chore(trdl): server v0 #11
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
distorhead
force-pushed
the
trdl_server_0
branch
from
baf0f6e
to
e39ddce
Compare
…amework#383) Bumps [securesystemslib](https://github.com/secure-systems-lab/securesystemslib) from 0.22.0 to 0.24.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/master/CHANGELOG.md) - [Commits](secure-systems-lab/securesystemslib@v0.22.0...v0.24.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
alexey-igrychev
force-pushed
the
trdl_server_0
branch
2 times, most recently
from
a4d366a
to
7cf2e88
Compare
…re dates Also added unit test case performing roles expiration rotation procedure. Signed-off-by: Timofey Kirillov <timofey.kirillov@flant.com>
alexey-igrychev
force-pushed
the
trdl_server_0
branch
from
7cf2e88
to
6f59db8
Compare
) Adds a new test for this case: if a client sees a new `timestamp.json` file with the same version as its current `timestamp.json` file, it should do nothing (no update, but also no error). A few other tests were implicitly relying on the fact that the client did a full update each time, so they've been updated to commit a new timestamp. This updates go-tuf for TUF specification v1.0.30 (fixes theupdateframework#321). The only substantive change was [theupdateframework/specification#209][tuf-spec-209], which clarifies the intended behavior for updating metadata files. Updates for other roles were already in compliance: - Root metadata: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L258 - Timestamp, checking snapshot version: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L751 - Snapshot, must match version from timestamp: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L667 - Snapshot, no rollback of targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L685 - Targets: https://github.com/theupdateframework/go-tuf/blob/13eff30efd6c61f165e1bf06e8c0e72f5a0e5703/client/client.go#L643 [tuf-spec-209]: (theupdateframework/specification#209). Signed-off-by: Zachary Newman <z@znewman.net> Signed-off-by: Zachary Newman <z@znewman.net>
* feat: pass logger into repo and client Signed-off-by: Asra Ali <asraa@google.com>
We fixed theupdateframework#321 but forgot to update this, so now the GH actions bot is confused (theupdateframework#391). Signed-off-by: Zachary Newman <z@znewman.net>
tests: update lint CI parameters Context: linting in CI (`golangci-lint`) occasionally times out on Windows (flaky). Most of the time, it's fast enough (~1min). But occasionally it hits the 3 minute timeout. It's somewhat expected that `golangci-lint` is slow: golangci/golangci-lint-action#297 This PR does 3 things: 1. Bump the timeout from 3 to 5 minutes (why solve the problem when you can band-aid it?) 2. Add the `--verbose` flag, so if we start to see this again we'll have much better information with which to figure out what specifically is taking so long. 3. Remove the patch number from the `golangci-lint` version; it's disallowed, according to the `golangci-lint` action README. Fixes theupdateframework#390 (for now). Signed-off-by: Zachary Newman <z@znewman.net> Signed-off-by: Zachary Newman <z@znewman.net>
Fixes theupdateframework#391; see that issue for justification. Signed-off-by: Zachary Newman <z@znewman.net> Signed-off-by: Zachary Newman <z@znewman.net>
….6.0 (theupdateframework#398) chore(deps): bump amannn/action-semantic-pull-request Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@91682d0...505e44b) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: fix logging of help message Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>
[docs] Fix broken link Signed-off-by: Zachary Newman <z@znewman.net> Signed-off-by: Zachary Newman <z@znewman.net>
do not fail fast. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Bumps [iso8601](https://github.com/micktwomey/pyiso8601) from 1.0.2 to 1.1.0. - [Release notes](https://github.com/micktwomey/pyiso8601/releases) - [Commits](micktwomey/pyiso8601@1.0.2...1.1.0) --- updated-dependencies: - dependency-name: iso8601 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Abhisman <abhisman.sarkar@gmail.com>
…framework#397) * Add Filesystem based remote store to support airgap. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Try with T.Cleanup too. Wonder if this goes to 11 at some point? Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * close the file. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * t.Cleanup vs. defer. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * omit one initializing test for windows. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> Signed-off-by: Ville Aikas <vaikas@chainguard.dev> Co-authored-by: Joshua Lock <jlock@vmware.com>
…updateframework#408) Bumps [arnested/go-version-action](https://github.com/arnested/go-version-action) from 1.1.5 to 1.1.6. - [Release notes](https://github.com/arnested/go-version-action/releases) - [Commits](arnested/go-version-action@6d27c59...b556f8d) --- updated-dependencies: - dependency-name: arnested/go-version-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
add back SnapshotFileMeta.custom Signed-off-by: Arthur Bellal <arthur.bellal@datadoghq.com> Signed-off-by: Arthur Bellal <arthur.bellal@datadoghq.com>
…#409) Signed-off-by: Zachary Newman <z@znewman.net> Signed-off-by: Zachary Newman <z@znewman.net>
