
Update to github.com/mtrmac/gpgme v0.1.2 #828

Merged 5 commits, Feb 27, 2020

Conversation

@mtrmac mtrmac commented Feb 21, 2020

This fixes CVE-2020-8945 by incorporating proglottis/gpgme#23 .

Other changes included by the rebase:

  • Support for gpgme_off_t (~no-op on Linux)
  • Wrapping a few more GPGME functions (irrelevant if we don't call them)

Given how invasive the CVE fix is (affecting basically all binding code), it seems safer to just update the package (and be verifiably equivalent with upstream) than to backport and try to back out the few other changes.

Performed by updating vendor.conf and

$ vndr github.com/mtrmac/gpgme

mtrmac and others added 4 commits February 21, 2020 16:29
... which was for some unknown reason removed in the previous backport.

Signed-off-by: Miloslav Trmač <[email protected]>

v1 is a branch, not a tag, so (make vendor) was updating it,
bringing unexpected (not necessarily unwanted, but unexpected)
changes.

Signed-off-by: Miloslav Trmač <[email protected]>
This fixes CVE-2020-8945 by incorporating proglottis/gpgme#23 .

Other changes included by the rebase:
- Support for gpgme_off_t (~no-op on Linux)
- Wrapping a few more GPGME functions (irrelevant if we don't call them)

Given how invasive the CVE fix is (affecting basically all binding
code), it seems safer to just update the package (and be verifiably
equivalent with upstream) than to backport and try to back out the few
other changes.

Performed by updating vendor conf and
$ vndr github.com/mtrmac/gpgme

Signed-off-by: Miloslav Trmač <[email protected]>

the package was renamed on Fedora 31.

Signed-off-by: Giuseppe Scrivano <[email protected]>

@mtrmac mtrmac force-pushed the gpgme-update-0.1.37 branch from 3718495 to 14f5abb Compare February 21, 2020 15:31

 - start_registry() - use bash builtins, not curl, to test
   if registry port is open.

   curl on Fedora now barfs with "Received HTTP/0.9 when not
   allowed" when the registry is run with SSL, because the
   response is not valid HTTP. One workaround would be 'curl
   --http0.9' but (surprise) that option doesn't exist on rhel8;
   and even with that option we would need --output /dev/null
   to silence a different curl warning. Curl is overkill
   for this purpose anyway, all we really need is netcat
   or some simple binary is-port-listening-or-not test.
   Fortunately, bash provides a /dev/tcp/<host>/<port>
   emulator that does the right thing and works on Fedora
   as well as RHEL8.

 - new log_and_run() helper

   This is the noisiest yet least critical part of this PR.
   I'm sorry. It's motivated by my frustration in trying
   to reproduce the curl problem above: getting just the
   right incantation of openssl + podman-run cost me time.
   With this enhancement, important commands are logged
   as part of the output of failing tests, making it
   easy[*] for maintenance programmers to figure out a
   recipe for reproducing the failure.

     [*] "easy" as long as the test-writing developer
         uses log_and_run() wisely.

Signed-off-by: Ed Santiago <[email protected]>
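The /dev/tcp port check described in the commit message above, written out as an added example (not code from this repository or its test suite); the function names port_is_open and wait_for_port are this example's own, and it assumes bash, since /dev/tcp is a bash feature rather than a real device:

```bash
#!/usr/bin/env bash
# Added example: test whether a TCP port is accepting connections using
# bash's /dev/tcp/<host>/<port> pseudo-device, with no curl or netcat.
# Because bash only performs the TCP connect and never speaks HTTP, the
# check is unaffected by a TLS-only registry answering with non-HTTP bytes
# (the "Received HTTP/0.9 when not allowed" curl failure described above).
# Function names are assumptions of this example, not the project's helpers.

# Return 0 if host:port accepts a TCP connection, 1 otherwise.
port_is_open() {
    local host=$1 port=$2
    # Open the socket in a subshell so the descriptor is closed right away;
    # 2>/dev/null hides the "Connection refused" message bash prints.
    ( exec 3<>"/dev/tcp/${host}/${port}" ) 2>/dev/null
}

# Poll once per second until the port is open; fail after $timeout seconds
# (default 10) so a registry that never starts does not hang the test.
wait_for_port() {
    local host=$1 port=$2 timeout=${3:-10} waited=0
    until port_is_open "$host" "$port"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$(( waited + 1 ))
    done
}

# Example use: wait_for_port 127.0.0.1 5000 5 || echo "registry not up"
```

If the shell running the test is not bash, the redirection simply fails and the check reports the port as closed, so the helper degrades to a false negative rather than a silent pass.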
rhatdan commented Feb 27, 2020

LGTM

@rhatdan rhatdan merged commit c79a5b4 into containers:release-0.1.37-rhel Feb 27, 2020
@mtrmac mtrmac deleted the gpgme-update-0.1.37 branch February 27, 2020 14:54
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2023