2017.12
Release 2017.12
Quite a lot in this release. First, on the notable bugfix side,
we fixed an issue where background threads could remain alive
after an error was encountered during pulls. Particularly
for projects like flatpak that do multiple pulls in process, this
is an important fix.
PR: #1185
Another important change related to pulls is that libostree now
performs checksums again when mirroring.
The intent of skipping them was to speed up mirroring, but it led to a confusing security
story. Now it's easier to explain: for HTTP pulls we verify checksums
(and this can be disabled); for local filesystem pulls we don't
(but it can be enabled). We've always verified checksums by
default when pulling from an archive repository into a non-archive.
PR: #1212
Anton Gerasimov contributed a change to the libcurl backend
to support PKCS#11 URIs, useful for storing certificates in a
hardware or software enclave.
PR: #1183
The schema for the experimental OstreeRepoFinderMount API to find OSTree
repos on removable media has changed incompatibly, so that the media doesn’t
need to contain two similar lists of refs. It will now look in .ostree/repos.d,
.ostree/repo, ostree/repo and var/lib/flatpak paths on removable media.
PR: #1179
Similarly, the experimental ostree_repo_resolve_keyring_for_collection() API
has changed to return an OstreeRemote containing the keyring, rather than just
the keyring, making it more generally useful.
PR: #1202
The bloom filter used when finding refs from remote peers has been fixed to
work correctly on 32-bit architectures (such as ARM). This doesn’t change the
bloom filter format, but will require bloom filters created on 32-bit
architectures to be regenerated in order for advertisements from those machines
to work.
PR: #1231
Repositories which have a collection ID set will now put their repository
metadata in an ostree-metadata ref when ostree summary --update is run, in
addition to putting it in the summary file. This is part of a plan to securely
allow unsigned summary files for peer-to-peer pulling of refs. This won’t
happen for repositories which don’t have a collection ID set, or if
--enable-experimental-api is not configured.
PR: #1158
A new ostree create-usb command has been added (if configured with
--enable-experimental-api) which can be used to put refs from repositories onto
removable media in a format which can be detected by OstreeRepoFinderMount.
This allows, for example, easy sharing of flatpaks or OS updates between offline
machines.
PR: #1182
OstreeRepo has gained hash() and equal() methods, so it can now easily be used
in a hash table based on its device number and inode, rather than using its
path.
PR: #1179
PR: #1205
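Why device number and inode make a better hash-table key than a path, as an added example (plain POSIX C, not libostree code): the same directory reached through a symlink has a different path string but the same identity. The `dir_id` type, the helper names, the mixing function and the scratch directories under /tmp are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical identity key: what the kernel says the directory is. */
typedef struct { dev_t dev; ino_t ino; } dir_id;

static int dir_id_of(const char *path, dir_id *out)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    *out = (dir_id){ st.st_dev, st.st_ino };
    return 0;
}

/* Assumed mixing function for hash-table bucketing; equal ids hash equal. */
static unsigned dir_id_hash(const dir_id *id)
{
    unsigned long long v = ((unsigned long long)id->dev * 1000003ULL) ^ (unsigned long long)id->ino;
    return (unsigned)(v ^ (v >> 32));
}

/* 1 if both paths name the same directory, 0 if not, -1 on error. */
static int same_dir(const char *a, const char *b)
{
    dir_id ia, ib;
    if (dir_id_of(a, &ia) != 0 || dir_id_of(b, &ib) != 0)
        return -1;
    return ia.dev == ib.dev && ia.ino == ib.ino && dir_id_hash(&ia) == dir_id_hash(&ib);
}

/* Constructed scenario: returns 1 when a symlink alias of `a` matches and `b` does not. */
static int alias_demo(void)
{
    char a[] = "/tmp/repo-a-XXXXXX", b[] = "/tmp/repo-b-XXXXXX", alias[64];
    if (!mkdtemp(a) || !mkdtemp(b))
        return -1;
    snprintf(alias, sizeof alias, "%s.alias", a);
    if (symlink(a, alias) != 0)
        return -1;
    int ok = strcmp(a, alias) != 0 && same_dir(a, alias) == 1 && same_dir(a, b) == 0;
    unlink(alias); rmdir(a); rmdir(b);
    return ok;
}
int main(void) { printf("alias matches, other does not: %d\n", alias_demo()); return 0; }
```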
A minor bug was fixed in rofiles-fuse, which would cause files to be
created with random mode bits if called for O_RDONLY.
PR: #1200
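The general rule behind this class of bug, as an added example (plain POSIX C, not the rofiles-fuse code): open(2) consumes a mode argument whenever O_CREAT is set, regardless of the access mode, so a create path has to forward it for O_RDONLY as well. `create_file`, `created_mode` and the scratch directory under /tmp are hypothetical names chosen for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical create handler. open(2) reads its mode argument whenever
 * O_CREAT is set, whatever the access mode, so the mode is forwarded for
 * O_RDONLY too. A call that omits it gets an arbitrary value as the mode. */
static int create_file(int dirfd, const char *name, int flags, mode_t mode)
{
    return openat(dirfd, name, flags | O_CREAT | O_EXCL | O_CLOEXEC, mode);
}

/* Create a file in a constructed scratch directory under /tmp and return
 * the permission bits it ended up with, or -1 on error. */
static int created_mode(int access_mode, mode_t mode)
{
    char tmpl[] = "/tmp/modebits-XXXXXX";
    struct stat st;
    int result = -1;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd >= 0) {
        mode_t old = umask(0);          /* make the expected bits exact */
        int fd = create_file(dirfd, "f", access_mode, mode);
        umask(old);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0)
                result = (int)(st.st_mode & 07777);
            close(fd);
            unlinkat(dirfd, "f", 0);
        }
        close(dirfd);
    }
    rmdir(tmpl);
    return result;
}

int main(void)
{
    printf("O_RDONLY|O_CREAT, mode 0640 -> %04o\n", (unsigned)created_mode(O_RDONLY, 0640));
    printf("O_WRONLY|O_CREAT, mode 0600 -> %04o\n", (unsigned)created_mode(O_WRONLY, 0600));
    return 0;
}
```

A regression test for a create path can use the same check: create with each access mode and compare the `fstat()` permission bits against the requested mode.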
For clients that use OstreeRepoDevInoCache, a bug was fixed which
caused libostree to ignore callbacks that allow modifying file modes,
ownership, and extended attributes.
PR: #1170
libostree now supports --with-crypto=gnutls. Like the OpenSSL
support, this is currently just checksums, but Jussi Laako
is driving this towards making the GPG
dependency optional and supporting other signature methods.
PR: #1189
In previous releases, libostree learned how to make hardlinks
for local pulls. But if we couldn't hardlink (e.g. the devices
were separate), the local pull code went through a much slower
generic path that included re-checksumming
objects. Now there's a copy/reflink fast path that uses
FICLONE/copy_file_range() directly if possible. This can be
substantially faster.
PR: #1197
ostree prune learned a new --only-branch option. This
can be a lot more convenient for release engineering tasks.
PR: #1127
As usual, more work was done to improve the testsuite. It should
now be able to better detect tmpfs/overlayfs environments. The
upstream CI now also runs tests in a non-overlayfs environment
for better coverage.
PR: #1217
PR: #1170
Anton Gerasimov (1):
      Add support for pkcs11 URIs in TLS client key/certificate
Colin Walters (38):
      lib/repo: Port gpg signing function to new code style
      lib/checkout: Do UNION_FILES via atomic renameat()
      lib/pull: Drop partial fetch code from libsoup backend
      Update libglnx
      tests/prune: Factor out a helper for counting commits in the repo
      bin/prune: Add --only-branch
      ci: Use distro-sync instead of upgrade
      tree-wide: Some glnx_fstatat_allow_noent() porting
      lib/repo: Minor cleanup to object import function
      lib/pull: Wait for pending ops to complete on error
      tests/libtest: Factor out user xattr detection
      lib/repo: Don't syncfs or fsync() dirs if fsync opt is disabled
      lib/repo: Move alloca() outside of loop
      lib/checkout: Squash a gcc maybe-uninitialized warning
      tree-wide: Squash a few warnings when building with no features
      lib: Move bareuseronly verification into commit/core
      lib/commit: Don't try to call linkat() for import on distinct devices
      ci: Add an "all options disabled" context
      lib/repo: Use correct name for tmpdir lockfile
      tree-wide: Remove Emacs modelines
      lib/core: Add static assertions for OstreeRepoMode enum values
      lib: Define an alias OSTREE_REPO_MODE_ARCHIVE
      lib/commit: Some misc porting to decl-after-stmnt
      lib/commit: Add a copy fastpath for imports
      bin/pull: Fix description of --untrusted
      lib/pull: Minor refactoring of metadata scanning function
      lib/pull: Refactor to use OstreeRepoImportFlags internally
      lib/pull: Default checksum for archive mirror, add TRUSTED_HTTP flag
      tests,ci: Move "test-basic" (bare mode) to installed test
      lib/pull: Add status for imported objects
      ci: Record primary context results using g-d-t-r --log-directory
      lib/diff: Add compile-time ABI check on 64 bit arches
      tests/commit-sign: Update a bit to more modern style
      lib/pull: Don't request deltas for unchanged commits
      tree-wide: Bump libglnx, port to new lockfile init
      tests: Add 404 tests for dirtree objects too
      libarchive: Fix assertion error if used with CANONICAL_PERMISSIONS
      Release 2017.12
Jonathan Lebon (11):
      build-sys: Post-release version bump
      rofiles-fuse: also pass mode for O_RDONLY
      tests: allow specifying tmpdir
      tests/libtest: check that we have setfattr
      Add a .vimrc and .editorconfig
      lib/commit: add comments to explain dir commit path
      lib/commit: fix using uninitialized var
      tests/libtest.sh: always nuke repo and files
      lib/commit: don't query devino cache for modified files
      tests: check for relabeling rather than overlay
      tests/installed: also run test-basic-c
Jussi Laako (1):
      Add --with-crypto=gnutls
Matthew Leeds (1):
      lib/pull: Clarify use of unsigned summary support
Philip Withnall (21):
      lib/repo: Add ostree_repo_equal() for comparing repos
      lib/repo-finder-mount: Change the schema for finding repos on volumes
      lib/repo: Drop outdated FIXME comment from ostree-repo.h
      lib/repo: Add ostree_repo_hash() and tests
      lib/repo-finder-mount: Add var/lib/flatpak as a well-known directory
      src/pull: Support local pulls for collection–refs
      create-usb: Add a create-usb command to complement OstreeRepoFinderMount
      lib/repo-refs: Add first version of ostree_repo_resolve_collection_ref()
      lib/repo-pull: Use resolve() instead of list() in fetch_ref_contents()
      lib/repo-pull: Fix a potential minor leak
      lib/repo: Change resolve_keyring_for_collection() to return a remote
      lib/remote: Store name of remote providing keyring for dynamic remotes
      lib/repo-pull: Fix remote names in refspecs from non-mirror P2P pulls
      tests: Add a manual integration test for OstreeRepoFinderMount
      tests: Update some tests to use OSTREE_REPO_MODE_ARCHIVE not ARCHIVE_Z2
      tests/repo: Drop modeline from top of file
      lib/bloom: Fix bloom hashing on 32-bit architectures
      lib/bloom: Fix a -Wconversion warning in OstreeBloom
      man: Fix a copypasta error in ostree-summary.xml
      ostree/summary: Eliminate redundant gotos from error handling path
      ostree/summary: Generate an ostree-metadata ref when updating summary
Simon McVittie (4):
      tests: Fix JavaScript tests with gjs 1.50.0
      test-help.sh: Skip trivial-httpd if enabled
      tests: Explicitly unset LANGUAGE after setting LC_ALL
      tests: Reset umask to 022 while creating test repository
yceh (1):
      bin/commit: Fix build failure when libarchive is not used
Git-EVTag-v0-SHA512: bfa0b7eceb4e4ac915d7ed0a352fa778e47d2ac2bac75fd895ede1f5bcbb65c44848505eb785bac45d57c5574f0ac1d3accb6c323617582cb25c55bc229a3294