Merge pull request #25533 from Luap99/main-crypto

Update CI to go1.23 and golang.org/x/crypto v0.36.0
2025-07-04 10:10:32 +08:00 · 2025-03-12 13:32:07 +00:00
parent 5eeaa43728 9eb4d27c5c
commit d9d8aa49bd
13 changed files with 81 additions and 86 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -149,9 +149,11 @@ build_task:
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        - env:
-              DISTRO_NV: ${PRIOR_FEDORA_NAME}
+              # Note, this is changed to FEDORA_NAME temporarily as f40 contains a to old golang
-              VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
+              # Once we bump our images to f42/41 this must be turned back to PRIOR_FEDORA_NAME
-              CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
+              DISTRO_NV: ${FEDORA_NAME}
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
              CI_DESIRED_DATABASE: boltdb
              CI_DESIRED_STORAGE: vfs
        - env:
@ -666,18 +668,9 @@ container_integration_test_task:
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *only_if_int_test
    depends_on: *build
    matrix: &fedora_vm_axis
        - env:
              DISTRO_NV: ${FEDORA_NAME}
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        - env:
              DISTRO_NV: ${PRIOR_FEDORA_NAME}
              VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
              CI_DESIRED_DATABASE: boltdb
    gce_instance: *fastvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: int
        TEST_ENVIRON: container
    clone_script: *get_gosrc
--- a/.packit.yaml
+++ b/.packit.yaml
@ -32,8 +32,8 @@ jobs:
        message: "[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore."
    enable_net: true
    targets:
-      - fedora-all-x86_64
+      - fedora-latest-stable-x86_64
-      - fedora-all-aarch64
+      - fedora-development-aarch64
  - job: copr_build
    trigger: pull_request
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module github.com/containers/podman/v5
 // Warning: if there is a "toolchain" directive anywhere in this file (and most of the
 // time there shouldn't be), its version must be an exact match to the "go" directive.
-go 1.22.8
+go 1.23.0
 require (
 	github.com/BurntSushi/toml v1.4.0
@ -71,13 +71,12 @@ require (
 	github.com/vbauerster/mpb/v8 v8.9.3
 	github.com/vishvananda/netlink v1.3.1-0.20250221194427-0af32151e72b
 	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.33.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c
 	golang.org/x/net v0.35.0
-	golang.org/x/sync v0.11.0
+	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.30.0
+	golang.org/x/sys v0.31.0
-	golang.org/x/term v0.29.0
+	golang.org/x/term v0.30.0
-	golang.org/x/text v0.22.0
+	golang.org/x/text v0.23.0
 	google.golang.org/protobuf v1.36.5
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/yaml.v3 v3.0.1
@ -222,6 +221,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -584,8 +584,8 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c h1:KL/ZBHXgKGVmuZBZ01Lt57yE5ws8ZPSkkihmEyq7FXc=
 golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
@ -636,8 +636,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -669,8 +669,8 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -681,8 +681,8 @@ golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@ -692,8 +692,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@ -2,10 +2,10 @@ package trust
 import (
 	"fmt"
 	"maps"
 	"slices"
 	"sort"
 	"strings"
 	"golang.org/x/exp/maps"
 )
 // Policy describes a basic trust policy configuration
@ -53,7 +53,7 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 		}
 		output = append(output, descriptionsOfPolicyRequirements(policyContentStruct.Default, template, registryConfigs, "", idReader)...)
 	}
-	transports := maps.Keys(policyContentStruct.Transports)
+	transports := slices.Collect(maps.Keys(policyContentStruct.Transports))
 	sort.Strings(transports)
 	for _, transport := range transports {
 		transval := policyContentStruct.Transports[transport]
@ -61,7 +61,7 @@ func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirP
 			transport = "repository"
 		}
-		scopes := maps.Keys(transval)
+		scopes := slices.Collect(maps.Keys(transval))
 		sort.Strings(scopes)
 		for _, repo := range scopes {
 			repoval := transval[repo]
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@ -25,6 +25,11 @@ const debugHandshake = false
 // quickly.
 const chanSize = 16
 // maxPendingPackets sets the maximum number of packets to queue while waiting
 // for KEX to complete. This limits the total pending data to maxPendingPackets
 // * maxPacket bytes, which is ~16.8MB.
 const maxPendingPackets = 64
 // keyingTransport is a packet based transport that supports key
 // changes. It need not be thread-safe. It should pass through
 // msgNewKeys in both directions.
@ -73,11 +78,19 @@ type handshakeTransport struct {
 	incoming  chan []byte
 	readError error
-	mu               sync.Mutex
+	mu sync.Mutex
-	writeError       error
+	// Condition for the above mutex. It is used to notify a completed key
-	sentInitPacket   []byte
+	// exchange or a write failure. Writes can wait for this condition while a
-	sentInitMsg      *kexInitMsg
+	// key exchange is in progress.
-	pendingPackets   [][]byte // Used when a key exchange is in progress.
