These annotations can have security implications - crun, for
example, allows rootless containers to preserve the user's groups
through an annotation. We absolutely should not include
annotations from an untrusted image off the internet by default.
We may consider whitelisting some annotations (e.g. the legacy
WASM annotations), but given that there is now a more explicit
way of specifying an image uses the WASM runtime in the OCI image
spec, I'm just tearing this out entirely for now.
Signed-off-by: Matt Heon <mheon@redhat.com>
Currently pull policy is set incorrectly when users set --pull-never.
Also pull-policy is not being translated correctly when using
podman-remote.
Fixes: #9573
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Most build testing should be done in Buildah's test
suites, but we should have a minimal amount of tests,
especially testing the parts that are different like
layers and squash. Also the CLI argument handling
of things like the context directory that we've had
issues reported.
This first chunk does a basic test and then checks for
context directory being a file and squash iterations.
More to be added as time goes by.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
