Update Vendor of containers/(common, image, buildah)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/container-orchestrated-devices/container-device-interface v0.5.3
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
-	github.com/containers/buildah v1.28.1-0.20221122135051-c9f30d81ae37
-	github.com/containers/common v0.50.2-0.20221125103214-33a7a35ff671
+	github.com/containers/buildah v1.28.1-0.20221123095548-1c1fa111e4cc
+	github.com/containers/common v0.50.2-0.20221127123657-5cbd6c092582
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.23.1-0.20221121174826-d8eb9dd60533
+	github.com/containers/image/v5 v5.23.1-0.20221124171848-19f10aac8007
 	github.com/containers/ocicrypt v1.1.6
 	github.com/containers/psgo v1.8.0
 	github.com/containers/storage v1.44.1-0.20221121144727-71fd3e87df7a
@@ -93,7 +93,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/go-containerregistry v0.12.0 // indirect
+	github.com/google/go-containerregistry v0.12.1 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
@@ -102,7 +102,7 @@ require (
 	github.com/klauspost/compress v1.15.12 // indirect
 	github.com/klauspost/pgzip v1.2.6-0.20220930104621-17e8dac29df8 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20220929215747-76583552c2be // indirect
+	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
@@ -119,7 +119,7 @@ require (
 	github.com/proglottis/gpgme v0.1.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
-	github.com/sigstore/sigstore v1.4.5 // indirect
+	github.com/sigstore/sigstore v1.4.6 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
 	github.com/sylabs/sif/v2 v2.8.3 // indirect
 	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
@@ -131,11 +131,11 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
-	go.opencensus.io v0.23.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
-	google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a // indirect
+	google.golang.org/genproto v0.0.0-20221111202108-142d8a6fa32e // indirect
 	google.golang.org/grpc v1.50.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect

