Tianon Gravi
9dc5d8d755
Update stackoverflow link with credit (so I can ~see how often it gets clicked from SO's stats)
2025-03-17 14:20:11 -07:00
Tianon Gravi
641f4fa617
Adjust README order to put setpriv first in Alternatives (as it's the most appropriate alternative)
See also https://github.com/tianon/gosu/pull/143
2025-03-17 14:13:44 -07:00
Tianon Gravi
e157efb749
Update govulncheck to v1.1.4
2025-01-22 12:47:34 -08:00
Tianon Gravi
4233b796ee
Update to Alpine 3.20
2024-09-27 01:20:36 -07:00
Tianon Gravi
9842436d3b
Add "suite" aliases to published images (bookworm, alpine3.19)
2024-09-27 00:47:11 -07:00
Tianon Gravi
052c5c2b18
Merge pull request #147 from LukeParky/fix-dockerfile-test-link
Update broken Dockerfile.test link
2024-07-19 22:53:24 -07:00
Luke Parkinson
46d62581ab
Update broken dockerfile.test link
2024-07-16 12:45:53 +12:00
Tianon Gravi
dcb68b295a
Merge pull request #145 from tianon/govulncheck-latest
Fix govulncheck wrapper + run govulncheck on latest release periodically too
2024-06-06 12:05:08 -07:00
Tianon Gravi
7b1b498b98
Fix govulncheck wrapper + run govulncheck on latest release periodically too
2024-06-06 11:23:59 -07:00
Tianon Gravi
a094511005
Fix version reference
2024-06-03 13:51:42 -07:00
Tianon Gravi
68286328f5
Adjust su-exec references, especially to note the severe years-long issue with 0.3
2024-06-03 13:51:06 -07:00
Tianon Gravi
2189d77b74
Merge pull request #142 from self-five/rpm-install
Add an "RPM-based" section back to `INSTALL.md`
2024-05-29 14:10:44 -07:00
Tianon Gravi
08ad027f40
Add an "RPM-based" section back to INSTALL.md
Thanks to `rpm --query --queryformat='%{ARCH}' rpm`, I feel good about documenting this "officially" again. 🚀
2024-05-29 09:57:39 -07:00
Tianon Gravi
a1f38cab3a
Improve grammar around tooling in SECURITY
2024-03-21 11:30:35 -07:00
Tianon Gravi
1cd234d3a5
Update govulncheck to 1.0.4, actions versions
2024-03-20 21:21:48 -07:00
Tianon Gravi
75129e18c1
Merge pull request #140 from self-five/go1.20.5
Update to Go 1.20.5
2024-03-20 21:13:53 -07:00
Tianon Gravi
ccc5c46e5f
Switch from io.Writer to explicit *os.File (shaving off a tiny amount more bytes)
2024-03-20 09:41:19 -07:00
Tianon Gravi
ea17b7978d
Add a reference to the blog post about Go's "Minimal Version Selection"
2024-03-20 09:36:11 -07:00
Tianon Gravi
21b5265195
Adjust minimum required golang.org/x/sys down to v0.1.0
2024-03-20 05:05:50 -07:00
Tianon Gravi
9ea56fefdd
Update to Go 1.20.5
This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore).
Also:
- update the tests to Debian Bookworm and Alpine 3.19
- update `SECURITY.md` to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations)
2024-03-20 04:40:27 -07:00
Tianon Gravi
64a0cd92b7
Update SECURITY.md to better reflect the move to github.com/moby/sys/user
2024-03-20 04:27:56 -07:00
Tianon Gravi
0396450a9d
Slightly better / more up-to-date comment in setup-user.go
2024-03-20 04:17:26 -07:00
Tianon Gravi
2176ec2214
Add COPY --from=tianon/gosu to INSTALL.md
2024-03-20 04:06:59 -07:00
Tianon Gravi
f0ea85bbe8
Update tianon/gosu Alpine images to 3.19
2024-03-20 03:56:27 -07:00
Tianon Gravi
53c4966927
Merge pull request #139 from self-five/no-log-fmt-strings
Ditch `fmt`, `log`, `path/filepath`, and `strings` for ~17KB more savings
2024-03-20 03:45:04 -07:00
Tianon Gravi
04fac5a03d
Ditch fmt, log, path/filepath, and strings for ~17KB more savings
```console
$ stat --format '% 11n %s' gosu-before gosu-after
gosu-before 1495254
gosu-after 1478001
```
2024-03-20 03:30:30 -07:00
Tianon Gravi
a7a1ca6c70
Merge pull request #138 from AlexanderYastrebov/remove-template
Remove use of text/template
2024-03-19 21:32:26 -07:00
Alexander Yastrebov
96e1ec4c99
Remove use of text/template
Use of text/template inhibits dead code elimination, see https://github.com/golang/go/issues/62024
Building with go1.22.1 via `go build -v -trimpath -ldflags '-d -w'`
results in binary size reduction from 2704725 to 1652718 bytes (-39%).
