skopeo-1.2.2-2.el9

- use rhel-shortnames only from trusted registries
- sync with config files from current versions of vendored projects

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

containers-policy.json.5.md

@@ -65,7 +65,8 @@ The `atomic:` transport refers to images in an Atomic Registry.
 
 Supported scopes use the form _hostname_[`:`_port_][`/`_namespace_[`/`_imagestream_ [`:`_tag_]]],
 i.e. either specifying a complete name of a tagged image, or prefix denoting
-a host/namespace/image stream.
+a host/namespace/image stream or a wildcarded expression for matching all
+subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
 
 *Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used
 e.g. for `docker pull`), _not_ to the OpenShift API host and port.
@@ -90,7 +91,9 @@ Scopes matching individual images are named Docker references *in the fully expa
 using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
 
 More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
-a repository namespace, or a registry host (by only specifying the host name).
+a repository namespace, or a registry host (by only specifying the host name)
+or a wildcarded expression for matching all subdomains. For wildcarded subdomain
+matching, `*.example.com` is a valid case, but `example*.*.com` is not.
 
 ### `oci:`
 
@@ -253,6 +256,8 @@ selectively allow individual transports and scopes as desired.
             /* Similarly, allow installing the “official” busybox images.  Note how the fully expanded
                form, with the explicit /library/, must be used. */
             "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}]
+            /* Allow installing images from all subdomains */
+            "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}]
             /* Other docker: images use the global default policy and are rejected */
         },
         "dir": {

containers-registries.conf.5.md

@@ -164,10 +164,10 @@ If `short-name-mode` is not specified at all or left empty, default to the
 `permissive` mode.  If the user-specified short name was not aliased already,
 the `enforcing` and `permissive` mode if prompted, will record a new alias
 after a successful pull.  Note that the recorded alias will be written to
-`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
+`/var/cache/containers/short-name-aliases.conf` for root to have a clear
 separation between possibly human-edited registries.conf files and the
-machine-generated `short-name-aliases-conf`.  Note that `$HOME/.config` is used
+machine-generated `short-name-aliases-conf`.  Note that `$HOME/.cache` is used
-if `$XDG_CONFIG_HOME` is not set.  If an alias is specified in a
+for rootless users.  If an alias is specified in a
 `registries.conf` file and also the machine-generated
 `short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
 

seccomp.json

@@ -89,6 +89,7 @@
 				"epoll_ctl",
 				"epoll_ctl_old",
 				"epoll_pwait",
+				"epoll_pwait2",
 				"epoll_wait",
 				"epoll_wait_old",
 				"eventfd",
@@ -117,7 +118,11 @@
 				"flock",
 				"fork",
 				"fremovexattr",
+				"fsconfig",
 				"fsetxattr",
+				"fsmount",
+				"fsopen",
+				"fspick",
 				"fstat",
 				"fstat64",
 				"fstatat64",
@@ -205,6 +210,7 @@
 				"mmap",
 				"mmap2",
 				"mount",
+				"move_mount",
 				"mprotect",
 				"mq_getsetattr",
 				"mq_notify",
@@ -227,6 +233,7 @@
 				"open",
 				"openat",
 				"openat2",
+				"open_tree",
 				"pause",
 				"pidfd_getfd",
 				"pidfd_open",
@@ -730,6 +737,7 @@
 		{
 			"names": [
 				"kcmp",
+				"process_madvise",
 				"process_vm_readv",
 				"process_vm_writev",
 				"ptrace"

skopeo.spec

@@ -1,4 +1,3 @@
-%global _lto_cflags %{nil}
 %global with_check 0
 
 %global _find_debuginfo_dwz_opts %{nil}
@@ -12,16 +11,16 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 %endif
 
 %global import_path github.com/containers/skopeo
-%global branch release-1.2
+#%%global branch release-1.2
 # Bellow definitions are used to deliver config files from a particular branch
 # of c/image, c/common, c/storage vendored in all podman, skopeo, buildah.
 # These vendored components must have the same version. If it is not the case,
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # podman/skopeo/podman.
-%global podman_branch v3.0
+%global podman_branch master
-%global image_branch  v5.9.0
+%global image_branch  v5.10.2
-%global common_branch v0.33.0
+%global common_branch v0.33.4
-%global storage_branch v1.24.5
+%global storage_branch v1.24.6
 %global shortnames_branch main
 %global commit0 e72dd9c5c834f3cd7fb8b1aab4021d9d4412f305
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
@@ -29,7 +28,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: skopeo
 Version: 1.2.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@@ -234,6 +233,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 
 %changelog
+* Wed Mar 03 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.2.2-2
+- use rhel-shortnames only from trusted registries
+- sync with config files from current versions of vendored projects
+
 * Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.2.2-1
 - update to the latest content of https://github.com/containers/skopeo/tree/release-1.2
   (https://github.com/containers/skopeo/commit/e72dd9c)

sources

@@ -1 +1 @@
-SHA512 (release-1.2-e72dd9c.tar.gz) = 6702b81450eb33a5e079f545e3c38656356d76ef284e7674566ad48185798ba91e7980f88247a3ba6e6a38af9b57faa4f5c433d10b0430b8268c9655ab296b3e
+SHA512 (skopeo-1.2.2-e72dd9c.tar.gz) = a9d2b0ef07f5be8a2873285d8c4078d6a5334df69207248ff8a725a5744a99f1c577c5a7c2da3bd8c4b394f445c6c14b25464626148ad7a205a55c636b39d068