go.sum

@@ -262,14 +262,14 @@ github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHV
 github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
 github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
 github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
-github.com/containers/buildah v1.28.1-0.20221122135051-c9f30d81ae37 h1:XwZSJY+6fHAFp+6/TnG6IowKSBCR2BRn4iHgrMi4ks4=
-github.com/containers/buildah v1.28.1-0.20221122135051-c9f30d81ae37/go.mod h1:0HcSoS6BHXWzMKqtxY1L0gupebEX33oPC+X62lPi6+c=
-github.com/containers/common v0.50.2-0.20221125103214-33a7a35ff671 h1:bwTTW4lq5fLvYBJcOxMovk3YX8FANhQzrZ0+1R7am4k=
-github.com/containers/common v0.50.2-0.20221125103214-33a7a35ff671/go.mod h1:rzuZglPq/5sz6n29nhyDPCXh44CZymkCR2sacEZb7zw=
+github.com/containers/buildah v1.28.1-0.20221123095548-1c1fa111e4cc h1:PhYw1PLPiaApmKmjzX338u8iJRz2KGW1DyrvaPt7LVk=
+github.com/containers/buildah v1.28.1-0.20221123095548-1c1fa111e4cc/go.mod h1:0HcSoS6BHXWzMKqtxY1L0gupebEX33oPC+X62lPi6+c=
+github.com/containers/common v0.50.2-0.20221127123657-5cbd6c092582 h1:Fq+SGDW/BRqStCIviayyZ3lAM1OHvfuzHY9EFYpSzj4=
+github.com/containers/common v0.50.2-0.20221127123657-5cbd6c092582/go.mod h1:rzuZglPq/5sz6n29nhyDPCXh44CZymkCR2sacEZb7zw=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/image/v5 v5.23.1-0.20221121174826-d8eb9dd60533 h1:VxrXA+okqhSOLOBtprMwbd1oJCUFTZowW3diaRmRGQw=
-github.com/containers/image/v5 v5.23.1-0.20221121174826-d8eb9dd60533/go.mod h1:V6DfpgeUBS0W5KrbZXKpY/DmVJVSPabfBXYUfGDO3EI=
+github.com/containers/image/v5 v5.23.1-0.20221124171848-19f10aac8007 h1:UdyeWjzN5V4Gz5h5tX3l/whBHzrdvlPpZDKu4JobN68=
+github.com/containers/image/v5 v5.23.1-0.20221124171848-19f10aac8007/go.mod h1:X3pdYvY0HVW9Re73Wa6YqZt3QyuZaCEUf/iDv/dvy1k=
 github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a h1:spAGlqziZjCJL25C6F1zsQY05tfCKE9F5YwtEWWe6hU=
 github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
@@ -491,8 +491,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
-github.com/google/go-containerregistry v0.12.0 h1:nidOEtFYlgPCRqxCKj/4c/js940HVWplCWc5ftdfdUA=
-github.com/google/go-containerregistry v0.12.0/go.mod h1:sdIK+oHQO7B93xI8UweYdl887YhuIwg9vz8BSLH3+8k=
+github.com/google/go-containerregistry v0.12.1 h1:W1mzdNUTx4Zla4JaixCRLhORcR7G6KxE5hHl5fkPsp8=
+github.com/google/go-containerregistry v0.12.1/go.mod h1:sdIK+oHQO7B93xI8UweYdl887YhuIwg9vz8BSLH3+8k=
 github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM=
 github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -635,8 +635,8 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/letsencrypt/boulder v0.0.0-20220929215747-76583552c2be h1:Cx2bsfM27RBF/45zP1xhFN9FHDxo40LdYdE5L+GWVTw=
-github.com/letsencrypt/boulder v0.0.0-20220929215747-76583552c2be/go.mod h1:j/WMsOEcTSfy6VR1PkiIo20qH1V9iRRzb7ishoKkN0g=
+github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf h1:ndns1qx/5dL43g16EQkPV/i8+b3l5bYQwLeoSBe7tS8=
+github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf/go.mod h1:aGkAgvWY/IUcVFfuly53REpfv5edu25oij+qHRFaraA=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -805,8 +805,8 @@ github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
 github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
@@ -848,8 +848,8 @@ github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2
 github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sigstore/sigstore v1.4.5 h1:x3bJ5ZQZecsQysJjTmop8XMlAgifP+Id+bIxaFdkNkc=
-github.com/sigstore/sigstore v1.4.5/go.mod h1:mg/+e74CCjEdJpWNjWRAlxMUd39VWh5t1+JI9UcepoY=
+github.com/sigstore/sigstore v1.4.6 h1:2F1LPnQf6h1lRDCyNMoBE0WCPsA+IU5kAEAbGxG8S+U=
+github.com/sigstore/sigstore v1.4.6/go.mod h1:jGHEfVTFgpfDpBz7pSY4X+Sd+g36qdAUxGufNk47k7g=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -989,8 +989,9 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1253,7 +1254,7 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af h1:Yx9k8YCG3dvF87UAn2tu2HQLf2dt/eR1bXxpLMWeH+Y=
+golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1399,8 +1400,8 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a h1:GH6UPn3ixhWcKDhpnEC55S75cerLPdpp3hrhfKYjZgw=
-google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
+google.golang.org/genproto v0.0.0-20221111202108-142d8a6fa32e h1:azcyH5lGzGy7pkLCbhPe0KkKxsM7c6UA/FZIXImKE7M=
+google.golang.org/genproto v0.0.0-20221111202108-142d8a6fa32e/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=

vendor/github.com/containers/buildah/.cirrus.yml

@@ -140,7 +140,7 @@ cross_build_task:
         $CIRRUS_CRON != 'multiarch'
 
     osx_instance:
-        image: 'big-sur-base'
+        image: ghcr.io/cirruslabs/macos-ventura-base:latest
 
     script:
         - brew update

vendor/github.com/containers/common/pkg/config/config.go

@@ -959,11 +959,10 @@ func (c *NetworkConfig) Validate() error {
 // to first (version) matching conmon binary. If non is found, we try
 // to do a path lookup of "conmon".
 func (c *Config) FindConmon() (string, error) {
-	return findConmonPath(c.Engine.ConmonPath, "conmon", _conmonMinMajorVersion, _conmonMinMinorVersion, _conmonMinPatchVersion)
+	return findConmonPath(c.Engine.ConmonPath, "conmon")
 }
 
