go.mod: update dependencies #1657

Draft
wants to merge 24 commits into
base: master

Conversation

thaJeztah
Contributor

This PR updates most dependencies to a more current version, better reflecting
the versions of these dependencies that are used in code consuming the notary
module. By updating, we're able to verify that the code in this repository doesn't
break with the newer versions.

There's a couple more dependencies to update, but some of those may require local
changes, so doing that separately.

I split the updates into many commits, picking an order of updates that allowed
for individual dependencies to be updated (using a different order often led to
many dependencies being updated at once, which makes reviewing the changes more
difficult). I included a link to the "full" diff for each update to assist in
reviewing as well.

I'm keeping this in draft for now, as I'm planning to do a round of "draft" PRs
in repositories that use notary as a dependency, to verify these updates are all
compatible (there's some indirect dependencies that are known to be problematic).

go.mod: github.com/spf13/cobra v1.6.1

Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed

full diff: spf13/cobra@v1.6.0...v1.6.1

go.mod: golang.org/x/term v0.1.0

The golang.org/x/ projects now tag releases.

full diff: golang/term@f5c789d...v0.1.0

go.mod: golang.org/x/sys v0.1.0

The golang.org/x/ projects now tag releases.

full diff: golang/sys@bc2c85a...v0.1.0

go.mod: golang.org/x/text v0.4.0

The golang.org/x/ projects now tag releases.

includes fixes for CVE-2022-32149 (v0.3.8)

full diff: golang/text@v0.3.3...v0.4.0

go.mod: golang.org/x/net v0.1.0

The golang.org/x/ projects now tag releases.

full diff: golang/net@f585440...v0.1.0

go.mod: golang.org/x/crypto v0.1.0

The golang.org/x/ projects now tag releases.

Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib:

Beginning with Go 1.13, the functionality of this package was moved to the
standard library as crypto/ed25519. This package only acts as a compatibility
wrapper.

full diff: golang/crypto@f585440...v0.1.0

go.mod: github.com/dvsekhvalnov/jose2go v1.5.0

Adds go.mod support

full diff: dvsekhvalnov/jose2go@248326c...v1.5.0

go.mod: github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d

full diff: Shopify/logrus-bugsnag@6dbc35f...577dee2

go.mod: github.com/sirupsen/logrus v1.9.0

full diff: sirupsen/logrus@v1.7.1...v1.9.0

go.mod: github.com/miekg/pkcs11 v1.0.3

full diff: miekg/pkcs11@v1.0.3...v1.1.1

go.mod: github.com/stretchr/testify v1.8.1

go.mod: google.golang.org/protobuf v1.28.0

go.mod: github.com/gogo/protobuf v1.3.2

contains fixes for CVE-2021-3121 "skippy peanut butter"

full diff: gogo/protobuf@v1.0.0...v1.3.2

go.mod: github.com/spf13/viper v1.13.0

removes the deprecated github.com/BurntSushi/toml dependency

full diff: spf13/viper@be5ff3e...v1.13.0

go.mod: github.com/opencontainers/image-spec v1.0.2

This is a dependency for docker/distribution, which does not yet use go modules,
so indirect dependencies aren't updated automatically.

image-spec v1.0.2 contains mitigations for CVE-2021-41190.

full diff: opencontainers/image-spec@v1.0.1...v1.0.2

go.mod: github.com/docker/distribution v2.8.1

full diff: distribution/distribution@v2.7.1...v2.8.1

go.mod: github.com/gorilla/mux v1.8.0

full diff: gorilla/mux@v1.7.0...v1.8.0

go.mod: github.com/prometheus/client_golang v1.12.1

not the latest version, but this version looks to be commonly used in various
projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1)

full diff: prometheus/client_golang@c332b6f...v1.12.1

go.mod: github.com/docker/go-metrics v0.0.1

adds go.mod

full diff: docker/go-metrics@c332b6f...v0.0.1

go.mod: github.com/cloudflare/cfssl v1.5.0

  • not using latest version, as that brings many indirect dependencies (through cobra)
  • removes github.com/gogo/protobuf dependency
  • unfortunately, brings back golang.org/x/crypto/ed25519 (will open a PR for that)

go.mod: github.com/matttproud/golang_protobuf_extensions v1.0.2

updating the indirect dependency to match other projects; this version adds
a go.mod;

full diff: matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2

thaJeztah added a commit to thaJeztah/buildx that referenced this pull request Nov 6, 2022
@thaJeztah
Contributor Author

Ah, I think this may be the "good ol" permissions issue; go mod does not persist executable permissions; golang/go#45231

We defined the Go module representation to be absolutely least common denominator across systems for portability. The Go module zip file is for dependencies that need to be downloaded and built by the go command. It is not meant to support anything more. By design, there are no permission bits, nor special files like symlinks, nor modification times.

Executing busybox-1.35.0-r15.trigger
OK: 22 MiB in 25 packages
go: downloading github.com/docker/distribution v2.8.1+incompatible
...
go: downloading github.com/cespare/xxhash v1.1.0

These files were modified:

?? vendor/github.com/docker/go-metrics/LICENSE

This is an actual failure; looks like some changes are needed for compatibility with Prometheus updates;

pkcs11 import was not found anywhere without a build tag, yay
+ /go/src/github.com/theupdateframework/notary/bin/static/notary-server
# github.com/theupdateframework/notary/server
server/server.go:127:9: undefined: prometheus.InstrumentHandlerWithOpts
server/server.go:235:44: undefined: prometheus.Handler
make: *** [Makefile:76: /go/src/github.com/theupdateframework/notary/bin/static/notary-server] Error 2

@thaJeztah
Contributor Author

Ah, I think this may be the "good ol" permissions issue; go mod does not persist executable permissions

whoops, nope, was my mistake, didn't stage a file 😂

The old code was no longer compatible with current versions of prometheus.
This switches the code to use docker/go-metrics, which is compatible with
current versions of prometheus, and already in use in other code in the
dependency tree.

I tried to keep the metrics the same as before, but there may be some
differences.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Fixes a panic when AddGroup isn't called before AddCommand(my-sub-command) is executed

Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases.

full diff: golang/term@f5c789d...v0.1.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases.

full diff: golang/sys@bc2c85a...v0.1.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases.

includes fixes for CVE-2022-32149 (v0.3.8)

full diff: golang/text@v0.3.3...v0.4.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases.

- updates to a version that fixes CVE-2022-27664

full diff: golang/net@f585440...v0.1.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
The golang.org/x/ projects now tag releases.

Also removing uses of golang.org/x/crypto/ed25519, which is now part of stdlib:

    Beginning with Go 1.13, the functionality of this package was moved to the
    standard library as crypto/ed25519. This package only acts as a compatibility
    wrapper.

full diff: golang/crypto@f585440...v0.1.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Adds go.mod support

full diff: dvsekhvalnov/jose2go@248326c...v1.5.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
contains fixes for CVE-2021-3121 "skippy peanut butter"

full diff: gogo/protobuf@v1.0.0...v1.3.2

Signed-off-by: Sebastiaan van Stijn <[email protected]>
removes the deprecated github.com/BurntSushi/toml dependency

full diff: spf13/viper@be5ff3e...v1.13.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>
This is a dependency for docker/distribution, which does not yet use go modules,
so indirect dependencies aren't updated automatically.

image-spec v1.0.2 contains mitigations for CVE-2021-41190.

full diff: opencontainers/image-spec@v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <[email protected]>
not the latest version, but this version looks to be commonly used in various
projects. Also contains fixes for CVE-2022-21698 (affects versions < 1.11.1)

full diff: prometheus/client_golang@c332b6f...v1.12.1

Signed-off-by: Sebastiaan van Stijn <[email protected]>
adds go.mod

full diff: docker/go-metrics@c332b6f...v0.0.1

Signed-off-by: Sebastiaan van Stijn <[email protected]>
not using latest version, as that brings many indirect dependencies (through cobra)

- removes github.com/gogo/protobuf dependency
- unfortunately, brings back golang.org/x/crypto/ed25519 (will open a PR for that)

Signed-off-by: Sebastiaan van Stijn <[email protected]>
updating the indirect dependency to match other projects; this version adds
a go.mod;

matttproud/golang_protobuf_extensions@v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Contributor Author

Interesting; breaking change in golang/x/sys?

+ go build -o /go/src/github.com/theupdateframework/notary/cross/darwin/amd64/notary -a -tags 'pkcs11 netgo' -ldflags '-w -X github.com/theupdateframework/notary/version.GitCommit=1c7f7186 -X github.com/theupdateframework/notary/version.NotaryVersion=0.7.0 ' ./cmd/notary
# golang.org/x/sys/unix
vendor/golang.org/x/sys/unix/syscall.go:83:16: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/syscall_darwin.go:95:8: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/syscall_unix.go:118:7: undefined: unsafe.Slice
vendor/golang.org/x/sys/unix/sysvshm_unix.go:33:7: undefined: unsafe.Slice
make: *** [Makefile:224: cross] Error 2

Exited with code exit status 2
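Two checks follow from this thread, given here as an added Go example that is not part of the PR or of the notary code base. The PR description names the first version of four modules that carries a CVE fix or mitigation: golang.org/x/text v0.3.8 (CVE-2022-32149), github.com/gogo/protobuf v1.3.2 (CVE-2021-3121), github.com/opencontainers/image-spec v1.0.2 (CVE-2021-41190) and github.com/prometheus/client_golang v1.11.1 (CVE-2022-21698). A consumer of notary can verify that none of its own requirements still sit below those floors by parsing its go.mod; the program below does that, and also compares the running toolchain with the go directive, which bears on the cross-build failure just above: unsafe.Slice was added to the language in Go 1.17, so "undefined: unsafe.Slice" is what a pre-1.17 toolchain reports when compiling a golang.org/x/sys release that uses it. The embedded go.mod and its version numbers are constructed for the example, and the thresholds in minFixed are copied from the PR description as written, so the check is only as complete as that list. Version ordering follows Go module conventions: numeric fields first, a pseudo-version or other pre-release below the release with the same numbers, and +incompatible ignored.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Constructed sample (not notary's go.mod): two modules sit below the
// fixed versions the PR description names, two sit at or above them.
const sampleGoMod = `go 1.17
require (
	github.com/gogo/protobuf v1.3.2
	github.com/opencontainers/image-spec v1.0.1
	github.com/prometheus/client_golang v1.11.0
	golang.org/x/text v0.4.0 // indirect
)`

// First version the PR description names as carrying each CVE's fix.
var minFixed = map[string]struct{ version, cve string }{
	"golang.org/x/text":                    {"v0.3.8", "CVE-2022-32149"},
	"github.com/gogo/protobuf":             {"v1.3.2", "CVE-2021-3121"},
	"github.com/opencontainers/image-spec": {"v1.0.2", "CVE-2021-41190"},
	"github.com/prometheus/client_golang":  {"v1.11.1", "CVE-2022-21698"},
}

// parseVersion splits "v1.2.3-pre+meta", "go1.17" or "1.17" into numeric
// fields; pre is true for a pre-release, which includes pseudo-versions
// such as v0.0.0-20171204204709-577dee27f20d. "+incompatible" is dropped.
func parseVersion(v string) (nums [3]int, pre, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	v, _, _ = strings.Cut(v, "+")
	v, _, pre = strings.Cut(v, "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// versionAtLeast reports have >= want in module version order (numeric
// fields, then pre-release below release). Unparseable input fails closed.
func versionAtLeast(have, want string) bool {
	h, hpre, ok1 := parseVersion(have)
	w, wpre, ok2 := parseVersion(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !hpre || wpre
}

// parseGoMod returns the go directive and module -> version for a block
// require directive (the form go mod tidy writes); // comments are stripped.
func parseGoMod(text string) (goDir string, reqs map[string]string) {
	reqs, block := map[string]string{}, ""
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		switch {
		case len(f) == 0:
		case block == "" && f[0] == "go" && len(f) == 2:
			goDir = f[1]
		case f[len(f)-1] == "(" || f[0] == ")": // block open / close
			block = strings.TrimSuffix(f[0], ")")
		case block == "require" && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return goDir, reqs
}

// belowFixed maps each required module still below its minFixed floor to
// a one-line reason; modules that are not required are not in the build.
func belowFixed(reqs map[string]string) map[string]string {
	out := map[string]string{}
	for mod, have := range reqs {
		if fix, ok := minFixed[mod]; ok && !versionAtLeast(have, fix.version) {
			out[mod] = fmt.Sprintf("%s < %s (%s)", have, fix.version, fix.cve)
		}
	}
	return out
}

func main() {
	goDir, reqs := parseGoMod(sampleGoMod)
	// unsafe.Slice arrived in Go 1.17; an older toolchain cannot build
	// dependencies that use it, as in the cross build above.
	fmt.Printf("go %s; %s satisfies it: %v\n", goDir, runtime.Version(), versionAtLeast(runtime.Version(), goDir))
	for mod, why := range belowFixed(reqs) {
		fmt.Println(mod, why)
	}
}
```

Run it with go run, or replace sampleGoMod with the contents of a real go.mod (os.ReadFile) to check a consumer's pins. Before Go 1.21 the go directive was advisory, so an older toolchain attempts the build and fails as shown above rather than refusing up front. govulncheck (golang.org/x/vuln) is the general tool for the dependency check; this example covers only the CVEs the PR itself names.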

1 participant