Comparing changes
base repository: opencontainers/runc
base: v1.1.6
head repository: opencontainers/runc
compare: v1.1.7
- 14 commits
- 12 files changed
- 4 contributors
Commits on Apr 11, 2023
VERSION: go back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 7cd72cc
Commits on Apr 12, 2023
Kir Kolyshkin (2):
  VERSION: go back to development
  VERSION: release 1.1.6

LGTMs: AkihiroSuda thaJeztah mrunalp hqhq cyphar
Closes #3818
Commit 6ccf104
Commits on Apr 22, 2023
release: add runc.keyring file and script
In order to allow any of the maintainers to cut releases for runc, create a keyring file that distributions can use to verify that releases are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging, but it can be easily imported with "gpg --import" so any distribution should be able to handle this keyring format without issues.

Each key includes the GitHub handle of the associated user. There isn't any way for this information to be automatically verified (outside of using something like keybase.io) but since all changes of this file need to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit bd1d537

scripts: release: add verification checks for signing keys
We need to make sure the release is being signed by a key that is actually listed as a trusted signing key, and we also need to ask the person cutting the release whether the list of trusted keys is acceptable.

Also add some verification checks after a release is signed to make sure everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 853d5e3

keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are actually the keys of the specified user and that the users themselves are actually maintainers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 3bdb63b

keyring: add Aleksa's <asarai@suse.com> signing key
keyid 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4

This is the signing key I have used for all previous runc releases. You can also verify that this is the key trusted by openSUSE for all of our releases.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=5F36C6C61B5460124A75F5A69E18AA267DDB8DB4&fingerprint=on&op=index
Ref: https://build.opensuse.org/package/view_file/openSUSE:Factory/runc/runc.keyring?expand=1&rev=54
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Commit 63355bf

keyring: add Aleksa's <cyphar@cyphar.com> signing key
keyid C9C370B246B09F6DBCFC744C34401015D1D2D386

This is my personal signing key, which I've used to sign the vast majority of my commits on GitHub. While I usually sign releases using my <asarai@suse.de> signing key, it doesn't hurt to include this key too.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=C9C370B246B09F6DBCFC744C34401015D1D2D386&fingerprint=on&op=index
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit b6f686f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 6a806d4
Commits on Apr 25, 2023
libct/cg/sd: use systemd version when generating dev props
Commit 343951a added a call to os.Stat for the device path when generating systemd device properties, to avoid systemd warning for non-existing devices. The idea was, since systemd uses stat(2) to look up device properties for a given path, it will fail anyway. In addition, this allowed to suppress a warning like this from systemd:

> Couldn't stat device /dev/char/10:200

NOTE that this was done because:
 - systemd could not add the rule anyway;
 - runc puts its own set of rules on top of what systemd does.

Apparently, the above change broke some setups, resulting in inability to use e.g. /dev/null inside a container. My guess is this is because in cgroup v2 we add a second eBPF program, which is not used if the first one (added by systemd) returns "access denied".

Next, commit 3b95828 fixed that by adding a call to os.Stat for "/sys/"+path (meaning, if "/dev/char/10:200" does not exist, we retry with "/sys/dev/char/10:200", and if it exists, proceed with adding a device rule with the original (non-"/sys") path).

How that second fix ever worked was a mystery, because the path we gave to systemd still doesn't exist.

Well, I think now I know.

Since systemd v240 (commit 74c48bf5a8005f20) device access rules specified as /dev/{block|char}/MM:mm are no longer looked up on the filesystem, instead, if possible, those are parsed from the string.

So, we need to do different things, depending on systemd version:

 - for systemd >= v240, use the /dev/{char,block}/MM:mm as is, without doing stat() -- since systemd doesn't do stat() either;
 - for older version, check if the path exists, and skip passing it on to systemd otherwise.
 - the check for /sys/dev/{block,char}/MM:mm is not needed in either case.

Pass the systemd version to the function that generates the rules, and fix it accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d7208f5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 79a52b4

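The version-dependent choice described in the commit message above, as an added sketch that is not runc's own code and not part of the commit. Rule, deviceAllow and the injected exists check are hypothetical names, and only rules with a concrete major:minor are covered.

```go
package main

import (
	"fmt"
	"os"
)

// Rule is a hypothetical, simplified device rule with a concrete major:minor.
type Rule struct {
	Type         rune // 'c' (char) or 'b' (block)
	Major, Minor int64
	Perms        string // e.g. "rwm"
}

// deviceAllow returns the "path perms" entries to hand to systemd for the
// given systemd version. exists reports whether a path is present on the host.
func deviceAllow(sdVer int, rules []Rule, exists func(string) bool) []string {
	var out []string
	for _, r := range rules {
		dir := map[rune]string{'c': "char", 'b': "block"}[r.Type]
		if dir == "" {
			continue // unknown device type: nothing to emit
		}
		path := fmt.Sprintf("/dev/%s/%d:%d", dir, r.Major, r.Minor)
		// systemd >= v240 parses MM:mm from the string and does not stat it,
		// so the path is passed as is. Older systemd stats the path and warns
		// ("Couldn't stat device ...") when it is missing, so it is skipped.
		if sdVer < 240 && !exists(path) {
			continue
		}
		out = append(out, path+" "+r.Perms)
	}
	return out
}

// statExists is the real-host check; a fake can be injected for testing.
func statExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

func main() {
	// Constructed sample: /dev/null (1:3) and the 10:200 device from the warning.
	rules := []Rule{{'c', 1, 3, "rwm"}, {'c', 10, 200, "rwm"}}
	for _, v := range []int{239, 240} {
		fmt.Printf("systemd v%d: %q\n", v, deviceAllow(v, rules, statExists))
	}
}
```

On systemd >= v240 every rule reaches systemd regardless of what exists under /dev, which is the behaviour the commit relies on to keep devices such as /dev/null usable inside the container.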
scripts: keyring validate: print some more information
Add a little bit more diagnostic information to "make validate-keyring".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit b0fae8c

runc.keyring: add Akihiro Suda
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Commit c1063b1
Commits on Apr 26, 2023
Merge pull request #3845 from kolyshkin/1.1-rm-warning
[1.1] libct/cg/sd: use systemd version when generating dev props
Commit f72cd0a

Merge pull request #3838 from cyphar/1.1-release-gpgkeys
[1.1] release: add runc.keyring file
Commit 2648033

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Commit 860f061
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v1.1.6...v1.1.7