-func findConmonPath(paths []string, binaryName string, major int, minor int, patch int) (string, error) {
-	foundOutdatedConmon := false
+func findConmonPath(paths []string, binaryName string) (string, error) {
 	for _, path := range paths {
 		stat, err := os.Stat(path)
 		if err != nil {
@@ -972,29 +971,14 @@ func findConmonPath(paths []string, binaryName string, major int, minor int, pat
 		if stat.IsDir() {
 			continue
 		}
-		if err := probeConmon(path); err != nil {
-			logrus.Warnf("Conmon at %s invalid: %v", path, err)
-			foundOutdatedConmon = true
-			continue
-		}
 		logrus.Debugf("Using conmon: %q", path)
 		return path, nil
 	}
 
 	// Search the $PATH as last fallback
 	if path, err := exec.LookPath(binaryName); err == nil {
-		if err := probeConmon(path); err != nil {
-			logrus.Warnf("Conmon at %s is invalid: %v", path, err)
-			foundOutdatedConmon = true
-		} else {
-			logrus.Debugf("Using conmon from $PATH: %q", path)
-			return path, nil
-		}
-	}
-
-	if foundOutdatedConmon {
-		return "", fmt.Errorf("please update to v%d.%d.%d or later: %w",
-			major, minor, patch, ErrConmonOutdated)
+		logrus.Debugf("Using conmon from $PATH: %q", path)
+		return path, nil
 	}
 
 	return "", fmt.Errorf("could not find a working conmon binary (configured options: %v: %w)",
@@ -1005,7 +989,7 @@ func findConmonPath(paths []string, binaryName string, major int, minor int, pat
 // to first (version) matching conmonrs binary. If non is found, we try
 // to do a path lookup of "conmonrs".
 func (c *Config) FindConmonRs() (string, error) {
-	return findConmonPath(c.Engine.ConmonRsPath, "conmonrs", _conmonrsMinMajorVersion, _conmonrsMinMinorVersion, _conmonrsMinPatchVersion)
+	return findConmonPath(c.Engine.ConmonRsPath, "conmonrs")
 }
 
 // GetDefaultEnv returns the environment variables for the container.

vendor/github.com/containers/common/pkg/config/default.go

@@ -1,15 +1,11 @@
 package config
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"net"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"regexp"
-	"strconv"
 	"strings"
 
 	nettypes "github.com/containers/common/libnetwork/types"
@@ -24,28 +20,6 @@ import (
 )
 
 const (
-	// _conmonMinMajorVersion is the major version required for conmon.
-	_conmonMinMajorVersion = 2
-
-	// _conmonMinMinorVersion is the minor version required for conmon.
-	_conmonMinMinorVersion = 0
-
-	// _conmonMinPatchVersion is the sub-minor version required for conmon.
-	_conmonMinPatchVersion = 1
-
-	// _conmonrsMinMajorVersion is the major version required for conmonrs.
-	_conmonrsMinMajorVersion = 0
-
-	// _conmonrsMinMinorVersion is the minor version required for conmonrs.
-	_conmonrsMinMinorVersion = 1
-
-	// _conmonrsMinPatchVersion is the sub-minor version required for conmonrs.
-	_conmonrsMinPatchVersion = 0
-
-	// _conmonVersionFormatErr is used when the expected versio-format of conmon
-	// has changed.
-	_conmonVersionFormatErr = "conmon version changed format: %w"
-
 	// _defaultGraphRoot points to the default path of the graph root.
 	_defaultGraphRoot = "/var/lib/containers/storage"
 
@@ -470,70 +444,6 @@ func defaultTmpDir() (string, error) {
 	return filepath.Join(libpodRuntimeDir, "tmp"), nil
 }
 