+	writeCond      *sync.Cond
 	writeError     error
 	sentInitPacket []byte
 	sentInitMsg    *kexInitMsg
 	// Used to queue writes when a key exchange is in progress. The length is
 	// limited by pendingPacketsSize. Once full, writes will block until the key
 	// exchange is completed or an error occurs. If not empty, it is emptied
 	// all at once when the key exchange is completed in kexLoop.
 	pendingPackets   [][]byte
 	writePacketsLeft uint32
 	writeBytesLeft   int64
 	userAuthComplete bool // whether the user authentication phase is complete
@ -134,6 +147,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
 		config: config,
 	}
 	t.writeCond = sync.NewCond(&t.mu)
 	t.resetReadThresholds()
 	t.resetWriteThresholds()
@ -260,6 +274,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
 	defer t.mu.Unlock()
 	if t.writeError == nil && err != nil {
 		t.writeError = err
 		t.writeCond.Broadcast()
 	}
 }
@ -363,6 +378,8 @@ write:
 			}
 		}
 		t.pendingPackets = t.pendingPackets[:0]
 		// Unblock writePacket if waiting for KEX.
 		t.writeCond.Broadcast()
 		t.mu.Unlock()
 	}
@ -577,11 +594,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
 	}
 	if t.sentInitMsg != nil {
-		// Copy the packet so the writer can reuse the buffer.
+		if len(t.pendingPackets) < maxPendingPackets {
-		cp := make([]byte, len(p))
+			// Copy the packet so the writer can reuse the buffer.
-		copy(cp, p)
+			cp := make([]byte, len(p))
-		t.pendingPackets = append(t.pendingPackets, cp)
+			copy(cp, p)
-		return nil
+			t.pendingPackets = append(t.pendingPackets, cp)
 			return nil
 		}
 		for t.sentInitMsg != nil {
 			// Block and wait for KEX to complete or an error.
 			t.writeCond.Wait()
 			if t.writeError != nil {
 				return t.writeError
 			}
 		}
 	}
 	if t.writeBytesLeft > 0 {
@ -598,6 +624,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
 	if err := t.pushPacket(p); err != nil {
 		t.writeError = err
 		t.writeCond.Broadcast()
 	}
 	return nil
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@ -818,6 +818,8 @@ func decode(packet []byte) (interface{}, error) {
 		return new(userAuthSuccessMsg), nil
 	case msgUserAuthFailure:
 		msg = new(userAuthFailureMsg)
 	case msgUserAuthBanner:
 		msg = new(userAuthBannerMsg)
 	case msgUserAuthPubKeyOk:
 		msg = new(userAuthPubKeyOkMsg)
 	case msgGlobalRequest:
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ b/vendor/golang.org/x/crypto/ssh/tcpip.go
@ -459,7 +459,7 @@ func (c *Client) dial(laddr string, lport int, raddr string, rport int) (Channel
 		return nil, err
 	}
 	go DiscardRequests(in)
-	return ch, err
+	return ch, nil
 }
 type tcpChan struct {
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@ -46,7 +46,7 @@ func (g *Group) done() {
 // returns a non-nil error or the first time Wait returns, whichever occurs
 // first.
 func WithContext(ctx context.Context) (*Group, context.Context) {
-	ctx, cancel := withCancelCause(ctx)
+	ctx, cancel := context.WithCancelCause(ctx)
 	return &Group{cancel: cancel}, ctx
 }
--- a/vendor/golang.org/x/sync/errgroup/go120.go
+++ b/vendor/golang.org/x/sync/errgroup/go120.go
@ -1,13 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build go1.20
 package errgroup
 import "context"
 func withCancelCause(parent context.Context) (context.Context, func(error)) {
 	return context.WithCancelCause(parent)
 }
--- a/vendor/golang.org/x/sync/errgroup/pre_go120.go
+++ b/vendor/golang.org/x/sync/errgroup/pre_go120.go
@ -1,14 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !go1.20
 package errgroup
 import "context"
 func withCancelCause(parent context.Context) (context.Context, func(error)) {
 	ctx, cancel := context.WithCancel(parent)
 	return ctx, func(error) { cancel() }
 }
--- a/vendor/golang.org/x/text/language/parse.go
+++ b/vendor/golang.org/x/text/language/parse.go
@ -59,7 +59,7 @@ func (c CanonType) Parse(s string) (t Tag, err error) {
 	if changed {
 		tt.RemakeString()
 	}
-	return makeTag(tt), err
+	return makeTag(tt), nil
 }
 // Compose creates a Tag from individual parts, which may be of type Tag, Base,
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -1183,8 +1183,8 @@ go.opentelemetry.io/otel/trace/embedded
 # golang.org/x/arch v0.8.0
 ## explicit; go 1.18
 golang.org/x/arch/x86/x86asm
-# golang.org/x/crypto v0.33.0
+# golang.org/x/crypto v0.36.0
-## explicit; go 1.20
+## explicit; go 1.23.0
 golang.org/x/crypto/argon2
 golang.org/x/crypto/blake2b
 golang.org/x/crypto/blowfish
@ -1241,23 +1241,23 @@ golang.org/x/net/trace
 ## explicit; go 1.18
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.11.0
+# golang.org/x/sync v0.12.0
-## explicit; go 1.18
+## explicit; go 1.23.0
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
-# golang.org/x/sys v0.30.0
+# golang.org/x/sys v0.31.0
-## explicit; go 1.18
+## explicit; go 1.23.0
 golang.org/x/sys/cpu
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
 golang.org/x/sys/windows/svc/eventlog
-# golang.org/x/term v0.29.0
+# golang.org/x/term v0.30.0
-## explicit; go 1.18
+## explicit; go 1.23.0
 golang.org/x/term
-# golang.org/x/text v0.22.0
+# golang.org/x/text v0.23.0
-## explicit; go 1.18
+## explicit; go 1.23.0
 golang.org/x/text/encoding
 golang.org/x/text/encoding/charmap
 golang.org/x/text/encoding/htmlindex