Format: 1.8
Date: Mon, 22 Apr 2024 14:49:00 +0300
Source: adsys
Built-For-Profiles: noudeb
Architecture: source
Version: 0.14.1ubuntu1
Distribution: jammy
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Gabriel Nagy
Launchpad-Bugs-Fixed: 2012371 2020682 2024377 2037270 2037271 2044112 2049061 2051363 2054445 2059756
Changes:
 adsys (0.14.1ubuntu1) jammy; urgency=medium
 .
   * Backport 0.14.1 to jammy (LP: #2059756)
     - Build with Go 1.22
     - Disable dh_dwz on account of go >= 1.19 compressing symbols itself (fixed in newer dh_golang)
 .
 adsys (0.14.1build1) noble; urgency=medium
 .
   * No-change rebuild for CVE-2024-3094
 .
 adsys (0.14.1) noble; urgency=medium
 .
   * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
     - GO-2024-2598
     - GO-2024-2599
   * Update apport hook to include journal errors and package logs
   * CI and quality of life changes not impacting package functionality:
     - Enable end-to-end tests in GitHub Actions
     - Remove stale AD resources on test finish
     - Add developer documentation for running end-to-end tests
     - Collect and upload end-to-end test logs on failure
     - Report test coverage in Cobertura XML format
     - Silence gosec warnings using nolint and remove deprecated ifshort linter
     - Use an environment variable to update golden files
     - Bump github actions to latest:
       - azure/login
       - softprops/action-gh-release
   * Update dependencies to latest:
     - github.com/charmbracelet/lipgloss
     - github.com/golangci/golangci-lint
     - github.com/golang/protobuf
     - github.com/stretchr/testify
     - golang.org/x/crypto
     - golang.org/x/net
     - google.golang.org/grpc
     - google.golang.org/protobuf
 .
 adsys (0.14.0) noble; urgency=medium
 .
   * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
     - This functionality is opt-in and activated if the detect_cached_ticket setting is set to true
     - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys will now determine the path to the default ticket cache and use it during authentication (when adsys is executed through the PAM module) and runs of adsysctl update for the current user.
   * Allow sssd backend to work without ad_domain being set (LP: #2054445)
   * Upgrade to Go 1.22
   * CI and quality of life changes not impacting package functionality:
     - Pass token explicitly to Codecov action
     - Fix require outside of main goroutine
     - Mark function arguments as unused where applicable
       Thanks to Edu Gómez Escandell
     - End to end test VM template creation updates
     - Bump github actions to latest:
       - codecov/codecov-action
       - peter-evans/create-pull-request
   * Update dependencies to latest:
     - github.com/charmbracelet/bubbles
     - github.com/golangci/golangci-lint
     - golang.org/x/crypto
     - golang.org/x/net
     - google.golang.org/grpc
 .
 adsys (0.13.3) noble; urgency=medium
 .
   * Fix cert auto-enroll without NDES (LP: #2051363)
   * Refresh policy definition files (remove Lunar support)
   * CI and quality of life changes not impacting package functionality:
     - Bump github actions to latest:
       - actions/download-artifact
       - actions/setup-go
       - actions/upload-artifact
   * Update dependencies to latest:
     - github.com/charmbracelet/bubbles
     - github.com/charmbracelet/bubbletea
     - github.com/google/uuid
     - github.com/spf13/viper
     - golang.org/x/crypto
     - golang.org/x/net
     - golang.org/x/sync
     - golang.org/x/sys
     - google.golang.org/grpc
     - google.golang.org/protobuf
 .
 adsys (0.13.2) noble; urgency=medium
 .
   [ Denison Barbosa ]
   [ Didier Roche ]
   [ Gabriel Nagy ]
   [ Jean-Baptiste Lallement ]
   * Ensure GPO URLs contain the FQDN of the domain controller (LP: #2024377)
   * Add runtime dependency on nfs-common (LP: #2044112)
   * Documentation changes:
     - Switch to Read the Docs for project documentation
     - Generate documentation from policy definitions
     - Fix installation path of adwatchd
   * CI and quality of life changes not impacting package functionality:
     - Bump go version to 1.21.4
     - Fix docker stop behavior on integration tests
     - Add e2e tests provisioning workflow
     - Reduce the amount of workflows to be run
     - Remove scopes from dependabot config
   * Update dependencies to latest:
     - github.com/charmbracelet/lipgloss
     - github.com/fatih/color
     - github.com/fsnotify/fsnotify
     - github.com/golangci/golangci-lint
     - github.com/google/uuid
     - github.com/maruel/natural
     - github.com/pkg/sftp
     - github.com/spf13/cobra
     - github.com/spf13/viper
     - golang.org/x/crypto
     - golang.org/x/net
     - golang.org/x/sync
     - golang.org/x/sys
     - golang.org/x/text
     - google.golang.org/grpc
 .
 adsys (0.13.1) mantic; urgency=medium
 .