-// probeConmon calls conmon --version and verifies it is a new enough version for
-// the runtime expectations the container engine currently has.
-func probeConmon(conmonBinary string) error {
-	cmd := exec.Command(conmonBinary, "--version")
-	var out bytes.Buffer
-	cmd.Stdout = &out
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-	r := regexp.MustCompile(`^(version:|conmon version)? (?P<Major>\d+).(?P<Minor>\d+).(?P<Patch>\d+)`)
-
-	matches := r.FindStringSubmatch(out.String())
-	if len(matches) != 5 {
-		return fmt.Errorf(_conmonVersionFormatErr, errors.New("invalid version format"))
-	}
-	major, err := strconv.Atoi(matches[2])
-
-	var minMajor, minMinor, minPatch int
-	// conmon-rs returns "^version:"
-	if matches[1] == "version:" {
-		minMajor = _conmonrsMinMajorVersion
-		minMinor = _conmonrsMinMinorVersion
-		minPatch = _conmonrsMinPatchVersion
-	} else {
-		minMajor = _conmonMinMajorVersion
-		minMinor = _conmonMinMinorVersion
-		minPatch = _conmonMinPatchVersion
-	}
-
-	if err != nil {
-		return fmt.Errorf(_conmonVersionFormatErr, err)
-	}
-	if major < minMajor {
-		return ErrConmonOutdated
-	}
-	if major > minMajor {
-		return nil
-	}
-
-	minor, err := strconv.Atoi(matches[3])
-	if err != nil {
-		return fmt.Errorf(_conmonVersionFormatErr, err)
-	}
-	if minor < minMinor {
-		return ErrConmonOutdated
-	}
-	if minor > minMinor {
-		return nil
-	}
-
-	patch, err := strconv.Atoi(matches[4])
-	if err != nil {
-		return fmt.Errorf(_conmonVersionFormatErr, err)
-	}
-	if patch < minPatch {
-		return ErrConmonOutdated
-	}
-	if patch > minPatch {
-		return nil
-	}
-
-	return nil
-}
-
 // NetNS returns the default network namespace.
 func (c *Config) NetNS() string {
 	return c.Containers.NetNS

vendor/github.com/letsencrypt/boulder/core/objects.go

@@ -175,11 +175,6 @@ type ValidationRecord struct {
 	//   ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
-
-	// OldTLS is true if any request in the validation chain used HTTPS and negotiated
-	// a TLS version lower than 1.2.
-	// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
-	OldTLS bool `json:"oldTLS,omitempty"`
 }
 
 func looksLikeKeyAuthorization(str string) error {

vendor/github.com/letsencrypt/boulder/core/util.go

@@ -26,6 +26,8 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 
+const Unspecified = "Unspecified"
+
 // Package Variables Variables
 
 // BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)")
@@ -182,7 +184,7 @@ func ValidSerial(serial string) bool {
 func GetBuildID() (retID string) {
 	retID = BuildID
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }
@@ -191,7 +193,7 @@ func GetBuildID() (retID string) {
 func GetBuildTime() (retID string) {
 	retID = BuildTime
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }
@@ -200,7 +202,7 @@ func GetBuildTime() (retID string) {
 func GetBuildHost() (retID string) {
 	retID = BuildHost
 	if retID == "" {
-		retID = "Unspecified"
+		retID = Unspecified
 	}
 	return
 }

vendor/github.com/letsencrypt/boulder/errors/errors.go

@@ -12,6 +12,7 @@ package errors
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/letsencrypt/boulder/identifier"
 )
@@ -56,6 +57,10 @@ type BoulderError struct {
 	Type      ErrorType
 	Detail    string
 	SubErrors []SubBoulderError
+
+	// RetryAfter the duration a client should wait before retrying the request
+	// which resulted in this error.
+	RetryAfter time.Duration
 }
 
 // SubBoulderError represents sub-errors specific to an identifier that are
@@ -77,9 +82,10 @@ func (be *BoulderError) Unwrap() error {
 // provided subErrs to the existing BoulderError.
 func (be *BoulderError) WithSubErrors(subErrs []SubBoulderError) *BoulderError {
 	return &BoulderError{
-		Type:      be.Type,
-		Detail:    be.Detail,
-		SubErrors: append(be.SubErrors, subErrs...),
+		Type:       be.Type,
+		Detail:     be.Detail,
+		SubErrors:  append(be.SubErrors, subErrs...),
+		RetryAfter: be.RetryAfter,
 	}
 }
 
@@ -107,31 +113,35 @@ func NotFoundError(msg string, args ...interface{}) error {
 	return New(NotFound, msg, args...)
 }
 
