Closes #83 (see that thread for contributor approvals/discussion)
There are workarounds for this, but I will intentionally not be describing them because this is definitely not something I can endorse in any way. Please don't use gosu in this way.
Disallow installing gosu with setuid
Update to Alpine 3.14 and Debian Bullseye
Update build deps, esp. runc to v1.0.3
Update to runc 1.1.2
This builds `gosu` with an intentionally older version of runc *and* Go (but still new enough for `govulncheck` to work). The chosen version of `runc` includes opencontainers/runc@262f294, which is the last change I can find to any of the functions `gosu` invokes in all released versions of runc (up to v1.1.4). The chosen version of Go is the oldest supported by `govulncheck` but that also includes golang/go@4f45424 (because 32bit builds panic without this fix). (This also fixes a few other minor version number anomalies.)
Add SECURITY.md that points to `govulncheck`
This fixes our `mips64le` builds.
Thanks to `rpm --query --queryformat='%{ARCH}' rpm`, I feel good about documenting this "officially" again. 🚀
Add an "RPM-based" section back to `INSTALL.md`
Fix govulncheck wrapper + run govulncheck on latest release periodically too
Update broken Dockerfile.test link
…he most appropriate alternative) See also #143
…s clicked from SO's stats)
(it verifies that the downloaded modules have not been tampered with since `go mod download`, which we do literally just prior so it is verifying nothing)
Update Alpine-based images to Alpine 3.22
Update Docker Hub images and examples to Debian Trixie
This requires Go 1.24+, but allows us to embed the (semver-mangled 🙃💩) version of `gosu` in the standard Go metadata such that scanning tools can pick up the version of `gosu` directly. In theory, this will enable us to publish official VEX statements for `gosu` in a way that scanning tools can actually consume and match correctly.

```console
$ go version -m ./gosu-amd64
./gosu-amd64: go1.24rc2
	path	github.com/tianon/gosu
	mod	github.com/tianon/gosu	v1.17.0
	dep	github.com/moby/sys/user	v0.1.0	h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
	dep	golang.org/x/sys	v0.1.0	h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
	build	-buildmode=exe
	build	-compiler=gc
	build	-trimpath=true
	build	DefaultGODEBUG=asynctimerchan=1,gotestjsonbuildtext=1,gotypesalias=0,httplaxcontentlength=1,httpmuxgo121=1,httpservecontentkeepheaders=1,multipathtcp=0,panicnil=1,randseednop=0,rsa1024min=0,tls10server=1,tls3des=1,tlsmlkem=0,tlsrsakex=1,tlsunsafeekm=1,winreadlinkvolume=0,winsymlink=0,x509keypairleaf=0,x509negativeserial=1,x509rsacrt=0,x509usepolicies=0
	build	CGO_ENABLED=0
	build	GOARCH=amd64
	build	GOOS=linux
	build	GOAMD64=v1
	build	vcs=git
	build	vcs.revision=1.17
	build	vcs.time=1970-01-01T00:00:00Z
	build	vcs.modified=false
```
Add `fake-git.sh` script to embed version information
This is also known as CVE-2025-47906:

> If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

https://pkg.go.dev/vuln/GO-2025-3956

I don't think this is a critical issue with `gosu` (as it requires a misconfigured environment **and** we only invoke `LookPath` _after_ we've dropped from root), but one worth updating for.
Update to Go 1.24.6 (esp. for GO-2025-3956)
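A defensive wrapper for the condition the quoted advisory describes, as an added example that is not code from gosu or from this pull request. `auditPath` and `guardedLookPath` are hypothetical helper names, and refusing the lookup outright when `PATH` contains a non-directory is a policy chosen here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

var errBadName = errors.New("refusing empty or dot-only command name")

// auditPath returns PATH entries that exist but are not directories,
// which is the misconfiguration GO-2025-3956 depends on.
func auditPath(pathEnv string) []string {
	var bad []string
	for _, entry := range filepath.SplitList(pathEnv) {
		if entry == "" { // empty entry means "current directory", not a file
			continue
		}
		if fi, err := os.Stat(entry); err == nil && !fi.IsDir() {
			bad = append(bad, entry)
		}
	}
	return bad
}

// guardedLookPath (hypothetical helper) rejects the names listed in the
// advisory and refuses to search a PATH that contains non-directories.
func guardedLookPath(name string) (string, error) {
	switch name {
	case "", ".", "..":
		return "", errBadName
	}
	// Names containing a separator are not resolved through PATH at all.
	if !strings.ContainsRune(name, os.PathSeparator) {
		if bad := auditPath(os.Getenv("PATH")); len(bad) > 0 {
			return "", fmt.Errorf("PATH has non-directory entries: %q", bad)
		}
	}
	return exec.LookPath(name)
}

func main() {
	fmt.Println("non-directory PATH entries:", auditPath(os.Getenv("PATH")))
	_, err := guardedLookPath("..")
	fmt.Println("lookup of \"..\":", err)
}
```

The same `auditPath` check can run at container start-up to flag a misconfigured environment regardless of which Go version built the binary.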
This shouldn't change the binaries (in fact they should be 100% bit-for-bit identical), but it gives me warm fuzzies.
Update to Debian Trixie
Signed-off-by: yzewei <yangzewei@loongson.cn>
add loong64 support
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )