Buildpacks PMC - 2015-11-09 Notes
|
Mike Dalessio
Hello CF community!
Here is an update from the Buildpacks PMC, as of 2015-11-09. The full notes are available at: https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md but I've reproduced them below for your convenience. Note that in addition to the releases below, we'll also be cutting a cflinuxfs2 release today to include a recent CVE update. Cheers, -mike ---- Stacks We've been continuing to make updates to the cflinuxfs2 rootfs at least weekly, with additional turnaround of CVE updates within 48 hours. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases> Releases Released cflinuxfs2 versions 1.10.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.10.0>, 1.11.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.11.0>, 1.12.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.12.0>, 1.13.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.13.0>, 1.14.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.14.0>, and 1.15.0 <https://github.com/cloudfoundry/stacks/releases/tag/1.15.0>, addressing: USN-2788-1 <http://www.ubuntu.com/usn/usn-2788-1> "unzip vulnerabilities", which is related to: - CVE-2015-7696 "Heap buffer overflow when extracting password-protected archive" - CVE-2015-7697 "Infinite loop when extracting password-protected archive" USN-2787-1 <http://www.ubuntu.com/usn/usn-2787-1>, "audiofile vulnerability", which is related to: - CVE-2015-7747 "made to crash or run programs as your login if it opened a specially crafted file" USN-2767-1 <http://www.ubuntu.com/usn/usn-2767-1>, "GDK-PixBuf vulnerabilities", which is related to: - CVE-2015-7673 <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7673.html> "Heap overflow and DoS with a tga file in gdk-pixbuf < 2.32.1" - CVE-2015-7674 <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7674.html> "Heap overflow with a gif file in gdk-pixbuf < 2.32.1" <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#buildpacks> Buildpacks <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#general> General Continuing on the track of work to provide a "chain of custody" <https://www.pivotaltracker.com/epic/show/2077742> for everything shipped in the buildpacks, each buildpack released is now published with a SHA256 checksum in the release notes. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#go-buildpack> go-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-1> Releases Released v1.6.3 <https://github.com/cloudfoundry/go-buildpack/releases/tag/v1.6.3> adding support for Go 1.4.1 for upgrade paths, adding a Godep binary to the manifest, and supporting the linker's -X option format for go1.5. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#proposals> Proposals In the last set of PMC notes, it was proposed to drop golang v1.2.x and v1.3.x <https://github.com/cloudfoundry/go-buildpack/issues/22> and no objections were raised. We'll be scheduling work on this over the next few weeks. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#notes> Notes We're also in the process of sending pull requests back upstream to godep and to the go-buildpack to allow "wildcarding" of golang versions, meaning that "1.4.*" would use the most recent matching golang version. This would make more palatable the "skinny buildpack" policy of only providing the two most-recent supported versions on a major/minor branch. See GH#22 <https://github.com/cloudfoundry/go-buildpack/issues/22> for details. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#java-buildpack> java-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-2> Releases Released v3.3.1 <https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.3.1>. This release contains a new debug framework and ensures that the dependencies contained in theoffline buildpack are up to date. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#nodejs-buildpack> nodejs-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-3> Releases Released v1.5.1 <https://github.com/cloudfoundry/nodejs-buildpack/releases/tag/v1.5.1>, which adds support for Node 4.2.x LTS, emits buildpack details from bin/detect, and merges many commits from upstream. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#proposals-1> Proposals In the last PMC notes, it was proposed to add node.js 4.x support <https://github.com/cloudfoundry/nodejs-buildpack/issues/32> via static linking of dependencies. This work was completed and shipped in nodejs-buildpack v1.5.1 as noted above. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#php-buildpack> php-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-4> Releases Released v4.2.1 <https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.2.1>, v4.2.0 <https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.2.0>, and v4.1.5 <https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.1.5>, which collectively update nginx to v1.9.6, update httpd to 2.4.17, add support for PHP 5.6.16 and 5.5.30, and drop support for PHP 5.4.x (which has been EOLed). <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#proposals-2> Proposals In the last PMC notes, it was proposed to remove nginx 1.6 <https://github.com/cloudfoundry/php-buildpack/issues/109> from the buildpack, but continuing to support nginx 1.8 and 1.9, and no objections were raised. We'll schedule work on this change. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#ruby-buildpack> ruby-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-5> Releases Released v1.6.8 <https://github.com/cloudfoundry/ruby-buildpack/releases/tag/v1.6.8>, which updates JRuby to 9.0.3.0, and updates OpenJDK to 1.8.0_65. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#staticfile-buildpack> staticfile-buildpack <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#releases-6> Releases Released v1.2.2 <https://github.com/cloudfoundry/staticfile-buildpack/releases/tag/v1.2.2>, which improves error messages and log messages, and emits buildpack details from bin/detect. <https://github.com/cloudfoundry/pmc-notes/blob/master/Buildpacks/2015-11-09-buildpacks.md#notes-1> Notes Some performance analysis was done of the staticfile-buildpack after cf-release v221's increase of ip_conntrack_max, and the results may be interesting to readers. Details are in this tracker story <https://www.pivotaltracker.com/story/show/105014548>, but the TL;DR is that we saturated the testing network before we hit nginx bottlenecks. Peak performance for 1KB payloads was in excess of 1400 requests/second
|
|
|