-func RateLimitError(msg string, args ...interface{}) error {
+func RateLimitError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func DuplicateCertificateError(msg string, args ...interface{}) error {
+func DuplicateCertificateError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/duplicate-certificate-limit/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/duplicate-certificate-limit/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func FailedValidationError(msg string, args ...interface{}) error {
+func FailedValidationError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/failed-validation-limit/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/failed-validation-limit/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 
-func RegistrationsPerIPError(msg string, args ...interface{}) error {
+func RegistrationsPerIPError(retryAfter time.Duration, msg string, args ...interface{}) error {
 	return &BoulderError{
-		Type:   RateLimit,
-		Detail: fmt.Sprintf(msg+": see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/", args...),
+		Type:       RateLimit,
+		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/", args...),
+		RetryAfter: retryAfter,
 	}
 }
 

vendor/github.com/letsencrypt/boulder/features/featureflag_string.go

@@ -16,36 +16,37 @@ func _() {
 	_ = x[StreamlineOrderAndAuthzs-5]
 	_ = x[V1DisableNewValidations-6]
 	_ = x[ExpirationMailerDontLookTwice-7]
-	_ = x[CAAValidationMethods-8]
-	_ = x[CAAAccountURI-9]
-	_ = x[EnforceMultiVA-10]
-	_ = x[MultiVAFullResults-11]
-	_ = x[MandatoryPOSTAsGET-12]
-	_ = x[AllowV1Registration-13]
-	_ = x[StoreRevokerInfo-14]
-	_ = x[RestrictRSAKeySizes-15]
-	_ = x[FasterNewOrdersRateLimit-16]
-	_ = x[ECDSAForAll-17]
-	_ = x[ServeRenewalInfo-18]
-	_ = x[GetAuthzReadOnly-19]
-	_ = x[GetAuthzUseIndex-20]
-	_ = x[CheckFailedAuthorizationsFirst-21]
-	_ = x[AllowReRevocation-22]
-	_ = x[MozRevocationReasons-23]
-	_ = x[OldTLSOutbound-24]
-	_ = x[OldTLSInbound-25]
-	_ = x[SHA1CSRs-26]
-	_ = x[AllowUnrecognizedFeatures-27]
-	_ = x[RejectDuplicateCSRExtensions-28]
-	_ = x[ROCSPStage1-29]
-	_ = x[ROCSPStage2-30]
-	_ = x[ROCSPStage3-31]
+	_ = x[OldTLSInbound-8]
+	_ = x[OldTLSOutbound-9]
+	_ = x[ROCSPStage1-10]
+	_ = x[ROCSPStage2-11]
+	_ = x[ROCSPStage3-12]
+	_ = x[CAAValidationMethods-13]
+	_ = x[CAAAccountURI-14]
+	_ = x[EnforceMultiVA-15]
+	_ = x[MultiVAFullResults-16]
+	_ = x[MandatoryPOSTAsGET-17]
+	_ = x[AllowV1Registration-18]
+	_ = x[StoreRevokerInfo-19]
+	_ = x[RestrictRSAKeySizes-20]
+	_ = x[FasterNewOrdersRateLimit-21]
+	_ = x[ECDSAForAll-22]
+	_ = x[ServeRenewalInfo-23]
+	_ = x[GetAuthzReadOnly-24]
+	_ = x[GetAuthzUseIndex-25]
+	_ = x[CheckFailedAuthorizationsFirst-26]
+	_ = x[AllowReRevocation-27]
+	_ = x[MozRevocationReasons-28]
+	_ = x[SHA1CSRs-29]
+	_ = x[AllowUnrecognizedFeatures-30]
+	_ = x[RejectDuplicateCSRExtensions-31]
 	_ = x[ROCSPStage6-32]
+	_ = x[ROCSPStage7-33]
 }
 
-const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage1ROCSPStage2ROCSPStage3ROCSPStage6"
+const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsExpirationMailerDontLookTwiceOldTLSInboundOldTLSOutboundROCSPStage1ROCSPStage2ROCSPStage3CAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsSHA1CSRsAllowUnrecognizedFeaturesRejectDuplicateCSRExtensionsROCSPStage6ROCSPStage7"
 
