Buildpacks PMC - 2015-10-12 Notes


Mike Dalessio
 

Hello CF community,

Here is an update from the Buildpacks PMC, as of 2015-10-12. The full notes
are available at

https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md

but I've reproduced them below in their entirety for your convenience.

*Please note* that there are three proposals below for which we're
requesting comments from the community. We invite comments and concerns, as
well as alternative solutions, in the Github Issues that are linked to
below.

Cheers,
-mike

-----

Buildpacks PMC Notes as of 2015-10-08

The last set of notes were sent out on 2015-09-09
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#table-of-contents>Table
of Contents

1. Update on Stacks
2. Update on Buildpacks
1. General
2. java-buildpack
3. go-buildpack
4. php-buildpack
5. python-buildpack

<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#stacks>
Stacks
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#releases>
Releases

Released cflinuxfs2 1.9.0
<https://github.com/cloudfoundry/stacks/releases/tag/1.9.0> and 1.8.0
<https://github.com/cloudfoundry/stacks/releases/tag/1.8.0>, which address
USN-2740-1 <http://www.ubuntu.com/usn/usn-2740-1>, "ICU vulnerabilities"
and USN-2739-1 <http://www.ubuntu.com/usn/usn-2739-1>, "FreeType
vulnerabilities".
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#buildpacks>
Buildpacks
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#general>
General

The Buildpacks team has been doing further experimentation with
*extensibility* for both developers and operators. Results can be seen in
the public Tracker under the "architecture" epic
<https://www.pivotaltracker.com/epic/show/1898760>.

The Buildpacks team has also been working on a feature track to allow end
users of the core buildpacks to *verify the origin* of all binaries
vendored in the buildpack. This "chain of custody" track is intended to
allow security-minded CF operators to trust the buildpack binaries being
run in their deployment (and to regenerate the binaries themselves as
needed). This work can be viewed in the public Tracker under the "chain of
custody" epic <https://www.pivotaltracker.com/epic/show/2077742>.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#java-buildpack>
java-buildpack
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#releases-1>
Releases

Released java-buildpack 3.2
<https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.2> and 3.3
<https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.3>.

These buildpacks add Luna HA support, as well as deliver improvements to
the memory calculator.

Please view the release notes
<https://github.com/cloudfoundry/java-buildpack/releases> for full details.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#go-buildpack>
go-buildpack
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#releases-2>
Releases

Released go-buildpack v1.6.1
<https://github.com/cloudfoundry/go-buildpack/releases/tag/v1.6.1> and
v1.6.2 <https://github.com/cloudfoundry/go-buildpack/releases/tag/v1.6.2>.

These releases add support for golang 1.5.1 and golang 1.4.3, which
addresses a number of CVEs in 1.4.2 and earlier. Support for golang 1.4.1
was dropped.

Please view the release notes
<https://github.com/cloudfoundry/go-buildpack/releases> for full details.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#proposals>
Proposals

*Proposal:* It is being proposed to drop support for golang 1.2.x and
1.3.x. We're using a Github Issue as an RFC, so please comment here:

https://github.com/cloudfoundry/go-buildpack/issues/22

<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#php-buildpack>
php-buildpack
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#releases-3>
Releases

Released v4.1.5
<https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.1.5>, v4.1.4
<https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.1.4>, and
v4.1.3 <https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.1.3>
which:

- updates to nginx 1.9.5,
- updates to PHP 5.6.14, 5.6.13, 5.5.30, 5.5.29, and 5.4.45.
- addresses USN-2740-1 "ICU vulnerabilities" (in combination with rootfs
1.9.0)

Please view the release notes
<https://github.com/cloudfoundry/php-buildpack/releases> for full details.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#end-of-life>End
of Life

*Please note that PHP 5.4 reached "End of Life" on 2015-09-14*. We intend
to remove support for this version of PHP in the next release of the
php-buildpack.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#proposals-1>
Proposals

*Proposal:* It is being proposed to drop support for nginx 1.6 (but keeping
support for nginx 1.8 and 1.9). We're using a Github Issue as an RFC, so
please comment here:

https://github.com/cloudfoundry/php-buildpack/issues/109

<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#python-buildpack>
python-buildpack
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#releases-4>
Releases

Released v1.5.1
<https://github.com/cloudfoundry/python-buildpack/releases/tag/v1.5.1> which
adds support for Python 3.5.0.

Please view the release notes
<https://github.com/cloudfoundry/python-buildpack/releases> for full
details.
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#nodejs-buildpack>
nodejs-buildpack
<https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-10-12-buildpacks.md#proposals-2>
Proposals

*Proposal:* It is being proposed to add Node 4.x support by statically
linking against openssl 1.0.2. This introduces a requirement to restage
applications running Node 4.x to address openssl CVEs. (Currently, only a
rootfs update is needed for this scenario.) We're using a Github Issue as
an RFC, so please comment here:

https://github.com/cloudfoundry/nodejs-buildpack/issues/32

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.