[1.4] *: libpathrs cherry-picks #5167
Merged
kolyshkin merged 6 commits into opencontainers:release-1.4 from Mar 12, 2026
Debian 13 (trixie) was released a few months ago and it's probably prudent to just upgrade. This is also necessary to get access to riscv64 repositories when we build libpathrs for inclusion in our runc binaries. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit 6b757b6) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The intention of commit 531e29e ("script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf") was to properly support older ARM platforms with our release builds. However, we have never been able to support ARMv6 for our builds because we use the Debian compiler to build the libseccomp we statically compile into our binaries and (as per the now-deleted comment itself) Debian treats armhf as being ARMv7 so the final binaries we produced were always only ever compatible with ARMv7+. This was a bit of an oddity before but when building libpathrs for releases we will need to use Rust which makes the target more explicit (and while it does support armhf, we are using the Debian-packaged Rust cross-compiler and thus are in the same dilemma with what Debian considers "armhf" to be). All-in-all, it's better to just bite the bullet and just follow Debian here properly. Fixes: 531e29e ("script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit 51ae8de) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
In a future patch this will contain other cdylibs so it deserves a slightly more general name. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit 8292574) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This name is far more descriptive. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit b1a9047) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Ever since v0.6.0 of github.com/cyphar/filepath-securejoin, pathrs-lite has been able to transparently switch to using libpathrs as the backend for safe path resolution (at compile-time, using a build tag). Note that because build-tags apply globally, this allows for us to easily opt pure-Go dependencies into all using libpathrs as well for our binaries. In a future patch this will likely be enabled by default, but document that this is an option for downstreams that want to opt-in to using libpathrs. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit ab6f75d) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This includes a few fixes for 32-bit builds. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (cherry picked from commit b58e342) Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
rata
approved these changes
Mar 12, 2026
Member
LGTM, thanks!
I don't have an opinion if this should be in 1.4.1 or 1.4.2, I'm fine either way. I'd just like to get 1.4.1 and 1.5.0-rc.1 out ASAP :)
If this is just to simplify cherry-picks, I think even if we merge it after 1.4.1, the branch will have it and cherry-picks will be simple anyways.
Member
Author
Good point, I should make a milestone for 1.4.2...
kolyshkin
reviewed
Mar 12, 2026
| Unfortunately, this has effectively always been broken (because we | ||
| cross-compile `libseccomp` within a Debian container and statically link to | ||
| it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf] | ||
| (that is, ARMv7). (#5103) |
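Review bot: the reference-style link `[debian-armhf]` on the third quoted line needs a matching `[debian-armhf]: ...` definition, and none is visible in this hunk. Confirm the definition is added alongside the changelog's other link definitions; without it Markdown renders the brackets literally and readers lose the pointer to what Debian means by `armhf`.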
Contributor
Suggested change
| (that is, ARMv7). (#5103) | |
| (that is, ARMv7). (#5167, #5103) |
kolyshkin
approved these changes
Mar 12, 2026
Contributor
kolyshkin
left a comment
LGTM except for a single changelog nit. Can make it into 1.4.1 I guess.
Contributor
Merging this as is.
This is a partial cherry-pick of some patches in #5103 in order to make future cherry-picks a little easier as well as adding documentation about the opt-in `libpathrs` build tag.