-var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 177, 190, 204, 222, 240, 259, 275, 294, 318, 329, 345, 361, 377, 407, 424, 444, 458, 471, 479, 504, 532, 543, 554, 565, 576}
+var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 157, 170, 184, 195, 206, 217, 237, 250, 264, 282, 300, 319, 335, 354, 378, 389, 405, 421, 437, 467, 484, 504, 512, 537, 565, 576, 587}
 
 func (i FeatureFlag) String() string {
 	if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {

vendor/github.com/letsencrypt/boulder/features/features.go

@@ -20,6 +20,11 @@ const (
 	StreamlineOrderAndAuthzs
 	V1DisableNewValidations
 	ExpirationMailerDontLookTwice
+	OldTLSInbound
+	OldTLSOutbound
+	ROCSPStage1
+	ROCSPStage2
+	ROCSPStage3
 
 	//   Currently in-use features
 	// Check CAA and respect validationmethods parameter.
@@ -79,14 +84,6 @@ const (
 	//   with the certificate's keypair, the cert will be revoked with reason
 	//   keyCompromise, regardless of what revocation reason they request.
 	MozRevocationReasons
-	// OldTLSOutbound allows the VA to negotiate TLS 1.0 and TLS 1.1 during
-	// HTTPS redirects. When it is set to false, the VA will only connect to
-	// HTTPS servers that support TLS 1.2 or above.
-	OldTLSOutbound
-	// OldTLSInbound controls whether the WFE rejects inbound requests using
-	// TLS 1.0 and TLS 1.1. Because WFE does not terminate TLS in production,
-	// we rely on the TLS-Version header (set by our reverse proxy).
-	OldTLSInbound
 	// SHA1CSRs controls whether the /acme/finalize endpoint rejects CSRs that
 	// are self-signed using SHA1.
 	SHA1CSRs
@@ -98,25 +95,15 @@ const (
 	// go1.19.
 	RejectDuplicateCSRExtensions
 
-	// ROCSPStage1 enables querying Redis, live-signing response, and storing
-	// to Redis, but doesn't serve responses from Redis.
-	ROCSPStage1
-	// ROCSPStage2 enables querying Redis, live-signing a response, and storing
-	// to Redis, and does serve responses from Redis when appropriate (when
-	// they are fresh, and agree with MariaDB's status for the certificate).
-	ROCSPStage2
-	// ROCSPStage3 enables querying Redis, live-signing a response, and serving
-	// from Redis, without any fallback to serving bytes from MariaDB. In this
-	// mode we still make a parallel request to MariaDB to cross-check the
-	// _status_ of the response. If that request indicates a different status
-	// than what's stored in Redis, we'll trigger a fresh signing and serve and
-	// store the result.
-	ROCSPStage3
 	// ROCSPStage6 disables writing full OCSP Responses to MariaDB during
 	// (pre)certificate issuance and during revocation. Because Stage 4 involved
 	// disabling ocsp-updater, this means that no ocsp response bytes will be
 	// written to the database anymore.
 	ROCSPStage6
+	// ROCSPStage7 disables generating OCSP responses during issuance and
+	// revocation. This affects codepaths in both the RA (revocation) and the CA
+	// (precert "birth certificates").
+	ROCSPStage7
 )
 
 // List of features and their default value, protected by fMu
@@ -154,6 +141,7 @@ var features = map[FeatureFlag]bool{
 	ROCSPStage2:                    false,
 	ROCSPStage3:                    false,
 	ROCSPStage6:                    false,
+	ROCSPStage7:                    false,
 }
 
 var fMu = new(sync.RWMutex)

vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto

@@ -7,56 +7,89 @@ import "core/proto/core.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
 
