OSTree v2016.14
- From: Colin Walters <walters verbum org>
- To: ostree-list gnome org
- Subject: OSTree v2016.14
- Date: Wed, 23 Nov 2016 11:50:30 -0500

https://github.com/ostreedev/ostree/releases/tag/v2016.14

First, this release adds GPG verification for the commit objects
inside deltas. This was a vulnerability if you are fetching content
over plain HTTP, and is still important if using TLS. More
information is available in [the
commit](https://github.com/ostreedev/ostree/pull/589/commits/d06163038ff1ca407027d08e0f3c7d04c802810d)
and there is [continuing upstream
discussion](https://mail.gnome.org/archives/ostree-list/2016-October/msg00002.html)
of transport integrity models.

Also regarding GPG, we now make it easier to [use a GPG ASCII
key](https://github.com/ostreedev/ostree/pull/575/commits/9fb2d5a501660e155553d98998da87839287054c)
in a remote configuration.

Another major thing in this release is that we started making more use
of the [GCC/Clang sanitizers](https://github.com/google/sanitizers/wiki) like
`-fsanitize=address`, `-fsanitize=undefined` etc. and numerous small
memory leaks were fixed in particular.

Thanks to all contributors!

```
Abhay Kadam (1):
      Fix broken link in docs/CONTRIBUTING.md

Alexander Larsson (1):
      commit: Fix reading xattrs from OstreeRepoFile:s

Colin Walters (17):
      travis: Drop debian unstable since we can't fetch packages reliably
      pull: Add support for `http-headers` option
      pull: Redo logic for "scanning"
      lib: Define and use cleanup functions for gpgme
      lib: Split out helper function to create GPG context
      Add "gpgkeypath" option to remotes
      lib: Add an API to GPG verify a commit given a remote
      [UBSAN] deltas: Don't call memset(NULL, NULL, 0) with no xattrs
      [TSAN] main: Stop calling g_set_prgname()
      [TSAN] Rework assertions to always access refcount atomically
      pull: Dedup code for checking for > 0 valid results
      pull: Use new per-remote API for GPG verification
      pull: Do GPG verify commit objects when using deltas
      tests: Support TEST_SKIP_CLEANUP=err
      [ASAN] tests: Fix some memleaks in libarchive importer
      [ASAN] lib: Squash various leaks in library and commandline
      Release 2016.14

Jasper St. Pierre (3):
      ostree-repo: Fix parameter name
      ostree-repo-static-delta-processing: Don't close(-1)
      ostree-repo: Make the lock with a long-lasting FD

Jonathan Lebon (1):
      .redhat-ci.yml: no longer install libubsan & clang

William Manley (1):
      ostree commit: Fix combining trees with multiple --tree=ref arguments

Git-EVTag-v0-SHA512:
6756eef81978c4a9559327972b53019f9ea214ab92af266054d303770e7a60684e73fba0870fda81b5262a0ab3aae3f89d962cd346930932a3c668f081d5726a
```