixes #12816

Signed-off-by: davidweisse <98460960+davidweisse@users.noreply.github.com>
2026-06-16 15:30:22 +02:00
Markus Rudy
2e8f61a575 genpolicy: add missing probe fields
This commit adds fields for readiness/liveness/startup probes that were
missing so far, and adds probes to the ignored_fields test to ensure
these stay supported. None of these fields has an influence on the
generated policy, they just allow parsing valid k8s yaml.

Co-authored-by: Spyros Seimenis <sse@edgeless.systems>
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2026-06-12 13:20:16 +02:00
Steve Horsman
2ac6bb173b Merge pull request #13036 from stevenhorsman/jaeger-to-otlp-tracing-switch
trace-forwarder: migrate from Jaeger to OTLP exporter
2026-06-05 14:30:26 +01:00
Steve Horsman
1624ebe362 Merge pull request #13135 from kata-containers/dependabot/cargo/tar-0.4.46
build(deps): bump tar from 0.4.45 to 0.4.46
2026-06-05 09:44:46 +01:00
stevenhorsman
b737ae48bf trace-forwarder: migrate from Jaeger to OTLP exporter
Migrate trace-forwarder from the deprecated opentelemetry-jaeger
exporter to the modern opentelemetry-otlp exporter.

This change remediates GHSA-2f9f-gq7v-9h6m (CVE-2026-43868), a
medium-severity vulnerability in Apache Thrift. The opentelemetry-jaeger
crate is no longer maintained and depends on vulnerable thrift versions
(0.13.0 and 0.16.0). The opentelemetry-otlp exporter does not use thrift
and is actively maintained.

Changes:
- Replace opentelemetry-jaeger with opentelemetry-otlp in Cargo.toml
- Update tracer.rs to use OTLP exporter instead of Jaeger exporter
- Replace --jaeger-host/--jaeger-port flags with --otlp-endpoint flag
- Update server.rs to use TracerProvider instead of SpanExporter
- Update documentation to reflect OTLP migration
- Add examples for common OTLP-compatible collectors

Breaking change: Users must update their trace-forwarder invocations
to use --otlp-endpoint instead of --jaeger-host and --jaeger-port.

Default endpoint: http://localhost:4317 (OTLP gRPC)

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-06-04 19:39:47 +01:00
Dan Mihai
c78ccc2e9f Merge pull request #13088 from kata-containers/dependabot/cargo/openssl-0.10.80
build(deps): bump openssl from 0.10.79 to 0.10.80
2026-06-04 11:38:08 -07:00
dependabot[bot]
4ab63d0a5d build(deps): bump tar from 0.4.45 to 0.4.46
Bumps [tar](https://github.com/composefs/tar-rs) from 0.4.45 to 0.4.46.
- [Release notes](https://github.com/composefs/tar-rs/releases)
- [Commits](https://github.com/composefs/tar-rs/compare/0.4.45...0.4.46)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 0.4.46
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-04 07:52:44 +00:00
dependabot[bot]
d155f1a4ab build(deps): bump openssl from 0.10.79 to 0.10.80
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.79 to 0.10.80.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.79...openssl-v0.10.80)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.80
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-04 07:51:50 +00:00
stevenhorsman
879912be25 versions: bump golang to 1.25.11
Bump the go version to resolve CVEs:
- GO-2026-5037
- GO-2026-5038
- GO-2026-5039

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
2026-06-04 08:49:17 +01:00
stevenhorsman
46d704a7ab log-parser: bump golang.org/x/sys dependency
Bump golang.org/x/sys from v0.1.0 to v0.44.0 to resolve CVE:
- GO-2026-5024

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
2026-06-03 09:56:54 +01:00
stevenhorsman
08ab789d9a csi-kata-directvolume: bump golang.org/x dependencies
Bump golang.org/x/net from v0.53.0 to v0.55.0 and golang.org/x/sys
from v0.43.0 to v0.44.0 to resolve CVEs:
- GO-2026-5024
- GO-2026-5025
- GO-2026-5026
- GO-2026-5027
- GO-2026-5028
- GO-2026-5029
- GO-2026-5030