   [ Denison Barbosa ]
   [ Didier Roche ]
   [ Gabriel Nagy ]
   * Fix pam_adsys build (LP: #2037270)
   * Switch to upstream gotext version and align go-i18n (LP: #2037271)
   * Add documentation for certificate policy manager
   * CI and quality of life changes not impacting package functionality:
     - Workflow to auto-patch vendored Samba code
     - Fix typo on build command for the admxgen package
     - Switch to reusable code quality action in CI
     - Apply issue template changes
     - Open issue when ADMX/L builds fail
   * Update dependencies to latest:
     - github.com/charmbracelet/lipgloss
     - github.com/golangci/golangci-lint
     - github.com/gomarkdown/markdown
     - golang.org/x/net
     - golang.org/x/sys
     - golang.org/x/text
     - google.golang.org/grpc
 .
 adsys (0.13.0) mantic; urgency=medium
 .
   [ Denison Barbosa ]
   [ Didier Roche ]
   [ Gabriel Nagy ]
   * Add certificate policy manager for machines
     - a new Pro-only policy manager that leverages Samba functionality in order to enroll the machine for certificates from AD Certificate Services
   * Migrate translation support to native approach using go-i18n + gotext
   * Update policy definitions to include dconf key for dark mode background
   * Update dependencies to latest:
     - github.com/charmbracelet/bubbles
     - github.com/charmbracelet/bubbletea
     - github.com/golangci/golangci-lint
     - github.com/muesli/termenv
     - github.com/sirupsen/logrus
     - golang.org/x/net
     - golang.org/x/sync
     - golang.org/x/sys
     - golang.org/x/text
     - google.golang.org/grpc
     - google.golang.org/protobuf
   * CI and quality of life changes not impacting package functionality:
     - Address a few issues in smbsafe_test.go
     - Fix typo on build command for the admxgen package
     - Switch to reusable code quality action in CI
     - Apply issue template changes
     - Open issue when ADMX/L builds fail
 .
 adsys (0.12.0) mantic; urgency=medium
 .
   [ Denison Barbosa ]
   [ Didier Roche ]
   [ Gabriel Nagy ]
   [ Jean-Baptiste Lallement ]
   * Release 0.12.0 (LP: #2020682)
     - Fix DCONF_PROFILE not considering default_domain_suffix on sssd.conf
     - Go implementation for the user mount handler
     - Remove Rust source code from adsys
     - Rework Kerberos ticket handling logic:
       - to satisfy the Heimdal implementation of Kerberos, we now store and use a root-owned copy of the cached ticket
       - the ticket lifetime is still handled via a symlink, and the copy is kept up to date based on the original ticket timestamp
     - Ensure empty state for dconf policy
     - Handle case mismatches in GPT.INI file name
     - Refactor ListActiveUsers gRPC function
     - Add adsysctl policy purge command to purge applied policies
     - Rework policy application sync strategy
     - Print logs when policies are up to date
     - Bump Go version to 1.20
     - Update dependencies to latest:
       - github.com/charmbracelet/bubbles
       - github.com/charmbracelet/bubbletea
       - github.com/sirupsen/logrus
       - github.com/spf13/cobra
       - github.com/stretchr/testify
       - golang.org/x/net
       - golang.org/x/sync
       - golang.org/x/sys
       - google.golang.org/grpc
     - CI and quality of life changes not affecting package functionality:
       - peter-evans/create-pull-request
       - Apply clang-format to C source files
       - Remove Rust related code from CI and tests
       - Improve test consistency
       - Fix documentation example images
 .
 adsys (0.11.0) lunar; urgency=medium
 .
   [ Denison Barbosa ]
   [ Gabriel Nagy ]
   * List Pro policy types in service status output
   * Warn when Pro-only rules are configured
   * Use systemd via D-Bus instead of systemctl commands
   * Add placeholder notes for entry types
   * Add guideline docs to the policy managers
   * Change Ubuntu Advantage to Ubuntu Pro in docs
   * Add system proxy policy manager (LP: #2012371)
   * Update dependencies to latest:
     - github.com/charmbracelet/lipgloss
     - github.com/coreos/go-systemd/v22
     - github.com/fatih/color
     - github.com/golangci/golangci-lint
     - github.com/golang/protobuf
     - golang.org/x/net
     - google.golang.org/grpc
     - google.golang.org/grpc/cmd/protoc-gen-go-grpc
     - google.golang.org/protobuf
   * CI and quality of life changes not impacting package functionality:
     - Bump github actions to latest:
       - actions/setup-go
     - Update Rust related auto update jobs
     - Replace testutils.Setenv with t.Setenv
     - Set up more tests to run in parallel
     - Various test refactors and improvements
 .
 adsys (0.10.1) lunar; urgency=medium
 .
   [ Denison Barbosa ]
   [ Jean-Baptiste Lallement ]
   [ Gabriel Nagy ]
   [ Didier Roche ]
   * Fix erroneous non alternative dependency on package krb5-user
   * Fix a bug in internal/config tests that was causing the autopkgtests to fail
   * Update internal/config to also trigger a reload when config file is overwritten
   * Update dependencies to latest:
     - github.com/golangci/golangci-lint
     - github.com/stretchr/testify
   * CI and quality of life changes not impacting package functionality:
     - Bump github actions to latest:
       - peter-evans/create-pull-request
       - actions/download-artifact
     - Addressing some linter issues pointed out by new golangci-lint version
 .
 adsys (0.10.0) lunar; urgency=medium
 .
