Welcome to the v2.0.8 release of manifest-tool!
v2.0.8 Fix release
The v2.0.8 release has many vendoring updates which mitigate various
CVEs in Go, containerd, and other related dependencies. This release
also moves from the v1 oras library to the v2 oras-go, causing minor
changes to the manifest-tool use of ORAS data structures. With the
removal of the auth package in oras, the auth behavior is migrated to
a simpler implementation in the util package here in manifest-tool.
Docker auth configs and credential helpers are still supported and
have been verified to work properly in this release.
A few minor feature additions to v2.0.8:
- Attestations created by BuildKit are now visible in the
inspect
command, unique from layers/blobs. A future release will add the
ability to properly consume BuildKit index manifests as inputs to
a multi-platform image. Currently the check to not have an index
as an input prevents this from working properly. - You can now add additional tags from the command line. Previously
this was only possible when using the input YAML format.
Thanks to @neanton and @deitch for their contributions to this
release!
If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.
v2.0.7 Fix release (BROKEN)
The v2.0.7 release had a significant bug (my fault!) and the actual
changes and additions are reflected above in the v2.0.8 release
notes.
v2.0.6 Fix release
The v2.0.6 release of manifest-tool fixes an early mistake in
the v2 codebase that removed the "type" flag support for handling
push of both OCI and Docker v2 manifests.
In addition to this one bug fix, the Go version has been updated
to 1.19.2, key imports to their latest releases, and the GitHub
Actions worker Linux version moves off the soon-deprecated Ubuntu
18.04 LTS release to 20.04 LTS. This means the Linux release
binaries will be built against an Ubuntu 20.04 base image. This
should not cause issues for downstream users but please open an
issue if you find a runtime error.
v2.0.5 Fix release
The v2.0.5 release of manifest-tool upgrades several go module
imports to versions that allow for the removal of all the replace
clauses in the v2 go.mod. This allows for cleaner import and
use of manifest-tool from the Go ecosystem.
v2.0.4 Fix release
The v2.0.4 release of manifest-tool includes a new image variant
which is valuable for those who need to use the published images
with other platforms that require a shell inside the image. This
new variant is based on Alpine, and prepends the tag name with
alpine; so mplatform/manifest-tool:alpine will be the latest
release, and mplatform/manifest-tool:alpine-v2.0.4 will retrieve
this specific released version, on top of an Alpine Linux base.
Thanks to Brandon Butler for
contributing the release packaging changes to add this
feature.
This release also moves up dependencies for various CVEs (aside
from the fact that manifest-tool was unaffected), as well as
building with Go 1.18.
A single bug fix for a reported segfault in using --docker-cfg
with a file instead of the expected directory is also fixed via
PR #169. Thanks
to Jian Zhang for the bug
report.
v2.0.3 Fix release
The v2.0.3 release of manifest-tool includes a single bug fix
for an issue that most regularly occurred when assembling manifest
lists/indexes in a public repository in gcr.io or Quay. Due to
the authentication flow for these registries and an existing bug
in the containerd resolver, a push would fail with "cannot reuse
body" errors. Until containerd has a complete fix for this issue,
v2.0.3 will appropriately push to these registries by retrying
after the authentication challenge (401 Unauthorized) is handled.
v2.0.2 Fix release (FAILED)
Includes the fix mentioned in v2.0.3 but due to a release script
bug did not appropriately publish the release on GitHub.
v2.0.1 Fix release (FAILED)
Includes the fix mentioned in v2.0.3 but due to a release script
bug did not appropriately publish the release on GitHub.
v2.0.0 Release overview
The v2.0.0 release of manifest-tool represents a significant
change to the architecture and implementation of manifest-tool.
Instead of continuing to use the original implementation
for registry interaction (a similar heritage to what became skopeo) this
v2 re-worked codebase of manifest-tool uses the resolver/fetcher/pusher
implementation from containerd as a library. It uses the same model (and
some of the code) from ORAS to use
these distribution API capabilities within containerd as a
library without the need to run or even have containerd installed.
This greatly simplified the codebase of manifest-tool and allowed for
restructuring the code to itself be usable as a library. For example,
the query tool for manifest-lists (estesp/mquery) can now use
these functions directly without running a copy of manifest-tool
separately and parsing the raw output.
In addition to this major rework of the codebase, new features have
been added. The most significant are:
- OCIv1 image/index support! (see the
--typeflag) - Color output from
inspect - On average 75% faster
inspectperformance - credential helper support built-in
A number of small issues have been resolved and the v2 code has been
tested against most public container registries. However, software
being software, I'm sure there are bugs that have not been discovered
in the testing to date.
v1 -> v2 Update
To handle how Go module version support (e.g. go get) works,
since v2.0.0 the code is now located in a /v2 subdirectory.
Because of this, if you are importing manifest-tool you will
need to add /v2 to your go.mod import of manifest-tool
or when using go get to utilize the v2.x codebase.
Reporting Issues
Please report bugs to the issue tracker at https://github.com/estesp/manifest-tool/issues.