…ork#410) fix: fix delegation null json value Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Radoslav Dimitrov <dimitrovr@vmware.com>
…framework#414) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@b55428b...13ae5bb) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0.0 (theupdateframework#415) chore(deps): bump amannn/action-semantic-pull-request Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 4.6.0 to 5.0.0. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@505e44b...5369185) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0.1 (theupdateframework#416) chore(deps): bump amannn/action-semantic-pull-request Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@5369185...570204e) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0.2 (theupdateframework#419) chore(deps): bump amannn/action-semantic-pull-request Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@570204e...01d5fd8) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ework#421) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@268d8c0...c4a742c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#420) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ff11ca2...b508e2e) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#423) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@537aa19...07db538) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…eupdateframework#424) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#418) * fix: fix verification to continue on invalid sigs Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Ethan Lowman <ethan.lowman@datadoghq.com> Signed-off-by: Ethan Lowman <ethan.lowman@datadoghq.com>
Update MAINTAINERS Remove @hosseinsia from list of maintainers. Thanks for your service! Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com> Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
…heupdateframework#433) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@07db538...0ad9a09) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…teframework#434) Update interop tests for new python-tuf release 2.0.0 Simply re-ran the generation scripts with the newest python-tuf release, renamed the directory to reflect the updated version and updated any references to the directory. Fixes theupdateframework#367 Signed-off-by: Joshua Lock <jlock@vmware.com>
* use Github's vulnerability reporting Signed-off-by: Marina Moore <mnm678@gmail.com> * Update docs/SECURITY.md Co-authored-by: Joshua Lock <jlock@vmware.com> Signed-off-by: Marina Moore <mnm678@users.noreply.github.com> Signed-off-by: Marina Moore <mnm678@gmail.com> Signed-off-by: Marina Moore <mnm678@users.noreply.github.com> Co-authored-by: Joshua Lock <jlock@vmware.com>
…ework#435) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@c4a742c...d0a58c1) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…updateframework#437) Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com>
…mework#384) * upgrade(localMeta): Verify delegated targets Adds verification of delegated targets when they go from the local store to the localMeta structure. The verification is done by selecting one target file per delegated targets that verify at least one, then build the delegation path from the top targets to that specific delegated file. Building the path is already verifying every targets in the path, so the whole path is safe to add to the localMeta. Doing so for every delegated targets lets us verify every delegated targets that is used at least once. Signed-off-by: Baptiste Foy <baptiste.foy@datadoghq.com>
…framework#443) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.3.0 to 4.4.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@13ae5bb...5ccb29d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ework#441) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d0a58c1...6edd440) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#442) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3.2.0 to 4.1.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@b508e2e...8f67e59) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…framework#445) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.4.0 to 4.5.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@5ccb29d...d27e3f3) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [requests](https://github.com/psf/requests) from 2.28.1 to 2.28.2. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.28.1...v2.28.2) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: asraa <asraa@google.com>
…amework#448) Bumps [securesystemslib](https://github.com/secure-systems-lab/securesystemslib) from 0.25.0 to 0.26.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/master/CHANGELOG.md) - [Commits](secure-systems-lab/securesystemslib@v0.25.0...v0.26.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…heupdateframework#447) Bumps [github.com/dustin/go-humanize](https://github.com/dustin/go-humanize) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/dustin/go-humanize/releases) - [Commits](dustin/go-humanize@v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: github.com/dustin/go-humanize dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: asraa <asraa@google.com>
…ions (theupdateframework#450) * test: add tests for rollback protection Signed-off-by: Asra Ali <asraa@google.com> * golangci-lint Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Ilya Lesikov <ilya@lesikov.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.