   [ Denison Barbosa ]
   [ Jean-Baptiste Lallement ]
   [ Gabriel Nagy ]
   [ Didier Roche ]
   * Add mount / network shares policy manager
     - this is an Ubuntu Pro feature that allows mounting network shares at a user or machine level
     - supported mount types: smb, nfs, and ftp (after installing curlftpfs)
     - supported authentication: anonymous (default), krb5
     - user mounts are handled at login by a Rust binary now shipped with adsys
       Thanks to schopin for the packaging guidance and contributions
     - computer mounts are handled by systemd mount units requiring root privileges
   * Add AppArmor policy manager
     - this is an Ubuntu Pro feature that allows enforcing application confinement at a user or machine level using AppArmor
     - user policies rely on the libpam-apparmor package which must be installed manually
   * Support multiple AD backends and implement Winbind support
     - sssd is still the default backend, but winbind can be opted into through the adsys.yaml configuration file
   * Add a --machine / -m flag to adsysctl applied, indicating the policies applied to the current machine
   * Expose Ubuntu Pro status in the "status" command
     - status is now fetched dynamically instead of relying on a possibly outdated state when updating policies
   * Update scripts manager creation
     - scripts manager now creates both a users and machine directory on initialization
   * Fix policy update failing when GPT.INI contains no version key
   * Fix object lookup for users having a FQDN as their hostname
   * Support special characters in domains when parsing sssd configuration
   * Reduce dependencies by excluding CI tools from go.mod
     - tooling-related packages are now vendored in a separate go.mod file, allowing for a smaller source package
   * Replace gopkg.in/yaml.v2 with gopkg.in/yaml.v3
     Thanks to Juneezee for the contribution
   * Clean-up packaging scripts related to the user mount handler
     Thanks to liushuyu for the contribution
   * CI and quality of life changes not impacting package functionality:
     - Add golden functionality to testutils
     - Switch to new fsnotify event check syntax
     - Move adsysgpotests to golden generated by testutils
     - Fix test helper permission when making directory RO
     - Rework skipping integration tests
     - Compare golden tree executable permissions
     - Allow running mount_handler tests as part of go test
     - Fix python coverage in integration tests
     - Factorize some coverage testutils functions
     - Refactor tracking and generating coverage files
     - Implement session dbus mock
     - Stabilize integration test coverage
     - Fix set-output GitHub Actions deprecation warning
     - Reuse our utility function for comparing trees
     - Install missing packages for auto-updates workflow
     - Update d/copyright to account for the new Rust dependencies
     - Fix FTBFS on Launchpad introduced by the latest unreleased work
     - Standardize on test case naming and use the previously added testutils functions for golden file comparison
   * Update dependencies to latest:
     - github.com/charmbracelet/bubbles
     - github.com/charmbracelet/bubbletea
     - github.com/charmbracelet/glamour
     - github.com/charmbracelet/lipgloss
     - github.com/fatih/color
     - github.com/fsnotify/fsnotify
     - github.com/golangci/golangci-lint
     - github.com/kardianos/service
     - github.com/muesli/termenv
     - github.com/spf13/cobra
     - github.com/spf13/viper
     - github.com/stretchr/testify
     - golang.org/x/net
     - golang.org/x/sys
     - golang.org/x/text
     - google.golang.org/grpc
     - gopkg.in/ini.v1
 .
 adsys (0.9.2) kinetic; urgency=medium
 .
   * Update generators to fix FTBFS
     - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's filesystem hijacking and cause unexpected behavior
   * Update dependencies to latest:
     - github.com/golangci/golangci-lint
     - google.golang.org/protobuf
Checksums-Sha1:
 ed0e8f2c948c6a1248f1023355051a0360b96c5e 1502 adsys_0.14.1ubuntu1.dsc
 ac8d586f158421c2d752006d7d0c12262c7563b2 7077324 adsys_0.14.1ubuntu1.tar.xz
 de5c3d779272e2d29089d03af379c801589da06f 16929 adsys_0.14.1ubuntu1_source.buildinfo
Checksums-Sha256:
 37ba80f1d5034c4f9afd6355e1ae6c00768e0857f53f6e42b741a469bd8ae2cc 1502 adsys_0.14.1ubuntu1.dsc
 f1ab01fe4222cfecc6a45842309397deb72fab4f72429280978a023900db14c0 7077324 adsys_0.14.1ubuntu1.tar.xz
 87d1ebefa6b8a0d531f43d4f6a8341fdbed3fba538b959ca3f7328a4f0a70b92 16929 adsys_0.14.1ubuntu1_source.buildinfo
Files:
 467e15b94881aaa4e83acb9e91674de8 1502 admin optional adsys_0.14.1ubuntu1.dsc
 50660eb645d5f16355b134813dcb8fc5 7077324 admin optional adsys_0.14.1ubuntu1.tar.xz
 d8ecbd7a47399d71684a58eeecef7133 16929 admin optional adsys_0.14.1ubuntu1_source.buildinfo