Skip to content
This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

Update go-containerregsitry dependency to 0.4.1 #1829

Merged
merged 1 commit into from
Apr 26, 2021
Merged

Update go-containerregsitry dependency to 0.4.1 #1829

merged 1 commit into from
Apr 26, 2021

Conversation

imjasonh
Copy link
Contributor

PR Checklist

Please check if your PR fulfills the following requirements:

  • [n] Tests for the changes have been added (for bug fixes / features)
  • [n] Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

Issue Number: #1814

What is the new behavior?

This updates the go-containerregistry dependency from 0.1.4 (October 2020) to 0.4.1 (March 2021)

This removes a dependency on a non-deterministic package resulting in inconsistent archive SHAs generated by GitHub's archive server. That upstream issue was also fixed in kubernetes/kubernetes#99376.

Other than removing this non-determinism, no major functional changes are expected. Some performance improvements and bugfixes have been added since 0.1.4, which might be beneficial.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@google-cla google-cla bot added the cla: yes label Apr 26, 2021
@imjasonh imjasonh mentioned this pull request Apr 26, 2021
Closed
@rockwotj rockwotj mentioned this pull request Apr 26, 2021
Closed
@steeve
Copy link

steeve commented Apr 26, 2021

Thank you for being so reactive, but 👎

Github branch/commit tarballs are dynamically generated. Don't depend on them having a stable SHA256. If the upstream rule is not distributing built artefacts, you'll need to use git_repository or go_repository or whatever rule that is stable.

In this case, use go_repository's commit and remote to pin a specific commit.

@imjasonh
Update go-containerregsitry dependency to 0.4.1
7ed4277 
Fetch repository using commit and importpath, instead of using
dynamically generated archive.
@imjasonh
Copy link
Contributor Author

I've updated this PR to use commit and importpath for go-containerregistry.

I haven't touched the other dependencies, but I can update those if you'd like.

@steeve
Copy link

steeve commented Apr 26, 2021

Not my call, but I feel this could be a good idea. Or let go_repository pull them as in module mode maybe?

@alexeagle alexeagle merged commit 881e779 into bazelbuild:master Apr 26, 2021
@imjasonh imjasonh mentioned this pull request Apr 26, 2021
Merged
12 tasks
@uhthomas
Copy link
Collaborator

The go_repository target is missing the sum attribute. The module downloaded through this rule will not be verified and poses a security risk.

@steeve
Copy link

steeve commented Apr 27, 2021

The go_repository target is missing the sum attribute. The module downloaded through this rule will not be verified and poses a security risk.

It is not downloaded as a module, but via a git commit, which is safe.

@uhthomas
Copy link
Collaborator

The go_repository target is missing the sum attribute. The module downloaded through this rule will not be verified and poses a security risk.

It is not downloaded as a module, but via a git commit, which is safe.

Downloading an archive just based on a git commit is not safe. All content must be verified, whether it be through the sum or sha256 attributes.

@imjasonh imjasonh mentioned this pull request Apr 29, 2021
Open
tcinbis added a commit to tcinbis/scion that referenced this pull request May 1, 2021
@tcinbis
Updating bazel rules_docker to version 0.17.0
7e3ef5a 
Previously the bazel build would fail because the sha on github's side
changed.
The fix was merged upstream in PR bazelbuild/rules_docker#1829 and
released with version 0.17.0.
@tcinbis tcinbis mentioned this pull request May 1, 2021
Closed
martaver pushed a commit to cleric-sh/rules_docker that referenced this pull request May 18, 2021
@imjasonh @martaver
Update go-containerregsitry dependency to 0.4.1 (bazelbuild#1829)
15aa838 
Fetch repository using commit and importpath, instead of using
dynamically generated archive.
peterjasc added a commit to squzy/squzy that referenced this pull request Jan 9, 2022
@peterjasc
update rules_docker github.com/bazelbuild/rules_docker/pull/1829
95c47a3
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@alexeagle alexeagle alexeagle approved these changes

@gravypod gravypod gravypod approved these changes

@pcj pcj Awaiting requested review from pcj pcj is a code owner

@smukherj1 smukherj1 Awaiting requested review from smukherj1 smukherj1 is a code owner

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@imjasonh @steeve @uhthomas @alexeagle @gravypod