2024-03-19 16:26:13 +01:00
Tianon Gravi
b73cc93b6f
Merge pull request #137 from self-five/trimpath
Add `-trimpath` to builds for cleaner embedded paths
2023-12-21 12:14:04 -08:00
Tianon Gravi
056c5dc2dd
Add -trimpath to builds for cleaner embedded paths
2023-12-21 11:56:12 -08:00
Tianon Gravi
2dada3bb5d
Rewrite gsl.sh so it relies less on SharedTags
This should make our "version" provenance metadata more correct
2023-11-02 16:25:39 -07:00
Tianon Gravi
bd5b5e8237
Update published images to Debian Bookworm, Alpine 3.18
2023-11-02 15:17:30 -07:00
Tianon Gravi
0d1847490b
Update to 1.17
2023-11-02 14:34:38 -07:00
Tianon Gravi
d1265292c7
Update "tianon/gosu" Docker Hub image to build via bashbrew instead of bespoke script
This gives us nice provenance, etc; see https://explore.ggcr.dev/?image=tianon/gosu:1.16
2023-11-02 14:30:48 -07:00
Tianon Gravi
99f2f7578f
Merge pull request #134 from neersighted/dep_cleanup
setup-user: use github.com/moby/sys/user
2023-11-02 14:23:27 -07:00
Bjorn Neergaard
165a750e27
setup-user: use github.com/moby/sys/user
Break the dependency on runc by using the new canonical source of the
`user` package at github.com/moby/sys.
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-27 07:32:05 +02:00
Bjorn Neergaard
f7d40f009b
setup-user: use golang.org/x/sys/unix
Prefer to use the latest syscall implementation, instead of the one that
was shipped with the Go compiler. As this was an indirect dependency,
this aligns all syscalls in the package to a common implementation.
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-27 07:32:04 +02:00
Bjorn Neergaard
512d5e6bdc
setup-user: use syscall instead of libcontainer/system
Since Go 1.16, [Go issue 1435][1] is solved, and the stdlib syscall
implementations work on Linux.
[1]: https://github.com/golang/go/issues/1435
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-27 07:31:46 +02:00
Tianon Gravi
7059acbd2e
Update govulncheck to v1.0.1
2023-09-04 20:13:31 -07:00
Tianon Gravi
a430ca0e10
Update govulncheck JSON parsing for v1.0.0
2023-07-13 10:24:27 -07:00
Tianon Gravi
facd58e00a
Update to govulncheck v1.0.0
2023-07-13 09:27:23 -07:00
Tianon Gravi
d347213bc4
Merge pull request #129 from self-five/govulncheck-with-excludes
Add new "govulncheck-with-excludes.sh" wrapper script
2023-06-27 13:04:30 -07:00
Tianon Gravi
d0aba5203f
Add new "govulncheck-with-excludes.sh" wrapper script
This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary.
Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).
2023-06-27 12:52:15 -07:00
Tianon Gravi
4f8f3870cf
Merge pull request #126 from self-five/govulncheck-0.1.0
Update govulncheck to the explicit new v0.1.0 release
2023-05-03 16:09:12 +00:00
Tianon Gravi
bfab97a4a3
Update govulncheck to the explicit new v0.1.0 release
2023-05-02 17:12:47 -07:00
Tianon Gravi
93cfc61c55
Remove explicit dirmngr reference
This is pulled in automatically via `gnupg`, and moved from `Recommends` to `Depends` in 99474ad900, which has been part of `src:gnupg2` since 2.1.21-4 (and every supported version of both Debian _and_ Ubuntu have 2.2.x 😇 ).
2023-04-28 15:41:37 -07:00
Tianon Gravi
bf158f3b52
Update "govulncheck" and add "-mode=binary"
See https://go-review.googlesource.com/c/vuln/+/481137 🙃
2023-04-14 16:13:48 -07:00
Tianon Gravi
6a1967c98c
Update CI's govulncheck (to a42f9910da)
2023-03-31 11:51:58 -07:00
Tianon Gravi
0e73477143
Update to 1.16
2022-12-19 16:41:18 -08:00
Tianon Gravi
bb69d2a31d
Merge pull request #121 from self-five/qemu
Use QEMU and "arch-test" to avoid bad binaries in the future
2022-12-19 16:39:49 -08:00