-service StorageAuthority {
-  // Getters
-  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
-  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
-  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
-  rpc GetCertificate(Serial) returns (core.Certificate) {}
-  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
-  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
-  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
+// StorageAuthorityReadOnly exposes only those SA methods which are read-only.
+service StorageAuthorityReadOnly {
   rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
+  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
+  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
+  rpc CountOrders(CountOrdersRequest) returns (Count) {}
+  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
   rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
   rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
-  rpc CountOrders(CountOrdersRequest) returns (Count) {}
-  // Return a count of authorizations with status "invalid" that belong to
-  // a given registration ID and expire in the given time range.
-  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
-  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
   rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
-  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
   rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
   rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetCertificate(Serial) returns (core.Certificate) {}
+  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
+  rpc GetOrder(OrderRequest) returns (core.Order) {}
+  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
   rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
-  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
-  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
-  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
-  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
-  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
-  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
+  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
+  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
+  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
+  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
   rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
+  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
+  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
   rpc IncidentsForSerial(Serial) returns (Incidents) {}
+  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
+  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
+}
+
+// StorageAuthority provides full read/write access to the database.
+service StorageAuthority {
+  // Getters: this list must be identical to the StorageAuthorityReadOnly rpcs.
+  rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
+  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
+  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
+  rpc CountOrders(CountOrdersRequest) returns (Count) {}
+  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
+  rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
+  rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
+  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
+  rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
+  rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetCertificate(Serial) returns (core.Certificate) {}
+  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
+  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
+  rpc GetOrder(OrderRequest) returns (core.Order) {}
+  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
+  rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
+  rpc GetPrecertificate(Serial) returns (core.Certificate) {}
+  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
+  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
+  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
+  rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
+  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
+  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
+  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
+  rpc IncidentsForSerial(Serial) returns (Incidents) {}
+  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
+  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
+  rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
   // Adders
-  rpc NewRegistration(core.Registration) returns (core.Registration) {}
-  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
+  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
   rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
   rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
   rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
+  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
   rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
+  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
+  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
+  rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
   rpc NewOrder(NewOrderRequest) returns (core.Order) {}
   rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
-  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
-  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
-  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
-  rpc GetOrder(OrderRequest) returns (core.Order) {}
-  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
+  rpc NewRegistration(core.Registration) returns (core.Registration) {}
   rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
+  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
+  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
+  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
   rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
-  rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
-  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
-  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
-  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
 }
 
 message RegistrationID {
@@ -124,6 +157,7 @@ message CountCertificatesByNamesRequest {
 
 message CountByNames {
   map<string, int64> counts = 1;
+  google.protobuf.Timestamp earliest = 2; // Unix timestamp (nanoseconds)
 }
 
 message CountRegistrationsByIPRequest {

vendor/go.opencensus.io/Makefile

@@ -91,7 +91,7 @@ embedmd:
 
 .PHONY: install-tools
 install-tools:
-	go get -u golang.org/x/lint/golint
-	go get -u golang.org/x/tools/cmd/cover
-	go get -u golang.org/x/tools/cmd/goimports
-	go get -u github.com/rakyll/embedmd
+	go install golang.org/x/lint/golint@latest
+	go install golang.org/x/tools/cmd/cover@latest
+	go install golang.org/x/tools/cmd/goimports@latest
+	go install github.com/rakyll/embedmd@latest

vendor/go.opencensus.io/opencensus.go

@@ -17,5 +17,5 @@ package opencensus // import "go.opencensus.io"
 
 // Version is the current release version of OpenCensus in use.
 func Version() string {
-	return "0.23.0"
+	return "0.24.0"
 }

vendor/go.opencensus.io/trace/doc.go

@@ -18,24 +18,23 @@ Package trace contains support for OpenCensus distributed tracing.
 The following assumes a basic familiarity with OpenCensus concepts.
 See http://opencensus.io
 
-
-Exporting Traces
+# Exporting Traces
 
 To export collected tracing data, register at least one exporter. You can use
 one of the provided exporters or write your own.
 
-    trace.RegisterExporter(exporter)
+	trace.RegisterExporter(exporter)
 
 By default, traces will be sampled relatively rarely. To change the sampling
 frequency for your entire program, call ApplyConfig. Use a ProbabilitySampler
 to sample a subset of traces, or use AlwaysSample to collect a trace on every run:
 
-    trace.ApplyConfig(trace.Config{DefaultSampler: trace.AlwaysSample()})
+	trace.ApplyConfig(trace.Config{DefaultSampler: trace.AlwaysSample()})
 
 Be careful about using trace.AlwaysSample in a production application with
 significant traffic: a new trace will be started and exported for every request.
 
