We moved to the major release branches with a `.x` suffix and forgot to
adjust this workflow to run on branches like `27.x`.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Non-distributable artifacts (also called foreign layers) were introduced in
docker v1.12 to accommodate Windows images for which the EULA did not allow
layers to be distributed through registries other than those hosted by Microsoft.
The concept of foreign / non-distributable layers was adopted by the OCI distribution
spec in [oci#233]. These restrictions were relaxed later to allow distributing
these images through non-public registries, for which a configuration was added
in Docker v17.0.6.0.
In 2022, Microsoft updated the EULA and [removed these restrictions][msft-3645201],
followed by the OCI distribution specification deprecating foreign layers in [oci#965].
In 2023, Microsoft [removed the use of foreign data layers][msft-3846833] for their images,
making this functionality obsolete.
Docker v28.0 deprecates the `--allow-nondistributable-artifacts` daemon flag and
corresponding `allow-nondistributable-artifacts` field in `daemon.json`. Setting
either option no longer takes an effect, but a deprecation warning log is added
to raise awareness about the deprecation. This warning is planned to become an
error in the Docker v29.0.
Users currently using these options are therefore recommended to remove this
option from their configuration to prevent the daemon from starting when
upgrading to Docker v29.0.
The `AllowNondistributableArtifactsCIDRs` and `AllowNondistributableArtifactsHostnames`
fields in the `RegistryConfig` of the `GET /info` API response are also deprecated.
For API version v1.48 and lower, the fields are still included in the response
but always `null`. In API version v1.49 and higher, the field will be omitted
entirely.
[oci#233]: https://github.com/opencontainers/image-spec/pull/233
[oci#965]: https://github.com/opencontainers/image-spec/pull/965
[msft-3645201]: https://techcommunity.microsoft.com/blog/containers/announcing-windows-container-base-image-redistribution-rights-change/3645201
[msft-3846833]: https://techcommunity.microsoft.com/blog/containers/announcing-removal-of-foreign-layers-from-windows-container-images/3846833
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- update github.com/Azure/go-ansiterm to v0.0.0-20250102033503-faa5f7b0171c
to fix OSC string terminator parsing.
- add security policy
- update github actions and test against go1.22, go1.23
full diff: https://github.com/moby/term/compare/v0.5.0...v0.5.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This flag was deprecated in docker v24.0, and no longer functional
since v25.0; fully removed in v26.0, so we can remove the docs
for this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This flag was deprecated in docker v24.0, and no longer functional
since v25.0; fully removed in v26.0, so we can remove the docs
for this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The use of pools here is unnecessary and creates a code dependency on
moby library which will move to internal.
The pool does not provide any value here since it is only done for a
single operation and unlikely performed in alongside other operations
which are re-using the buffers many times between garbage collections.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This snippet was added in [docker@38ec5d8][1]. The intent was to indicate
that an empty value is equivalent to passing "default" as value. However,
passing the `--isolation` flag _without a value_ (i.e., no `=` specified)
will fail in many cases, as any string after it will be parsed as value
(e.g. `docker run --isolation busybox` would consider `busybox` as value).
This patch removes these lines as they add more confusion than addressing.
[1]: 38ec5d86a3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently the cp will tar from the same directory it will untar into
simultaneously. There is a race between reading the file and truncating
the file for write, however, the race will not show up with a large
enough buffer on the tar side if buffered before the copy begins.
Also removes the unnecessary deferred removal, the removal is handled by
cleanup and respects the no cleanup env.
Signed-off-by: Derek McGowan <derek@mcg.dev>
contains a fix for CVE-2024-45338 / https://go.dev/issue/70906,
but it doesn't affect our codebase:
govulncheck -show=verbose ./...
Scanning your code and 1260 packages across 211 dependent modules for known vulnerabilities...
...
Vulnerability #1: GO-2024-3333
Non-linear parsing of case-insensitive content in golang.org/x/net/html
More info: https://pkg.go.dev/vuln/GO-2024-3333
Module: golang.org/x/net
Found in: golang.org/x/net@v0.32.0
Fixed in: golang.org/x/net@v0.33.0
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
full diff: https://github.com/golang/net/compare/v0.32.0...v0.33.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
update to the latest version of this dependency, which has a fix for a
authorization bypass in the ssh package. We don't use this functionality,
so there's no need to backport this change (other than de-noising false positives).
This is CVE-2024-45337 and Go issue https://go.dev/issue/70779.
full diff: https://github.com/golang/crypto/compare/v0.29.0...v0.31.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
