Merged
PRD v3.0: add In Scope V3, FR27-FR30, update NFR1 for python3-yaml. Roadmap updated: remove Windows/GPG, add RPM packaging. 5 stories: Compose analysis (7.1), RPM packaging (7.2), log rotation (7.3), OCI auth restriction (7.4), manifest cache TTL (7.5).
New buncker/compose.py module parses docker-compose.yml files, extracting image: refs and build.dockerfile paths from services. Integrated with resolver pipeline via resolve_compose() with blob deduplication. CLI --compose flag and API compose_content field added. python3-yaml dependency added to .deb packaging.
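The extraction step this commit describes, written here as an added example rather than buncker's own compose.py: it walks a parsed compose document and collects `image:` references and the Dockerfile path implied by each `build:` block. It assumes the YAML has already been loaded with `yaml.safe_load` (PyYAML is optional in this snippet), and the `SAMPLE` document is constructed for the example, including the malformed-service and duplicate-image edge cases the later test commit mentions.

```python
"""Pull image references and Dockerfile paths out of a parsed compose file.

Added illustration, not buncker's compose.py. Extraction works on the dict
that yaml.safe_load returns, so PyYAML is optional here; SAMPLE is a
constructed document standing in for a real docker-compose.yml.
"""
from __future__ import annotations

import os
from typing import Any

try:  # only load_compose() needs PyYAML; the extraction itself is pure Python
    import yaml
except ImportError:  # pragma: no cover
    yaml = None

# Constructed sample, shaped like yaml.safe_load's output for a small compose file.
SAMPLE: dict[str, Any] = {
    "services": {
        "web": {"image": "nginx:1.27"},
        "api": {
            "build": {"context": "./api", "dockerfile": "Dockerfile.prod"},
            "image": "registry.example.internal/api:2.1",  # tag applied to the build
        },
        "worker": {"build": "./worker"},  # string form: context only, default Dockerfile
        "db": {"image": "postgres:16"},
        "cache": {"image": "nginx:1.27"},  # duplicate of web, must be deduplicated
        "broken": "not-a-mapping",  # malformed service: skipped, not fatal
    }
}


def load_compose(text: str) -> dict[str, Any]:
    """Parse compose YAML with safe_load (never yaml.load) and insist on a mapping."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse compose text")
    doc = yaml.safe_load(text)
    if not isinstance(doc, dict):
        raise ValueError("compose document must be a mapping")
    return doc


def _services(doc: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Services that are mappings; a non-mapping 'services' key is an error."""
    services = doc.get("services") or {}
    if not isinstance(services, dict):
        raise ValueError("'services' must be a mapping")
    return {name: svc for name, svc in services.items() if isinstance(svc, dict)}


def extract_image_refs(doc: dict[str, Any]) -> list[str]:
    """Ordered, deduplicated `image:` references (dict keys keep insertion order)."""
    seen: dict[str, None] = {}
    for svc in _services(doc).values():
        image = svc.get("image")
        if isinstance(image, str) and image.strip():
            seen.setdefault(image.strip(), None)
    return list(seen)


def extract_dockerfiles(doc: dict[str, Any], base_dir: str = ".") -> list[str]:
    """Dockerfile paths for services with `build:`, relative to the compose file.

    `build:` may be a context string or a mapping with context/dockerfile keys;
    compose defaults the Dockerfile name to 'Dockerfile' in both forms.
    """
    paths: dict[str, None] = {}
    for svc in _services(doc).values():
        build = svc.get("build")
        if isinstance(build, str):
            context, dockerfile = build, "Dockerfile"
        elif isinstance(build, dict):
            context = build.get("context", ".")
            dockerfile = build.get("dockerfile", "Dockerfile")
        else:
            continue
        paths.setdefault(os.path.normpath(os.path.join(base_dir, context, dockerfile)), None)
    return list(paths)


if __name__ == "__main__":
    print("images:", extract_image_refs(SAMPLE))
    print("dockerfiles:", extract_dockerfiles(SAMPLE))
```

A service that carries both `build:` and `image:` (like `api` above) contributes to both lists: the image reference is what a deployment would pull, and the Dockerfile is what a resolver must analyze for its own `FROM` lines. Treating a non-mapping `services:` key as fatal while skipping an individual malformed service keeps one typo from hiding the rest of the file's references.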
RPM spec files for buncker and buncker-fetch with same file layout as .deb. Makefile build-rpm target, CI build-rpm + test-rpm-install jobs on Fedora, build-in-docker-rpm.sh helper script. RPM spec tests added. Also fixed .deb install list for auth.py and compose.py.
Daily rotation, 30 days retention, copytruncate, compress. Shipped in .deb via conffiles and .rpm via %config(noreplace). Makefile updated to include logrotate in deb build.
When enabled, /v2/* endpoints require a valid Bearer token (readonly or admin). Returns 401 with WWW-Authenticate challenge header per OCI Distribution Spec. Guard prevents starting with --restrict-oci when API auth is not configured. Also supports oci.restrict config.
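The gate this commit describes, written here as an added example rather than buncker's handler.py. It shows the startup guard (restriction without configured tokens is refused), the 401 response carrying a `WWW-Authenticate: Bearer` challenge, and early rejection of an empty Bearer value. The token table, realm string and the plain token-to-role mapping are assumptions for illustration; a real store would hold hashes. `Docker-Distribution-API-Version` is the header real v2 registries send.

```python
"""Bearer-token gate for OCI /v2/* endpoints: an added example, not buncker's handler.py.

Assumptions for illustration: tokens live in a constructed token -> role table,
the realm string is arbitrary, and the readonly/admin role names follow the
commit message. The 401 carries the Bearer challenge the OCI Distribution Spec
expects so clients know to obtain credentials instead of failing opaquely.
"""
import hmac
from typing import Mapping, Optional, Tuple

TOKENS = {  # constructed token table; a real store would hold hashes, not values
    "ro-0123456789abcdef": "readonly",
    "admin-fedcba9876543210": "admin",
}
REALM = "buncker"  # assumed; clients only need a well-formed Bearer challenge
ALLOWED_ROLES = ("readonly", "admin")


def configure_restriction(restrict_oci: bool, tokens: Mapping[str, str]) -> bool:
    """Startup guard: --restrict-oci with no tokens would make every pull an unanswerable 401."""
    if restrict_oci and not tokens:
        raise SystemExit("--restrict-oci requires API auth: no tokens configured")
    return restrict_oci


def _role_for(presented: str, tokens: Mapping[str, str]) -> Optional[str]:
    """Compare against every configured token in constant time; no early exit on a match."""
    role = None
    for token, token_role in tokens.items():
        if hmac.compare_digest(presented.encode(), token.encode()):
            role = token_role
    return role


def authorize_v2(headers: Mapping[str, str], tokens: Mapping[str, str], restrict: bool) -> Tuple[int, dict]:
    """Decide a /v2/* request: (200, headers) to proceed, or (401, headers) with the challenge."""
    common = {"Docker-Distribution-API-Version": "registry/2.0"}
    if not restrict:
        return 200, common
    challenge = {**common, "WWW-Authenticate": f'Bearer realm="{REALM}"'}
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return 401, challenge
    value = value.strip()
    if not value:  # "Authorization: Bearer" with nothing after it is rejected up front
        return 401, challenge
    if _role_for(value, tokens) not in ALLOWED_ROLES:
        return 401, challenge
    return 200, common


if __name__ == "__main__":
    configure_restriction(True, TOKENS)
    print(authorize_v2({}, TOKENS, restrict=True))
    print(authorize_v2({"Authorization": "Bearer ro-0123456789abcdef"}, TOKENS, restrict=True))
```

Both the readonly and admin roles are accepted because every `/v2/*` operation a client performs against an offline mirror is a read; write endpoints would check the role separately. The same challenge is returned for a missing header, an empty token and an unknown token, so an attacker learns nothing about which case they hit.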
Add ManifestCache.is_stale() and count_stale() methods. Resolver now emits warnings for stale manifests during analyze. New config option manifest_ttl (default 30 days). Generate-manifest supports refresh_stale parameter to include stale manifests for re-download. GET /admin/status now includes stale_manifests count.
All Epic 7 features (Compose analysis, RPM packaging, logrotate, OCI auth restriction, manifest TTL) are implemented and tested. 534 tests pass across the full suite.
- Add QA gate files for stories 7.1-7.5 (all PASS)
- Add QA Results sections to all Epic 7 story files
- Fix RPM spec versions 0.9.0 -> 1.0.0 (PKG-001)
- Add test for buncker-fetch refresh:true manifest re-download (TEST-001)
- Update README: v1.0.0 badge, RPM install section, RHEL/Fedora support, --compose/--restrict-oci/--refresh-stale flags, manifest_ttl/oci.restrict config, hosts.toml example, roadmap marked Done, make build-rpm
- Add TestGlobalFlowOciRestricted e2e test: full cycle with --restrict-oci (401 without token, 200 with RO/admin, WWW-Authenticate header, blob/manifest/HEAD auth)
- Add Phase 3 to integration test-full-flow.sh: 9 OCI restriction checks across 3 containers (buncker-offline, client, online)
- Add python3-yaml dependency to offline Dockerfile for v1.0.0 Compose support
Add python3-yaml to requirements and deps, mention .rpm packaging in CONTRIBUTING.md, add Compose/staleness to Key Features, document automated 3-phase integration test script in integration README.
SEC-01: validate tar member paths for zip-slip on Python < 3.12
SEC-02: enforce TLS 1.2 minimum and restrict cipher suites
SEC-03: warn on insecure api-tokens.json file permissions at load
SEC-04: reject empty Bearer token value early
SEC-05: validate X-Buncker-Checksum as strict sha256:<64 hex>
SEC-06: set blob and metadata files to mode 0600
SEC-07: bump PBKDF2 env key iterations from 100k to 600k
SEC-08: use RSA-4096 for self-signed CA and server certificates
SEC-09: add X-Content-Type-Options, X-Frame-Options, Cache-Control
SEC-10: reject symlinks at blob destination before write
Also: document rate limiting, bind address, cert SANs in README, add explicit mode to logrotate config.
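Four of the fixes in this commit share one code path, the write of untrusted archive content into a blob store, so they are shown together below as an added example rather than buncker's store.py: strict `sha256:<64 hex>` validation (SEC-05), zip-slip protection for tar members (SEC-01, using the stdlib `data` filter where available and a manual path check otherwise), 0600 file modes (SEC-06), and refusing to write through a symlink planted at the destination (SEC-10). The archives, digests and directory layout are constructed for the demonstration; `demo()` runs every check in a scratch directory and reports which ones held.

```python
"""Hardened blob write path: an added example, not buncker's store.py.

Demonstrates strict sha256:<64 hex> checksum validation, zip-slip protection
for tar members (filter="data" where the interpreter has it, a manual path check
otherwise), 0600 blob files, and refusing a symlink at the blob destination.
All inputs below are constructed for the demonstration.
"""
import hashlib
import io
import os
import re
import tarfile
import tempfile

CHECKSUM_RE = re.compile(r"sha256:[0-9a-f]{64}")  # lowercase hex only


def validate_checksum(value: str) -> str:
    """Accept exactly 'sha256:' + 64 lowercase hex digits; fullmatch rejects trailing junk."""
    if not CHECKSUM_RE.fullmatch(value):
        raise ValueError(f"malformed checksum: {value!r}")
    return value


def _member_is_safe(member: tarfile.TarInfo, root: str) -> bool:
    """Manual zip-slip check for interpreters without the 'data' extraction filter."""
    if member.issym() or member.islnk() or member.isdev():
        return False
    target = os.path.realpath(os.path.join(root, member.name))
    return os.path.commonpath([root, target]) == root


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract into dest; a single escaping member aborts the whole extraction."""
    os.makedirs(dest, mode=0o700, exist_ok=True)
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        if hasattr(tarfile, "data_filter"):  # 3.12+, and the 3.8-3.11 security backports
            try:
                tar.extractall(dest, filter="data")  # stdlib refuses escapes, links, devices
            except tarfile.FilterError as exc:
                raise ValueError(f"unsafe tar member: {exc}") from exc
        else:
            unsafe = [m.name for m in members if not _member_is_safe(m, root)]
            if unsafe:
                raise ValueError(f"unsafe tar members: {unsafe}")
            tar.extractall(dest)
    return [m.name for m in members]


def write_blob(store_dir: str, digest: str, data: bytes) -> str:
    """Write a content-addressed blob as 0600, never through a symlink."""
    validate_checksum(digest)
    if "sha256:" + hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("checksum mismatch")
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    path = os.path.join(store_dir, digest.replace(":", "_"))
    # islink() uses lstat, so it catches a dangling symlink that exists() would miss;
    # O_NOFOLLOW then closes the race between this check and the open.
    if os.path.islink(path):
        raise ValueError(f"refusing to write through symlink: {path}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # a pre-existing file may have carried a looser mode
    return path


def make_tar(entries: dict) -> bytes:
    """Constructed in-memory tar archive for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> dict:
    """Run the checks in a scratch directory; every flag should come back True."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        benign = make_tar({"layer/config.json": b"{}"})
        results["benign_extracts"] = safe_extract(benign, os.path.join(tmp, "a")) == ["layer/config.json"]
        try:  # '../escape.txt' would land in tmp, one level above dest
            safe_extract(make_tar({"../escape.txt": b"pwned"}), os.path.join(tmp, "b"))
            results["zip_slip_blocked"] = False
        except ValueError:
            results["zip_slip_blocked"] = not os.path.exists(os.path.join(tmp, "escape.txt"))
        store, data = os.path.join(tmp, "blobs"), b"layer bytes"
        path = write_blob(store, "sha256:" + hashlib.sha256(data).hexdigest(), data)
        results["blob_mode_0600"] = (os.stat(path).st_mode & 0o777) == 0o600
        other = b"other layer"
        other_digest = "sha256:" + hashlib.sha256(other).hexdigest()
        # Attacker plants a symlink where the next blob would be written.
        os.symlink(os.path.join(tmp, "victim"), os.path.join(store, other_digest.replace(":", "_")))
        try:
            write_blob(store, other_digest, other)
            results["symlink_refused"] = False
        except ValueError:
            results["symlink_refused"] = not os.path.exists(os.path.join(tmp, "victim"))
    return results
```

The `hasattr(tarfile, "data_filter")` probe is the documented way to detect the extraction filter, since it was backported to 3.8 through 3.11 security releases as well; gating on the version number alone would miss those. Note that the manual check and the stdlib filter differ on absolute member names (the filter strips the leading slash and extracts inside `dest`, the manual check rejects), which is why the demonstration uses a `../` member that both paths refuse.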
- Add pyyaml to CI pip install (fixes ModuleNotFoundError on yaml)
- Fix symlink check in store.py (check before exists() for Linux)
- Add tests for handler GC endpoints, compose analysis, logs edge cases, disk space check, import/generate without crypto keys, HEAD /v2/
- Add tests for compose edge cases (invalid YAML, non-dict services)
- Add tests for resolver staleness, internal images, compose Dockerfile
- Add python3-yaml to deb-install test Dockerfile (new buncker dependency)
- Add make to Fedora container for rpm build step
Summary
- Compose analysis: `buncker analyze` on `docker-compose.yml`
- Log rotation for `/var/log/buncker/`
- `--restrict-oci` flag to require Bearer auth on OCI `/v2/*` endpoints
- `stale_manifests` in status/analyze

Changes

Features
- Compose analysis (`buncker/compose.py`, `buncker/resolver.py`): parse `docker-compose.yml` and resolve all image references
- RPM packaging (`packaging/*/rpm/`): `.spec` files + `build-in-docker-rpm.sh` build script
- Log rotation (`packaging/buncker/logrotate`): daily rotation, 30 days retention, mode 0640
- OCI auth restriction (`buncker/handler.py`, `buncker/__main__.py`): `--restrict-oci` CLI flag with `WWW-Authenticate: Bearer` on 401
- Manifest TTL (`buncker/registry_client.py`): configurable `manifest_ttl` (default 30 days), stale manifest reporting

Security (10 fixes)
- Tar extraction: validate member paths for zip-slip on Python < 3.12 (`filter="data"` on 3.12+)
- TLS 1.2 minimum, restricted cipher suites
- Warn on insecure `api-tokens.json` file permissions at load
- Reject empty Bearer token value early
- Validate `X-Buncker-Checksum` as strict `sha256:<64 hex>`
- Blob and metadata files: `chmod 0600`, symlink detection before write
- PBKDF2 env key iterations 100k -> 600k
- RSA-4096 for self-signed CA and server certificates
- Response headers: `X-Content-Type-Options`, `X-Frame-Options`, `Cache-Control`

Tests

Test plan
- `ruff check` - all checks passed
- `ruff format --check` - 56 files formatted
- `pytest` - 560 passed, 9 skipped