umoci 0.5.1 -- "🖤 Yuki (2021-2025)"
This is a fairly minor update to umoci, containing a few bugfixes for some potential issues, as well as finally removing the requirement for oci-image-tool validation. We still do not support the latest image-spec release, but decoupling from oci-image-tool is a very important first step.
Fixed
- For images with an empty `index.json`, umoci will no longer incorrectly set the `manifests` entry to `null` (which was technically a violation of the specification, though such images cannot be pushed or interacted with outside of umoci).
- Based on some recent developments in the image-spec, umoci will now produce an error if it encounters descriptors with a negative size (this was a potential DoS vector previously), as well as in the case of a theoretical attack where an attacker would endlessly write to a blob (this would not be generally exploitable for images with descriptors).
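The two checks described in the second fix, sketched as an added example that is not umoci's own code: a negative descriptor size is rejected up front, and the blob copy is bounded by the declared size so a source that never stops writing is cut off. `Descriptor`, `CopyVerified`, the error values and the `Endless` source are hypothetical names for this illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Descriptor is a hypothetical stand-in for an OCI descriptor.
type Descriptor struct {
	Digest string // "sha256:<hex>"
	Size   int64
}

var ErrNegativeSize = errors.New("descriptor has negative size")
var ErrSizeMismatch = errors.New("blob length does not match descriptor size")
var ErrDigest = errors.New("blob digest does not match descriptor")

// Endless is a constructed source that never returns EOF.
type Endless struct{}
func (Endless) Read(p []byte) (int, error) { return len(p), nil }

// CopyVerified copies a blob, reading at most desc.Size+1 bytes so an oversized
// or endless source is cut off, then checks length and sha256 digest.
func CopyVerified(dst io.Writer, src io.Reader, desc Descriptor) error {
	if desc.Size < 0 {
		return ErrNegativeSize
	}
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(dst, h), io.LimitReader(src, desc.Size+1))
	if err != nil {
		return err
	}
	if n != desc.Size {
		return ErrSizeMismatch
	}
	if fmt.Sprintf("sha256:%x", h.Sum(nil)) != desc.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	blob := []byte("constructed layer bytes")
	d := Descriptor{fmt.Sprintf("sha256:%x", sha256.Sum256(blob)), int64(len(blob))}
	fmt.Println(CopyVerified(io.Discard, bytes.NewReader(blob), d), CopyVerified(io.Discard, Endless{}, d))
}
```

On a size mismatch the destination may already hold up to `desc.Size+1` bytes, so a caller should write to a temporary file and discard it on any error.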
Changed
- We now use `go:embed` to fill the version information of `umoci --version`, allowing for users to get a reasonable binary with `go install`. However, we still recommend using our official binaries, using distribution binaries, or building from source with `make`.

- Rather than using `oci-image-tool validate` for validating images in our tests, we now make use of some hand-written smoke tests as well as the `jq`-based validators maintained in docker-library/meta-scripts.

  This is intended to act as a stop-gap until `umoci validate` is implemented (and after that, we may choose to keep the `jq`-based validators as a double-check that our own validators are working correctly).
Thanks to the following contributors who made this release possible:
- Adam Korcz <Adam@adalogics.com>
- Akhil Mohan <akhilerm@gmail.com>
- Aleksa Sarai <cyphar@cyphar.com>
This release is dedicated to our cat Yuki who sadly passed away on Friday. Most of the code I've written in the past four years was written with him purring away on my chest, and he was the most loving cat I've ever met. Rest in peace, little buddy. I hope you enjoyed your time with us, and I'll always keep you in my heart. 🖤
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>