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Generated-By: IBM Bob
2026-06-03 09:56:54 +01:00
stevenhorsman
6ee43475c3 agent-ctl: Fix CLH virtio-fs queue size configuration
After commit e2240b694a ("runtime-rs: ch: source virtio-fs queue size
from toml"), Cloud Hypervisor no longer provides fallback defaults for
virtio-fs queue configuration. When queue_size or queue_num are 0, CH
now uses those values directly instead of substituting defaults, which
causes a panic in the device manager.

The agent-ctl tool was hardcoding queue_size=0 and queue_num=0 in
share_fs_utils.rs, relying on CH's fallback behavior. This broke the
agent-api tests for Cloud Hypervisor while QEMU tests continued to pass.

Fix by reading virtio_fs_queue_size from the hypervisor config and
falling back to sensible defaults (1024 queue size, 1 queue) when not
configured, matching the previous CH default behavior.

Generated-by: IBM Bob

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-19 12:05:52 +01:00
stevenhorsman
3466f888db agent-ctl: Move into root workspace
- Add agent-ctl to be a workspace member to simplify the
dependency management.
- Also add a test target as we've been running it in static-checks
without it doing anything

Assisted-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-18 09:47:15 +01:00
Markus Rudy
38948f31a7 genpolicy: include test binaries in make target build
genpolicy supports building and testing on Darwin, both for Kata
developers as well as for users of the tool. In CI, we're currently only
testing the binary build on darwin, the test is only executed on Linux.
Since we aim to support development on darwin, including test execution,
we need to prevent regressions such as [1]. This commit adds the test
binaries to the `make build` target, such that they are covered by
`ci/darwin-tests.sh`.

In order to avoid unnecessary recompilation between the build and test
target, we align the `--release` handling between the two.

[1]: 639ff3578d

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2026-05-16 20:47:12 +02:00
Dan Mihai
0f3df5d1e4 Merge pull request #13025 from manuelh-dev/mahuber/img-pull-policy
tests: generate guest-pull image pull agent security policies
2026-05-15 14:09:00 -07:00
Fabiano Fidêncio
54aaa1ea2a tests: enable trusted ephemeral storage for runtime-rs
Remove the runtime-rs skip from the trusted ephemeral data storage
test now that runtime-rs implements block-encrypted emptyDir volumes.

Also remove the genpolicy drop-in that disabled encrypted_emptydir
for runtime-rs and the corresponding copy logic in tests_common.sh.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-14 22:56:11 +02:00
Greg Kurz
d2dc0a923c Merge pull request #13030 from stevenhorsman/go-1.25.10-bump
Go 1.25.10 bump
2026-05-13 08:09:51 +02:00
Aurélien Bombo
dcafae9645 Merge pull request #13032 from kata-containers/sprt/fix-virtiofsd-args
runtime-rs: align virtiofsd args on runtime-go
2026-05-12 19:55:54 -05:00
Dan Mihai
3799473041 Merge pull request #13010 from microsoft/danmihai1/label-references
genpolicy: support env variable values sourced from metadata.labels values
2026-05-12 15:41:11 -07:00
Manuel Huber
93e93f36ea genpolicy: model ignored Pod node affinity fields
Add Kubernetes nodeAffinity structures so genpolicy can parse Pod
YAMLs that carry scheduling constraints ignored by policy.

Cover the shape in the ignored-fields fixture alongside the
existing Pod affinity and anti-affinity data.

Assisted-by: OpenAI Codex <codex@openai.com>
Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-12 15:03:14 -07:00
Aurélien Bombo
555b7738fe runtime-rs: align virtiofsd args on runtime-go
Runtime-go doesn't hardcode --sandbox none --seccomp none [1],
so mirror that in runtime-rs.