-Adding Spans to a Trace
+# Adding Spans to a Trace
 
 A trace consists of a tree of spans. In Go, the current span is carried in a
 context.Context.
@@ -44,8 +43,8 @@ It is common to want to capture all the activity of a function call in a span. F
 this to work, the function must take a context.Context as a parameter. Add these two
 lines to the top of the function:
 
-    ctx, span := trace.StartSpan(ctx, "example.com/Run")
-    defer span.End()
+	ctx, span := trace.StartSpan(ctx, "example.com/Run")
+	defer span.End()
 
 StartSpan will create a new top-level span if the context
 doesn't contain another span, otherwise it will create a child span.

vendor/go.opencensus.io/trace/lrumap.go

@@ -44,7 +44,7 @@ func (lm lruMap) len() int {
 }
 
 func (lm lruMap) keys() []interface{} {
-	keys := make([]interface{}, len(lm.cacheKeys))
+	keys := make([]interface{}, 0, len(lm.cacheKeys))
 	for k := range lm.cacheKeys {
 		keys = append(keys, k)
 	}

vendor/go.opencensus.io/trace/trace_go11.go

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build go1.11
 // +build go1.11
 
 package trace

vendor/go.opencensus.io/trace/trace_nongo11.go

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build !go1.11
 // +build !go1.11
 
 package trace

vendor/modules.txt

@@ -95,7 +95,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.1.1
 ## explicit; go 1.17
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.28.1-0.20221122135051-c9f30d81ae37
+# github.com/containers/buildah v1.28.1-0.20221123095548-1c1fa111e4cc
 ## explicit; go 1.17
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -118,7 +118,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.50.2-0.20221125103214-33a7a35ff671
+# github.com/containers/common v0.50.2-0.20221127123657-5cbd6c092582
 ## explicit; go 1.17
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define
@@ -172,7 +172,7 @@ github.com/containers/common/version
 # github.com/containers/conmon v2.0.20+incompatible
 ## explicit
 github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.23.1-0.20221121174826-d8eb9dd60533
+# github.com/containers/image/v5 v5.23.1-0.20221124171848-19f10aac8007
 ## explicit; go 1.17
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -440,7 +440,7 @@ github.com/google/go-cmp/cmp/internal/diff
 github.com/google/go-cmp/cmp/internal/flags
 github.com/google/go-cmp/cmp/internal/function
 github.com/google/go-cmp/cmp/internal/value
-# github.com/google/go-containerregistry v0.12.0
+# github.com/google/go-containerregistry v0.12.1
 ## explicit; go 1.17
 github.com/google/go-containerregistry/pkg/name
 # github.com/google/go-intervals v0.0.2
@@ -499,7 +499,7 @@ github.com/klauspost/pgzip
 # github.com/kr/fs v0.1.0
 ## explicit
 github.com/kr/fs
-# github.com/letsencrypt/boulder v0.0.0-20220929215747-76583552c2be
+# github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf
 ## explicit; go 1.18
 github.com/letsencrypt/boulder/core
 github.com/letsencrypt/boulder/core/proto
@@ -672,7 +672,7 @@ github.com/rootless-containers/rootlesskit/pkg/port/portutil
 # github.com/seccomp/libseccomp-golang v0.10.0
 ## explicit; go 1.14
 github.com/seccomp/libseccomp-golang
-# github.com/sigstore/sigstore v1.4.5
+# github.com/sigstore/sigstore v1.4.6
 ## explicit; go 1.18
 github.com/sigstore/sigstore/pkg/cryptoutils
 github.com/sigstore/sigstore/pkg/signature
@@ -757,7 +757,7 @@ go.etcd.io/bbolt
 # go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 ## explicit; go 1.11
 go.mozilla.org/pkcs7
-# go.opencensus.io v0.23.0
+# go.opencensus.io v0.24.0
 ## explicit; go 1.13
 go.opencensus.io
 go.opencensus.io/internal
@@ -862,7 +862,7 @@ golang.org/x/tools/internal/gocommand
 golang.org/x/tools/internal/packagesinternal
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
-# google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a
+# google.golang.org/genproto v0.0.0-20221111202108-142d8a6fa32e
 ## explicit; go 1.19
 google.golang.org/genproto/googleapis/rpc/status
 # google.golang.org/grpc v1.50.1