 [1]: 733ccb3254/src/runtime/virtcontainers/virtiofsd.go (L183)

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-05-12 12:51:32 -05:00
stevenhorsman
7cc72b933d versions: bump golang.org/x/net to v0.53.0
Bump golang.org/x/net to resolve CVE:
- GO-2026-4918

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
2026-05-12 11:56:26 +01:00
stevenhorsman
4a65aca9cf versions: bump golang to 1.25.10
Bump the go version to resolve CVEs:
- GO-2026-4918
- GO-2026-4971
- GO-2026-4976
- GO-2026-4977
- GO-2026-4980
- GO-2026-4981
- GO-2026-4982
- GO-2026-4986

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Assisted-by: IBM Bob
2026-05-12 11:56:13 +01:00
Ubuntu
b95be5332a genpolicy: env variables from metadata.labels
Add basic genpolicy support for container environment variables sourced
from metadata.labels.

In this implementation, the relevant labels must be available as input
to the policy tool. This is slightly different from the way variables
sourced from metadata.annotations are treated by the tool: when the
relevant annotation is not available as input, the generated Policy
allows any value. Depending on metadata.labels use cases that we might
encounter maybe the labels will be handled the same way as the
annotations in the future.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 23:35:56 +00:00
Dan Mihai
e71cf4d4ca genpolicy: call get_annotations() when/if needed
Call get_annotations() only when/if the annotations get used.

The new structure of the code fits better with the future calls to a
similar get_labels() function.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 22:55:54 +00:00
stevenhorsman
e92d954b51 agent-ctl: Swap rootfs bundle pull implementation
Switch the rootfs bundle pull implementatio from using image-rs to
use skopeo and umoci to remove the really long crate dependency
tail that image-rs brings.

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-07 21:11:27 +01:00
Alex Lyn
4f618d09d5 runtime-rs: Add Pod Resources CDI discovery in sandbox
Query the kubelet Pod Resources API during sandbox setup to discover
which GPU devices have been allocated to the pod. When cold_plug_vfio
is enabled, the sandbox resolves CDI device specs, extracts host PCI
addresses and IOMMU groups from sysfs, and creates VfioModernCfg
device entries that get passed to the hypervisor for cold-plug.

Add pod-resources and cdi crate dependencies to the runtimes and
virt_container workspace members.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-07 10:33:26 +02:00
Alex Lyn
0bb9b66815 kata-sys-util: Add PCI helpers for VFIO cold-plug paths
The VFIO cold-plug path needs to resolve a PCI device's sysfs address
from its /dev/vfio/ group or iommufd cdev node. Extend the PCI helpers
in kata-sys-util to support this: add a function that walks
/sys/bus/pci/devices to find a device by its IOMMU group, and expose the
guest BDF that the QEMU command line will reference.

These helpers are consumed by the runtime-rs hypervisor crate when
building VFIO device descriptors for the QEMU command line.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-07 10:33:26 +02:00
manuelh-dev
8473144ee5 Merge pull request #12989 from microsoft/danmihai1/ignore-unnecessary-fields
genpolicy: ignore additional irrelevant fields
2026-05-06 23:54:39 -07:00
dependabot[bot]
8cc9325fee build(deps): bump openssl from 0.10.78 to 0.10.79
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.78 to 0.10.79.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.78...openssl-v0.10.79)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.79
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-06 10:19:15 +00:00
Fabiano Fidêncio
7f31fb4c58 Merge pull request #12873 from gkurz/lean-code-vendoring
Lean code vendoring
2026-05-06 12:15:02 +02:00
Greg Kurz
bb933f65e4 vendor: Remove make vendor across the repo
`make vendor` isn't required anymore. People who need vendored code should
use the `tools/packaging/release/generate_vendor.sh` script instead.

Assisted-by: Claude AI
Signed-off-by: Greg Kurz <groug@kaod.org>
2026-05-06 09:49:52 +02:00