
Make things safe for running untrusted code #366

Closed
vito opened this issue Apr 11, 2016 · 12 comments

Comments

@vito
Member

commented Apr 11, 2016

(This issue's a WIP; just want to log this somewhere.)

I'd like to document Concourse's usage in running untrusted code, e.g. via pull requests. There's a pretty neat Pull Request resource already, but I can't in good conscience recommend using it until we have answers for the following attack vectors (some of which we already do).

In no particular order:

  1. DOS the host machine, forcing it to reboot (e.g. echo b > /proc/sysrq-trigger).
  2. Consume crazy amounts of memory/disk/bandwidth/etc. for extended periods of time.
  3. Reach arbitrary sensitive information within the worker's private or local network.
  4. Reach sensitive data on the worker's disk.
  5. Access pipeline credentials.
  6. Escalate task capabilities beyond normal.
  7. Affect (by killing) other processes running on the worker.

And here's how Concourse currently fares:

  1. OK. This should be safe as long as the containers don't run privileged. Of course, barring any kernel bugs or CVEs that come out. We're talking fundamentals here.
  2. Not OK, but maybe not critical. We currently don't apply any memory, disk, or bandwidth limits on any containers. I don't want to force people to think about it, and having even optional configuration for this is dangerous (people will just forget to set it). I'm not sure if people expect this; maybe we should investigate what kind of limits Travis enforces?
  3. CRITICAL. By default, containers have unlimited access to the host machine's private network. Each worker currently binds on its external IP via TCP, so if the attacker can guess your worker IPs, they can reach your Garden servers and do bad things. This is fixable by setting network restrictions on the worker (--allowNetworks, --denyNetworks flags), but it may be a better idea to just have auth in front of Garden.
  4. OK, again barring CVEs. This one's pretty basic and is part of the point of running everything in containers.
  5. OK, as long as resources don't leak their credentials or something.
  6. OK; privileged lives in the pipeline config, not the task config, for this very reason.
  7. OK aside from points 3 (kill containers via Garden API) and 2 (OOM/other resources). The rest is basic containerization (PID namespaces).

Any others?
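As an added example (not part of this issue or of Concourse's own code), a small Go model of the deny/allow network rules mentioned in point 3, used to check whether a worker's own Garden address stays reachable from a task under a given rule set. The precedence (an allowed CIDR overrides a denied one), the `PrivateRanges` list and the sample addresses are assumptions for the example, not Garden's documented behaviour.

```go
package main

import (
	"fmt"
	"net"
)

// Policy models per-container egress rules in the style of the worker's
// --denyNetworks / --allowNetworks flags. Assumed semantics for this example:
// a destination inside any denied CIDR is blocked unless it also falls inside
// an allowed CIDR; everything else is reachable. Check the Garden docs for the
// exact precedence before relying on it.
type Policy struct {
	deny  []*net.IPNet
	allow []*net.IPNet
}

// PrivateRanges covers RFC 1918 space plus loopback and link-local, i.e. the
// addresses a worker's "private or local network" is likely to live in.
var PrivateRanges = []string{
	"10.0.0.0/8",
	"172.16.0.0/12",
	"192.168.0.0/16",
	"127.0.0.0/8",
	"169.254.0.0/16",
}

func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// NewPolicy builds a Policy from deny and allow CIDR lists; an empty deny list
// is the unrestricted default the issue describes.
func NewPolicy(deny, allow []string) (*Policy, error) {
	d, err := parseCIDRs(deny)
	if err != nil {
		return nil, err
	}
	a, err := parseCIDRs(allow)
	if err != nil {
		return nil, err
	}
	return &Policy{deny: d, allow: a}, nil
}

func anyContains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allows reports whether a container under this policy may connect to ip.
func (p *Policy) Allows(ip net.IP) bool {
	if !anyContains(p.deny, ip) {
		return true
	}
	return anyContains(p.allow, ip)
}

// ReachableHosts filters a list of sensitive addresses (for instance the
// worker's own Garden bind address) down to those the policy still exposes.
// Anything in the result is a finding: a task could open a connection to it.
func (p *Policy) ReachableHosts(hosts []string) ([]string, error) {
	var exposed []string
	for _, h := range hosts {
		ip := net.ParseIP(h)
		if ip == nil {
			return nil, fmt.Errorf("not an IP address: %q", h)
		}
		if p.Allows(ip) {
			exposed = append(exposed, h)
		}
	}
	return exposed, nil
}

func main() {
	// Constructed sample: this worker's Garden API listens on 10.0.1.15, builds
	// need the internal DNS resolver at 10.0.1.53, and 93.184.216.34 is public.
	sensitive := []string{"10.0.1.15", "10.0.1.53", "93.184.216.34"}

	open, _ := NewPolicy(nil, nil)
	locked, _ := NewPolicy(PrivateRanges, []string{"10.0.1.53/32"})

	cases := []struct {
		name string
		pol  *Policy
	}{
		{"default (no limits)", open},
		{"deny private, allow DNS", locked},
	}
	for _, c := range cases {
		exposed, _ := c.pol.ReachableHosts(sensitive)
		fmt.Printf("%-24s -> reachable from a task: %v\n", c.name, exposed)
	}
}
```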

@concourse-bot


commented Apr 11, 2016

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

  • #117354659 Make things safe for running untrusted code

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

vito added a commit that referenced this issue Aug 17, 2016
would not be surprised at all if this breaks things, but it's easiest to
see by trying

bump tail pat cli retryhttp jwt-go go-bindata-assetfs color tcpkeepalive protobuf go-github go-querystring websocket go-multierror tail go-update pty pq go-isatty mapstructure ginkgo remote_syslog2 link term agouti ansicolor ifrit go-interact go-sse gosub crypto net oauth2 pb.v1 yaml.v2

  > Merge pull request #107 from papertrail/v0.15
  > Merge pull request #104 from papertrail/clarify-log-help-text
  > Merge pull request #97 from papertrail/connection-timeout
  > Merge pull request #98 from papertrail/write-deadline
  > Merge pull request #103 from papertrail/continue-on-connection-error
  > Merge pull request #100 from papertrail/generate-stracetraces
  > Merge pull request #101 from papertrail/explicitly-enable-cgo
  > Merge pull request #92 from papertrail/troubleshooting
Submodule src/github.com/peterhellberg/link 1082c67..d1cebc7:
  > Run the tests against 1.6 and 1.5.3
  > Updated copyright year [skip ci]
  > Changed rfc5988 to RFC 5988, rfc5987 to RFC 5987
Submodule src/github.com/pkg/term d7ef5fb..b1f72af:
  > Merge pull request #19 from jdeppe-pivotal/master
  > Merge pull request #18 from dumbbell/fix-freebsd-support
  > convert from wercker to travis
  > Merge pull request #17 from stuartrpearlman/tcflush-fix
  > Merge pull request #16 from aitjcize/master
  > Merge pull request #14 from liamstask/hw-flow-ctrl
  > Merge pull request #13 from liamstask/read-timeout
Submodule src/github.com/sclevine/agouti ce62464..e5378e7:
  > remove un-used tests
  > fix failing tests
  > Merge remote-tracking branch 'origin/master'
  > rework TouchAction to make it "Repository" aware, and mimic the new Agouti API.
  > Merge remote-tracking branch 'sclevine/master'
  > Merge remote-tracking branch 'sclevine/master'
  > Merge remote-tracking branch 'origin/feature/appium-replace-value'
  > Merge pull request #2 from abourget/feature/appium-reset-app
  > Merge pull request #1 from abourget/allByID
  > TouchAction tests pass.
  > Fix the touchaction code.  Suite still failing..
  > Most test suites restored. Appium in progress.
  > Appium WIP
  > First draft at implementing the TouchAction methods and chaining.
  > Added debug output when command fails to start.
  > Add more selectors, both to Agouti and Appium.  Those compatible with standard WebDriver are in agouti, but they are used more in Appium (like FindByID), since it corresponds to the resource ID.
  > Appium: Implemented All(), with MultiSelection
  > Appium: Added meat around selection on appium.Device and appium.Selection
  > TouchAction test updated, shows chaining in action.
  > Fix tests and decouple from *mobile.Session.
  > Moved TouchAction. Drafted first tests.
  > Selectors ready to go + AgoutiOptions + comments
  > Possible solution to unexported selector issues
  > Refactor target package to have a single selectors#Append method
  > RFC: Debug flag as options
  > Added "AppendClass", and selectors for class-based selection.  Appium uses classes to select component types.
  > Drafting TouchAction
  > Appium: First version to compile.
  > A few design ideas for abourget - nothing functional
Submodule src/github.com/shiena/ansicolor d445752..a422bbe:
  > Merge pull request #9 from techtonik/patch-1
Submodule src/github.com/tedsuo/ifrit 3a41de6..6711154:
  > Merge pull request #16 from cwlbraa/master
  > Merge pull request #15 from jvshahid/fix-early-interrupt-in-ordered-group
  > Merge pull request #13 from lwoydziak/master
  > Merge pull request #12 from lwoydziak/master
  > Merge pull request #11 from cf-routing/handle-multiple-signals
  > Invoke ffs
Submodule src/github.com/vito/go-interact 0eb3903..965b78f:
  > add MIT license
Submodule src/github.com/vito/go-sse bfb56c5..fd69d27:
  > Merge pull request #3 from cf-routing/max_retries
Submodule src/github.com/vito/gosub 2aa7c2b..84ac9df:
  > Merge pull request #6 from concourse/master
  > Merge pull request #5 from rosenhouse/actionfunc
Submodule src/golang.org/x/crypto c8b9e63..a8a4eed:
  > acme/autocert: improve test speed on 386
  > acme: improve http-01 challenge API
  > acme/autocert: new high-level package for automatic cert management
  > nacl/secretbox: add Seal, Open example
  > acme: context-aware Client methods
  > acme: build up full chain certs when requested
  > acme: format Client and errors
  > acme: preserve account URI on get and update
  > acme: improve TLSSNI{01,02}ChallengeCert methods
  > acme: simplify TLS-SNI challenge cert
  > acme: support for ECDSA keys
  > acme: TLS-SNI challenges implementation
  > acme: specify which version exactly is implemented
  > ssh: clarify error type if a SendRequest goes unanswered
  > x/crypto/ssh/terminal: have MakeRaw mirror cfmakeraw.
  > ssh: disable known-flaky test from the Go build dashboard
  > x/crypto/ssh: add ed25519 certs to supportedHostKeyAlgos
  > acme: prompt for terms agreement
  > ocsp: fix default value of Version in ResponseData
  > x/crypto/ssh/agent: ecdsa key/cert typo
  > acme: default values and discovery
  > x/crypto/ssh: handle missing exit status more gracefully.
  > x/crypto: fix typos
  > x/crypto/ssh: use BigEndian.Uint32 for decoding exit status.
  > x/crypto/ssh: Add support for retryable authentication
  > agent: add agent server support for ed25519 keys.
  > crypto/ssh: minor comment change (trivial)
  > go.crypto/blowfish: fix typo in docstring in cipher.go
  > x/crypto/ssh: set constraints when adding certs to the agent
  > ssh: allow adding ed25519 keys to the agent
  > x/crypto/ssh: return msgNewKeys for a short-circuited first kex.
  > x/crypto/ssh: add 3des-cbc as a non-default cipher
  > x/crypto/ssh: add support for ed25519 keys
  > x/crypto/ssh: hide msgNewKeys in the transport layer.
  > ssh: fix compatibility with recent OpenSSH
  > acme: format test data
  > x/crypto/openpgp/s2k: fix misleading function comment
  > x/crypto/ssh: also log data packets when debugHandshake is set
  > x/crypto/ssh: fix subsequent key exchanges.
  > x/crypto/ed25519: add package.
  > x/crypto/ssh: support more keytypes in the agent.
  > x/crypto/ssh: if debugMux is set, also log global messages.
  > x/crypto/ssh: remove misleading comment, add example
  > sha3: revert alignment optimization on ppc64
  > x/crypto/ssh/agent: Support v1 remove all message
  > x/crypto/ssh: omit empty fields in error message
  > x/crypto/ssh: debug support for msgUserAuthSuccess and msgChannelData
  > acme: initial import of ACME implementation
  > x/crypto/ssh: make sure the initial key exchange happens once.
  > x/crypto/ssh/terminal: ensure windows MakeRaw returns previous state
  > x/crypto/ssh/terminal: create stubs for plan9 methods
  > openpgp: Allow V3 signatures in messages
  > x/crypto/ssh: interpret disconnect message as error in the transport layer.
  > x/crypto/ssh: Add timeout for dialing
  > golang/x/crypto/sha3: use better alignment
  > openpgp: ECDSA key and signature support
  > x/crypto/ocsp: correct OID for DSA-with-SHA-256.
  > openpgp/clearsign: Handle truncated messages
  > x/crypto/ssh/agent: add a client example and tweak package doc.
  > x/crypto/ocsp: return errors to reflect OCSP errors.
  > x/crypto/ssh: add function to parse known_hosts files.
  > x/crypto/openpgp: add ElGamal support when writing GPG keys.
  > x/crypto/ssh: allow a custom Config to specify CBC mode.
  > x/crypto/pkcs12: fix typo in struct tag
  > ocsp: add support for OCSP response extensions
  > x/crypto/ssh/agent: Fix keyring removing the wrong key(s)
  > x/crypto/ssh: run go fmt
  > x/crypto/otr: reformat the libotr test harness with clang-format.
  > x/crypto/otr: update libotr test code for version 4.
  > x/crypto/otr: make errors fatal.
  > x/crypto/otr: clear key slots when handshaking.
  > crypto/ssh: fix typo in error string.
  > x/crypto/openpgp/packet: fix message for errors resulting from an unknown cipher.
  > otr: smpFailureError processing tlvTypeSMP3 prevents sending tlvTypeSMP4
  > x/crypto/pkcs12: deal with short byte array in PBKDF
Submodule src/golang.org/x/net cd8c270..07b5174:
  > publicsuffix: update table to latest list from publicsuffix.org
  > http2: adjust flow control on open streams when processing SETTINGS
  > http2: add missing import path declaration
  > http2: add more Transport logging around why connections close
  > http2: fix Transport.RoundTrip hang on stream error before headers
  > http2: add more HEADERS and error logging in GODEBUG=http2debug=2 mode
  > http2: make Transport work around mod_h2 bug
  > http2: don't ignore DATA padding in flow control
  > http2: return flow control for closed streams
  > http2: fix data race on cc.singleUse
  > route: don't crash or hang up with corrupted messages
  > http2: make Transport prefer HTTP response header recv before body write error
  > http2: make Transport treat "Connection: close" the same as Request.Close
  > context/ctxhttp: if context is canceled, return its error
  > http2: fix flaky TestTransportResPattern_* tests
  > http2: make Transport honor Request.Close more aggressively
  > http2: fix flaky TestTransportReqBodyAfterResponse_403
  > context/ctxhttp: add a specialized minimal version for Go 1.7
  > publicsuffix: update table to latest list from publicsuffix.org.
  > http2: add additional blacklisted ciphersuites
  > http2: merge multiple GOAWAY frames' contents into error message
  > http2: make Transport return server's GOAWAY error back to the user
  > webdav: skip test that fails with gccgo
  > ipv4: add support for ppc (using gccgo)
  > ipv6: add support for ppc (using gccgo)
  > http2: fix typo in ReadFrame
  > bpf: implement LoadExtension and ExtLen for VM
  > bpf: fix a typo
  > bpf: add Go implementation of virtual machine
  > webdav: respect the Handler.Prefix in confirmLocks.
  > publicsuffix: strip generated comments; automatically scrape git version.
  > http2: fix data race on pipe
  > http2: consider buffered data when doing stream flow control
  > http2: GotFirstResponseByte hook should only fire once
  > websocket: fix Read behaviour in hybiFrameReader.Read
  > webdav: set 'getlastmodified' live property for directories
  > http2: fix nits in test
  > http2: allow http scheme for http2
  > http2: prevent Server from sending status 100 header after anything else
  > http2: let handlers close Request.Body without killing streams
  > http2: fix Transport.CloseIdleConnections when http1+http2 are wired together
  > http2: delay sending request body in Transport if 100-continue is set
  > http2, lex/httplex: make Transport reject bogus headers before sending
  > http2: reject more trailer values
  > http2: with Go 1.7 set Request.Context in ServeHTTP handlers
  > http2: when using Go 1.7, make Transport use httptrace hooks
  > ipv6: add support for linux/s390x
  > ipv4: add support for linux/s390x
  > route: fix typos in test
  > ipv6: support attaching packet filters to PacketConn.
  > ipv4: support attaching packet filters to PacketConn/RawConn.
  > route: new package
  > http2/hpack: forbid excess and invalid padding in hpack decoder
  > http2: make Transport use Request.Context, set Response.Uncompressed
  > context: correct spelling of TODO in comment
  > ipv4: don't fail test on big endian machine
  > icmp: don't fail test on big endian machine
  > net/trace: fix comment typo
  > context: fix doc typo
  > http2: allow StreamDep of 0 in HEADERS and PRIORITY frames
  > http2: delete pre-Go1.5 request cancellation
  > context/ctxhttp: remove pre-Go 1.5 support
  > context: bump gccgo-specific alloc limit for WithTimeout test.
  > http2: standardize RFC mention format
  > ipv6: fix a typo
  > ipv4: fix a typo
  > icmp: fix a typo
  > http2: fix typos
  > http2/hpack: fix a typo
  > webdav: have the exported API use the standard library's xml.Name type.
  > webdav: rename the "etc/internal/xml" import.
  > webdav: run "gofmt -s" to simplify some tests.
  > webdav: fill in the package's doc comment.
  > webdav: remove runtime check for Go 1.4 or earlier.
  > http2: make Server reject connection-level headers with a 400 response
  > websocket: remove redundant error handling
  > context: implement in terms of the standard library for Go 1.7+
  > http2: Ignore Keep-Alive header in requests
  > bpf: rename LoadIPv4HeaderLen to the more generic LoadMemShift.
  > ipv6: remove unnecessary sysSockoptLen type
  > ipv4: remove unnecessary sysSockoptLen type
  > http2: fix truncated comment
  > bpf: correct spelling of marshaling in package doc.
  > bpf: add package documentation describing the BPF virtual machine.
  > bpf: simplify disasm state machine.
  > bpf: new package to assemble and disassemble Berkeley Packet Filter programs.
  > http2: revert part of e7da8eda to fix data race it introduced
  > http2: make Transport handle HEAD responses with DATA frames
  > http2: don't make garbage when sorting things
  > http2: remove method value allocation per read frame
  > http2: reduce alloc-heavy init
  > context: Uniformly pass cancelCtx by pointer.
  > trace: make AuthRequest robust to multiple RemoteAddr formats
  > http2: reduce garbage in Server on requests with bodies
  > websocket: Be explicit about goroutine safety
  > http2: gofmt -w -s
  > context/ctxhttp: fix data race in tests
  > publicsuffix: Make gen.go faster.
  > publicsuffix: update table to latest list from publicsuffix.org.
  > http2: add Framer.ErrorDetail method
  > http2: don't override user's Transport.TLSConfig.ServerName
  > http2/h2i: Handle invalid usage more idiomatically.
  > internal/iana: update protocol numbers
  > http2: move merging of HEADERS and CONTINUATION into Framer
  > ipv6: fix potential misaligned memory access
  > ipv4: fix potential misaligned memory access
  > icmp: fix potential misaligned memory access
  > http2: fix crash in Transport on double Read of invalid gzip Response.Body
  > publicsuffix: add some commentary on using "go run gen.go".
  > http2: fix a nit
  > http2: don't send Connection-level headers in Transport
  > http2: export Server.ServeConn
  > http2/h2demo: update bug link, add idle conn timeouts
  > publicsuffix: update table to latest list from publicsuffix.org on 2016-01-30.
  > http2: don't add *Response to activeRes in Transport on Headers.END_STREA
  > http2: add mechanism to send undeclared Trailers mid handler
  > http2: remove unused variable
  > http2: reduce log spam, especially on Windows
  > net/context/ctxhttp: fix case where Body could leak and not be closed
  > http2: clarify field-value grammar in doc; reject DEL in field value
  > http2: validate received header field values in Server and Transport
  > publicsuffix: update table to latest list from publicsuffix.org
  > http2: unmailed code review cleanups from previous commit
  > http2: make Transport respect http1 Transport settings
  > http2: make Transport send a Content-Length
  > http2: make configureTransport return the new t2 transport as well
  > http2: make Transport close unneeded connections after h1->h2 upgrade
  > icmp: fix typo.
  > http2: add Transport strictness, paranoia, logging for unwanted DATA frames
  > context/ctxhttp: don't test on plan9
  > http2/h2i: disable building h2i on plan9 and solaris
  > http2: skip TestServer_RejectsLargeFrames on windows (fixes build)
  > http2: log frame reads at log level http2debug=2 also, not just writes
  > http2: fix channel double-close crash
  > http2: add tests to verify the type of peer stream resets
  > x/net/icmp: fix typos in comments
  > http2: relax Trailer predeclaration requirement in Transport
  > html/charset: replace EUC-KR test
  > http2: clean up debugging, rename GODEBUG key
  > http2: mix cleanups, TODOs, new tests, enforce header list size in Transport
  > http2: make Transport ignore 100-continue responses, add comprehensive tests
  > http2: fix nits found by vet
  > http2: fix Transport cancelation problems
  > http2: set default User-Agent if not otherwise specified
  > http2: support CONNECT requests
  > context/ctxhttp: allow cancellation after Do returns
  > trace: properly set the content type when sending html
  > http2: move HEADERS/CONTINUATION order checking into Framer
  > http2: fix typo and simplify truncation of text in test
  > http2: fix readFrames goroutine spin between ConnectionError and conn close
  > http2: reset DebugGoroutines after testing it
  > html/charset: verify correct UTF-8 behavior
  > http2: make Transport's Response.Body.Close not wait for buffered data
  > http2: send client trailers
  > html/charset: handle unsupported code points for encoding
  > html/charset: use x/text/encoding/htmlindex
  > http2: add support for Transport reading trailers from the server
  > http2: add server-side trailer support
  > http2: add Server support for reading trailers from clients
  > http2: add disabled start of tests for trailers, clean up, deflake some tests
  > http2: catch panics server-side, respect RST_STREAM on the Transport side
  > ipv6: update example for the use of dual stack listener
  > ipv4: update example for the use of dual stack listener
  > ipv6: add support for linux/{mips64,mips64le}
  > ipv4: add support for linux/{mips64,mips64le}
  > http2: fix build for Go 1.4 users
  > http2: support Request.Cancel in Transport
  > http2: send "http/1.1" ALPN in TLS dial in addition to "h2"
  > html/charmap: update table with latest data
  > netutil: Ditch go1.3 build tag.
  > xsrftoken: fix lint error in Timeout's comment.
  > webdav: fix props for directory
  > xsrftoken: add package import comment
  > xsrftoken: update token implementation
  > html: remove license references from benchmark test data
  > xsrftoken: copy from code.google.com/p/xsrftoken
  > http2: fix two cases of Server behavior not matching HTTP/1
  > http2: make the Transport write request body data as it's available
  > publicsuffix: update table to latest list from publicsuffix.org.
  > ipv6: simplify log message format
  > ipv4: simplify log message format
  > http2: merge duplicate Transport dials
  > icmp: fix miscalculation on multipart message bodies
  > x/net/webdav: percent-encode D:href in the XML.
  > http2: add automatic gzip compression for the Transport
  > http2: client & server fixes
  > ipv6: move unexposed error values into helper.go
  > ipv4: move unexposed error values into helper.go
  > http2/h2demo: updates to text and Makefile to upload/deploy it
  > context: fix typo in TODO documentation
  > http2/h2i: add settings flag
  > http2: minor transport code & docs cleanups
  > http2: add ConfigureTransport, like ConfigureServer
  > http2: handle pings in Transport
  > http2: client conn pool abstraction
  > http2: add Transport.RoundTripOpt, adds option to RoundTrip without new dials
  > publicsuffix: update table to latest list from publicsuffix.org.
  > http2: fix Server race with ResponseWriter.curWrite re-use
  > http2: another Transport body-writing bug fix, and more tests
  > http2: fix Transport's flow control control when writing request bodies
  > http2: swallow io.EOF while reading body and flow fix
  > http2: append query to :path pseudo-header
  > http2: add DialTLS to Transport
  > http2: push stream look up later in Transport, address some TODOs/cleanups
  > http2: prevent deadlock channel send in server Handler if client disappears
  > http2: send WINDOW_UPDATE frames while reading Transport Response bodies
  > http2: add per-Response buffered response bodies with separate flow control
  > http2: write Transport bodies
  > http2: change the pipe and buffer code
  > http2: remove Transport.Fallback
  > http2: add Transport.AddIdleConn
  > http2: quiet Transport logging
  > http2: fix server race
  > http2: update the curl and nghttp2 versions used in tests
  > http2: fix broken test after ConfigureServer change
  > http2: make ConfigureServer set PreferServerCipherSuites, return an errors
  > context: attempt to deflake TestLayersTimeout with timer padding.
Submodule src/golang.org/x/oauth2 ef4eca6..4784bb8:
  > uber: Add Uber API endpoints
  > oauth2/google: change import paths
  > oauth2: add reference to clientcredentials package
  > oauth2: fix stale docs
  > google: fix warnings from go vet
  > oauth2: fix warning from go vet
  > jws: use base64.RawURLEncoding
  > google: fix the build when appengine isn't present
  > internal: decapitalize the argument names
  > google: support key ID in JWTAccessTokenSourceFromJSON
  > Revert "passwordcredentials: add"
  > passwordcredentials: add
  > travis: always build against tip
  > internal: fix transport_test use of nil Context
  > jws: Fix typo in jws_test
  > jws: add RS256 Verification for JWS
  > google: Update godocs to reflect recent GCP front-end changes.
  > hipchat: Generate Config for Connect integrations
  > oauth2: remove mockCache since NewTransportFromTokenStore() removed.
  > hipchat: Add endpoint function for HipChat server
  > oauth2/internal: Add api.dropboxapi.com to broken providers.
  > hipchat: Add HipChat API endpoints
  > fitbit: add Fitbit API endpoints
  > internal: add Patreon to the broken auth list
  > internal: add Wunderlist to list of broken auth providers
  > internal: add baidu.com to the broken auth list
  > slack: new package with Slack's endpoints
  > transport_test: added TestNilTokenSource + close res.Body per GET
  > microsoft: add windows live endpoints
  > internal: primarily use the HTTP client provided in the context
  > oauth2: allow users to register broken OAuth2 implementations
  > internal: add Salesforce to list of broken auth providers
  > internal: add microsoftonline.com to list of broken providers
  > jws: fix base64Decode for strings of length 1 (mod 4).
  > jws: add EncodeWithSigner function.
  > all: change copyright to 'Go Authors'
Submodule src/gopkg.in/cheggaaa/pb.v1 8808370..9453b2d:
  > 1.0.5
  > Merge branch 'A40in-master'
  > Merge pull request #82 from hackintoshrao/create-getcurrent
  > 1.0.4
  > Reader implements io.Closer #80 #60
  > bar.Finish in example #79
Submodule src/gopkg.in/yaml.v2 53feefa..e4d366f:
  > Updated LICENSE to Apache License 2.0.
  > Merge pull request #152 from mwhudson/go16-compat
  > Merge master.
  > Add .travis.yml
  > More UTF-16 test cases by John.
  > Fix UTF-16 LE and BE handling.
@vito vito added the enhancement label Oct 6, 2016
@vito vito added the discuss label Oct 15, 2016
@concourse-bot concourse-bot removed the discuss label Oct 15, 2016
@vito vito added the discuss label Oct 16, 2016
@vito vito removed the unscheduled label May 8, 2017
@vito vito added this to Research 🤔 in Runtime Aug 14, 2017
@vito vito removed the enhancement label Nov 28, 2017
@stela
commented Jun 6, 2018

@vito
5. is NOT OK: some resources do leak credentials; it's very easy to dump all your team's credentials, e.g. for deployment to production or git, even if the credentials are stored in CredHub or Vault. So far I have found two paths to achieve this.

A. If a developer has access to Concourse, the developer can set a new pipeline like:

jobs:
- name: show-animal-names
  plan:
  - task: show-animal-names
    config:
      platform: linux
      image_resource:
        type: docker-image
        source:
          repository: busybox
      params:
        TOPSECRET: "((production-deploy-password))"
      run:
        path: env

B. If a developer can commit a "child" build.yml pipeline to version control and have Concourse execute it:
main-pipeline.yaml

resources:
- name: mysrc
  type: git
  source:
    uri: git@github.com:me/mysrc.git
    branch: master
    private_key: ((github-private-key))

jobs:
- name: build-job
  public: false
  plan:
  - get: mysrc
  - task: tests
    file: mysrc/build.yml

build.yml:

platform: linux
image_resource:
  type: docker-image
  source:
    repository: 'busybox'
inputs:
- name: mysrc
run:
  path: env
params:
  TOPSECRET: ((production-deploy-password))

This is a shame, as Concourse is so close to getting this right, running resource types like git and cf out-of-reach from the main source code build, and only exposing explicitly passed ((variables)).

B could be resolved by disabling variable-expansion in child-build.yml files, either completely or by flagging "developer-safe" variables in the main-pipeline.

A could be resolved by either having fine-grained authorization of who is permitted to execute set-pipeline, or better, I believe, by only permitting variable-expansion for trusted non-leaky resource types like git (I think?) but disabling it for developer-controlled types like docker-image. However, even deployment resources like e.g. cf (Cloud Foundry) could be sensitive if the developer reroutes logins to a developer-controlled URL: the raw original password is sent (i.e. PAKE is not used).

@vito
Member Author

commented Jun 6, 2018

@stela This issue is primarily concerned with "B". You bring up a good point. We should maybe just disallow variable expansion, or only allow it during fly execute. It'll make some people sad since they use it for image_resource credentials. But security comes first.

I think RBAC is the solution to "A" - I really don't want to get into preferential treatment of resource types. There's really nothing about git that should make it any safer than docker-image, especially in light of CVEs. If someone can "set-pipeline" that's pretty much the keys to the kingdom. We're working on RBAC so you can control who can and can't - see #1317 and its precursor issue, #1888 (along with the epic/users label in general).

@stela
commented Jun 6, 2018

@vito thanks, disallowing variable expansion would probably be enough to make it secure against arbitrary developer commits. What you could get away with, though, for image_resource credentials and such would be to somehow set those credentials declaratively by naming convention, e.g. if there's a Vault/CredHub key named teamname/pipelinename/docker_image/docker-registry-hostname/password or similar, it would automatically be assigned as the docker password value to matching docker-image resources?
Or allow defining named docker repositories in the main pipeline.yml and then only allow the build.yml to refer to them and provide repository and tag values?

@vito
Member Author

commented Jun 6, 2018

@stela I like the conventional paths approach but it might be a bit constraining; we've already received feedback from users that want to be able to break from Concourse's enforced convention and use their own paths and fine-grained Vault permissions/etc.

One thing people can do without any task interpolation is use a pipeline-provided resource:

resources:
- name: golang
  type: docker-image
  source:
    repository: my-hub-account/my-image
    username: ((my-name))
    password: ((my-password))

jobs:
- name: unit
  plan:
  - get: my-repo
  - get: golang
  - task: my-repo/ci/unit.yml
    image: golang

...which people could do forever, but they seemed dissatisfied. Hmm.

@dstufft
commented Jul 5, 2018

If a deployment is only concerned about people committing things (particularly in untrusted pull requests), then "B" above is the only case we care about right?

@vito
Member Author

commented Jul 5, 2018

@dstufft yep!

@dstufft
commented Jul 5, 2018

Is there currently any way to work around it? I've been poking at Concourse again, and I think maybe if the pipeline doesn't use any child tasks and stores all tasks in the pipeline itself it should be ok?

@vito
Member Author

commented Jul 26, 2018

@dstufft (sorry for the delay) - yeah, as long as your pipeline doesn't load tasks from untrusted repositories (PRed repos) you should be safe. You could either inline them with config: or take them from some other repo that only you control.
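Both guardrails discussed in this thread can be enforced before `fly set-pipeline` with a small pre-flight check: refusing `((var))` interpolation in a task config file that came from a repo an attacker can commit to (the leaky build.yml in @stela's case B above), and flagging any task whose `file:` is read out of an untrusted resource rather than inlined with `config:` or taken from a repo only you control (the workaround @vito describes). The script below is an added example in Python; it is not Concourse's own code and not from any commenter. It takes the pipeline as a plain dict (what `yaml.safe_load` would hand you) so it runs without dependencies; the resource type name `pull-request`, the `vault:`-prefixed var form, and the sample pipeline and build.yml are constructed assumptions for illustration.

```python
import re
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Concourse credential-manager references: ((name)), ((name.field)), ((store:path.field)).
# The store: prefix is assumed here for newer var-source syntax.
VAR_REF = re.compile(r"\(\(\s*([A-Za-z0-9_./:\-]+)\s*\)\)")


def find_var_refs(task_yaml: str) -> List[Tuple[int, str]]:
    """(line_number, var_name) for every ((var)) in the raw text of a task config."""
    refs: List[Tuple[int, str]] = []
    for lineno, line in enumerate(task_yaml.splitlines(), start=1):
        refs.extend((lineno, m.group(1)) for m in VAR_REF.finditer(line))
    return refs


def check_untrusted_task(task_yaml: str, allowed: Iterable[str] = ()) -> List[str]:
    """Findings for a task config loaded from a repo an attacker can commit to.
    `allowed` is an optional allowlist of "developer-safe" names; anything else is
    reported, since a PR author can add a ((secret)) reference to exfiltrate it."""
    safe: Set[str] = set(allowed)
    return [f"line {lineno}: untrusted task config interpolates (({name}))"
            for lineno, name in find_var_refs(task_yaml) if name not in safe]


def _walk_steps(steps: List[dict]) -> Iterator[dict]:
    """Yield every step of a job plan, descending into step groups and hooks."""
    for step in steps:
        yield step
        for key in ("do", "aggregate", "in_parallel"):
            sub = step.get(key)
            if isinstance(sub, dict):          # in_parallel may be {steps: [...], limit: N}
                sub = sub.get("steps", [])
            if sub:
                yield from _walk_steps(sub)
        for key in ("try", "on_success", "on_failure", "on_abort", "ensure"):
            if isinstance(step.get(key), dict):
                yield from _walk_steps([step[key]])


def check_pipeline(pipeline: dict, untrusted_types: Iterable[str] = ("pull-request",)) -> List[str]:
    """Flag tasks whose config is read via `file:` from an untrusted resource.
    Inline `config:` tasks are pipeline-authored and not reported. `get: alias` with
    `resource: real-name` is honoured, since `file:` paths use the artifact name."""
    kinds = set(untrusted_types)
    untrusted_res = {r["name"] for r in pipeline.get("resources", []) if r.get("type") in kinds}
    findings: List[str] = []
    for job in pipeline.get("jobs", []):
        steps = list(_walk_steps(job.get("plan", [])))
        artifacts: Dict[str, str] = {s["get"]: s.get("resource", s["get"]) for s in steps if "get" in s}
        for s in steps:
            path = s.get("file")
            if not path:
                continue
            root = path.split("/", 1)[0]
            res = artifacts.get(root)
            if res in untrusted_res:
                findings.append(f"job {job['name']}: task {s.get('task')} loads {path} "
                                f"from untrusted resource {res} (artifact {root})")
    return findings


# Constructed sample: the leaky child build.yml from this thread.
BUILD_YML = """\
platform: linux
image_resource:
  type: docker-image
  source:
    repository: busybox
inputs:
- name: mysrc
run:
  path: env
params:
  TOPSECRET: ((production-deploy-password))
"""

# Constructed sample pipeline: one job runs a task file from a PR, one from a trusted repo.
PIPELINE = {
    "resources": [
        {"name": "mysrc", "type": "git", "source": {"uri": "git@github.com:me/mysrc.git"}},
        {"name": "pr", "type": "pull-request", "source": {"repo": "me/mysrc"}},
    ],
    "jobs": [
        {"name": "pr-tests", "plan": [
            {"get": "candidate", "resource": "pr", "trigger": True},
            {"task": "tests", "file": "candidate/ci/build.yml"},
        ]},
        {"name": "trusted-tests", "plan": [
            {"get": "mysrc"},
            {"in_parallel": [
                {"task": "unit", "file": "mysrc/ci/unit.yml"},
                {"task": "lint", "config": {"platform": "linux", "run": {"path": "true"}}},
            ]},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in check_untrusted_task(BUILD_YML) + check_pipeline(PIPELINE):
        print(finding)
```

Run `check_pipeline` over the parsed pipeline in CI before `fly set-pipeline`, and run `check_untrusted_task` inside the job, on the fetched artifact, before handing the file to a task step; the allowlist is where a "developer-safe" variable set, as suggested above, would plug in. The pipeline check only trusts what the resource type tells it, so a PR resource registered under a different type name must be passed via `untrusted_types`.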

vito added a commit that referenced this issue Aug 15, 2018
Submodule src/github.com/beevik/etree 90dafc1e..4cd0dd97 (rewind):
  < add attribute sort support.
  < Release v1.0.1
  < Update path documentation.
  < Minor code reordering.
  < add support for absolute path queries.
  < Update travis config.
  < fix bug in GetRelativePath.
  < Modify GetPath and GetRelativePath.
  < Added a GetPath() and GetRelativePath() to get the paths of an element.
  < Update travis config
  < Added filterText type
  < Added [text()] syntax to retrieve all elements with non empty text
  < path: add text filters
  < Fix broken Markdown headings
  < Add Permissive read setting.
  < Fix unit test.
Submodule src/github.com/concourse/tsa 49a729b..e1df238:
  > fix race/panic in tsa suite
Submodule src/github.com/gorilla/handlers 7e0847f9..3a5767ca (rewind):
  < added ability to register custom log formatter (#131)
  < Fix typo in cors.go (#127)
  < [bugfix] Handle CORS pre-flight request in middleware (#112)
  < Revert "Add Vary header when allowedOrigins is * (#114)" (#122)
  < Add Vary header when allowedOrigins is * (#114)
  < distinguish between explicit and implicit star (#118)
  < [bugfix] Don't return the origin header when configured to * (#116)
  < Travis go18 (#106)
  < use http.StatusOK as initial value for responseLogger.status (#103)
  < README.md: Add sourcegraph badge
  < Merge pull request #97 from nwidger/master
Submodule src/github.com/gorilla/mux e48e440e..9fa818a4 (rewind):
  < Add test for multiple calls to Name(). Fixes #394
  < Clarify behaviour of Name method if called multiple times.
  < Update LICENSE & AUTHORS files. (#386)
  < Initialize user map (#371)
  < [deps] Add go.mod for versioned Go (#376)
  < [docs] Improve docstrings for middleware, skipclean (#375)
  < [docs] Doc fix for testing variables in path (#374)
  < Add CORSMethodMiddleware (#366)
  < Fix linter issues (docs) (#370)
  < [build] Update Go versions; add 1.10.x (#364)
  < Fix table-driven example documentation (#363)
  < Make Use() variadic (#355)
  < Modify http status code to variable in README (#350)
  < Modify 403 status code to const variable (#349)
  < Create authentication middleware example. (#340)
  < [docs] Clarify SetURLVars (#335)
  < [docs] Document route.Get* methods consistently (#338)
  < [docs] README.md: Improve "walking routes" example. (#337) (#323)
  < README.md: add missing "time" (#336)
  < [docs] Fix doc.go (#333)
  < [docs] Add testing example (#331)
  < [docs] Fix Middleware docs typos (#332)
  < Update doc.go: r.AddMiddleware(...) -> r.Use(...)
  < Make shutdown docs compilable (#330)
  < [feat] Add middleware support as discussed in #293 (#294)
  < [docs] Add graceful shutdown example (#329)
  < refactor routeRegexp, particularly newRouteRegexp. (#328)
  < Public test API to set URL params (#322)
  < [docs] Add example usage for Route.HeadersRegexp (#320)
  < [docs] Note StrictSlash re-direct behaviour #308 (#321)
  < Create ISSUE_TEMPLATE.md (#318)
  < [bugfix] Fix method subrouter handler matching (#300) (#317)
  < [docs] fix outdated UseEncodedPath method docs (#314)
  < MatchErr is set to ErrNotFound if NotFoundHandler is used (#311)
  < [docs] Document router.Match (#313)
  < [build] Allow tip failures (#312)
  < .travis.yml: Remove versions < go1.5 from build matrix
  < use req.URL.EscapedPath() instead of getPath(req) (#306)
  < GetQueryTemplates and GetQueryRegexp extraction (#304)
  < Added 1.9 build step (#303)
  < Fix WriteHeader in TestA301ResponseWriter. (#301)
  < [docs] Document evaluation order for routes (#297)
  < [docs] README.md: add missing `.` (#292)
  < [docs] Fix missing space in docstring (#289)
  < Fix #271: Return 405 instead of 404 when request method doesn't match the route
  < Prefer scheme on child route when building URLs.
  < Use scheme from parent router when building URLs.
  < Fix typo
  < Add test and fix for escaped query values.
  < Update docs.
  < Add tests for support for queries in URL reversing.
  < Add support for queries in URL reversing.
  < Update Walking Routes Section
  < Fix invalid example code
  < Removing half of conflict marker (#268)
  < Update README with example for Router.Walk
  < Update ancestors parameter for WalkFunc for matcher subrouters
  < Update Walk to match all subrouters
  < Support building URLs with non-http schemes. (#260)
  < Updated README
  < Added method Route.GetMethods
  < Added method Route.GetPathRegexp
  < fixed typo (#250)
  < Fixing Regexp in the benchmark test (#234)
  < updating logic in route matcher, cleaner and saner (#235)
  < Merge pull request #232 from DavidJFelix/patch-1
  < Add Go 1.8 to .travis.yml
  < [bugfix] fail fast if regex is incorrectly specified using capturing groups. (#218)
  < [docs] Add route listing example to README
  < Merge pull request #199 from wirehead/minor-doc-tweek
  < Merge pull request #215 from ShaneSaww/fix_for_subroutes_with_pathPrefix
  < Merge pull request #196 from olt/doc-non-capture-groups
  < Add useEncodedPath option to router and routes (#190)
  < Simplify extractVars, fixes edge cases. (#185)
  < make the getPath method safer, fixing panics within App Engine (#189)
  < Add mechanism to route based on the escaped path (#184)
  < .travis.yml: add go1.7
  < [docs] Add logo to README. (#180)
  < [docs] Add static file example to README; doc.go. (#179)
  < Clean up some naming in mux_test.go
  < [bugfix] Fix error handling in Router.Walk (#177)
  < [docs] README typo (#175)
Submodule src/github.com/jonboulle/clockwork e7c6d408..bcac9884 (rewind):
  < README: Fix "Faking time" Golang playground anchor (#16)
  < travis: bump go version (#15)
  < Add support for fake tickers (#8)
Submodule src/github.com/russellhaering/goxmldsig 7acd5e4a..eaac44c6 (rewind):
  < Treat the xml namespace as already declared during exclusive c14n
  < Avoid mutating the original tree when performing transforms
  < Correctly build a surrounding NSContext to locate SignedInfo
  < In NSFindIterateCtx pass the surrounding context of found elements instead of their own context
  < Improve the efficiency of traversing Signature searching for SignedInfo
  < Improve namespace handling when locating CanonicalizationMethod
  < Improve namespace handling in locating SignedInfo
  < Add etreeutils support for iterating and searching of direct children
  < Actually expand travis test matrix
  < Expand go runtime test matrix
  < Merge pull request #33 from apilloud/chain
  < Merge pull request #31 from skyportsystems/master
  < Merge pull request #35 from danikarik/master
  < Merge pull request #34 from otto-md/master
  < Merge pull request #30 from skyportsystems/master
  < Merge pull request #27 from gravitational/rjones/signature
  < Merge pull request #26 from aidansteele/patch-1
Submodule src/google.golang.org/genproto 383e8b2c..411e09b9 (rewind):
  < Add response field to HttpRule (#87)
  < re-enable 1.6
  < update from googleapis (#88)
  < update from googleapis (#85)
  < update from googleapis (#84)
  < update from googleapis (#83)
  < Revert "update from googleapis (#80)" (#81)
  < update from googleapis (#80)
  < update from googleapis (#79)
  < regen: use api-common-protos (#78)
  < update from googleapis (#76)
  < regenerate (#75)
  < update protos using new go protoc plugin (#73)
  < regen speech pb.gos (#72)
  < update from googleapis (#71)
  < update from googleapis (#69)
  < Update bigtable from googleapis (#70)
  < add cloud tasks protos (#67)
  < update from googleapis (#65)
  < update from googleapis (#63)
  < update from googleapis (#62)
  < update from googleapis (#61)
  < update cloudbuild (#60)
  < update from googleapis (#59)
  < update from googleapis (#58)
  < update generated files from googleapis for googleapis/spanner/* (#57)
  < update from googleapis (#56)
  < update from googleapis (#55)
  < update from googleapis (#54)
  < update generated file for googleapis/spanner/* (#53)
  < update from googleapis (#52)
  < add codeowners (#50)
  < update from googleapis (#49)
  < update from googleapis (#48)
  < update from googleapis (#47)
  < update from googleapis (#45)
  < update generated files (#43)
  < update googleapis (#42)
  < regenerate protos (#41)
  < firestore: add generated client (#40)
  < regenerate from updated googleapis (#39)
  < update from googleapis (#38)
  < update from googleapis and protobuf (#37)
  < regenerated from updated googleapis (#36)
  < regenerate speech client (#35)
  < all: regenerate from googleapis (#32)
  < regenerate with proper protobuf path (#31)
  < all: regenerate from latest googleapis (#29)
  < make travis go get cloud.google.com/go/... (#28)
  < release videointelligence (#26)
  < all: regenerate from googleapis (#25)
Submodule src/google.golang.org/grpc 07ef407d9..0e8b58d22 (rewind):
  < channelz: unexport unnecessary API on grpc entities (#2257)
  < channelz: use atomic instead of mutex (#2218)
  < internal: remove TestingUseHandlerImpl (#2253)
  < update proto generated code (#2254)
  < Revert "internal: remove transportMonitor, replace with callbacks" (#2252)
  < internal: remove transportMonitor, replace with callbacks (#2219)
  < Change version to 1.15.0-dev (#2247)
  < interop: implement special_status_message interop test (#2241)
  < internal/grpcsync: introduce package for synchronization (#2244)
  < remove 1.6 support for channelz (#2242)
  < transport: eliminate StreamError; use status errors instead (#2239)
  < transport: replace ClientTransport with *http2Client for internal usage (#2238)
  < disable go1.6 travis tests (#2237)
  < go generate: update proto files (#2236)
  < ClientConn: add Target() returning target string (#2233)
  < client: define dialOptions as interfaces instead of functions (#2230)
  < interop: loosen restrictions on creds per test in interop client (#2231)
  < Convert io.ErrUnexpectedEOF to a codes.Internal-marked status in toRPCerr. (#2228)
  < internal/transport: remove unnecessary ServerTransport method (#2224)
  < internal/transport_test.go: prevent leaking context (#2227)
  < internal/syscall: add package description (#2226)
  < transport.go: minor typo fix (#2225)
  < resolver: document that SetDefaultScheme should be called at init time (#2217)
  < addrconn: remove unused wait() method (#2220)
  < dns resolver: exponential retry when getting empty address list (#2201)
  < internal/transport: remove some unused fields from structs (#2213)
  < internal: move DialOptions to a new file (#2193)
  < Benchmark: fix build tags (#2099)
  < transport: move to internal to make room for new, public transport API (#2212)
  < balancer: add rpc method to PickOptions (#2204)
  < transport: double-check deadline when processing server cancelation (#2211)
  < createTransport: timeout under waitForHandshake case should not have transport transferred to ready stage (#2208)
  < deprecate stream, move documentation to client|server stream (#2198)
  < Set and respect HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE (#2084)
  < travis: skip race testing on 386 as it is not supported (#2207)
  < internal: changes to travis to make it do less work (#2200)
  < stream: in withRetry, block until Status is valid and check on io.EOF (#2199)
  < grpclb: s/fmt.Errorf/errors.New/ (#2196)
  < Fix flaky test: TestClientStreamingError (#2192)
  < Add documentation for loopy. (#2169)
  < Fix test: wait on server to signal successful accept. (#2183)
  < Allow interop client to use call creds on any secure channel (#2185)
  < client: Implement gRFC A6: configurable client-side retry support (#2111)
  < documentation: clarify SendMsg documentation (#2171)
  < credentials: cleanup version-specific files (#2178)
  < Restrict channelz service test to x86 architecture (#2179)
  < client, server: update dial/server buffer options to support a "disable" setting (#2147)
  < credentials: add more appengine build tags (#2177)
  < Revert stickiness (#2175)
  < minor fix: remove redundant channelz files (#2176)
  < channelz: stage 4 - add security and socket option info with appengine build tags (#2149)
  < Update flow control test to have multiple concurrent streams. (#2170)
  < balancer/grpclb: update to latest lb proto (#2172)
  < resolver/dns: error if target ends with a colon instead of assuming the default port (#2150)
  < grpclb: remove old grpclb generated code (#2143)
  < testing: run test in simulated appengine environment (#2145)
  < interop: set dns as default scheme in interop client (#2165)
  < Change version to 1.14.0-dev (#2163)
  < Don't log grpclb server ending connection as error (#2162)
  < channelz: move APIs to internal except channelz service (#2157)
  < transport: notify controlbuf that transport is gracefully closing to ensure proper cleanup (#2158)
  < Register incoming stream with loopy as soon as it gets created. (#2144)
  < Import grpclb package in the interop client (#2155)
  < fix: do not percent encode character tilde (#2139)
  < grpclb: backoff for RPC call if init handshake was unsuccessful (#2077)
  < status: handle invalid utf-8 characters (#2109) (#2134)
  < Don't do extra work for keepalive when it's disabled. (#2148)
  < internal: move backoff to internal (#2141)
  < Fix flaky tests in transport. (#2120)
  < internal: Change Lock to RLock since no mutation is performed (#2142)
  < grpclb: remove redundant testing struct (#2126)
  < Normalize gRPC LB
  < Fix test: Account for the fact that Dial can return successfully before Accept. (#2123)
  < Add some debug info (#2136)
  < Documentation: create doc describing grpc-go's log levels and their usages (#2033)
  < internal: Update proto generated code (#2133)
  < resolver_conn_wrapper.go: fix minor typo (#2135)
  < internal: move leakcheck to internal/ (#2129)
  < Revert "status: handle invalid utf-8 characters" (#2127)
  < status: handle invalid utf-8 characters (#2109)
  < Revert " channelz: stage 4 - add security and socket option info" (#2124)
  < grpclb: minor fixes on comments and tests (#2122)
  < channelz: stage 4 - add security and socket option info (#2098)
  < Split grpclb out of top level grpc package (#2107)
  < Reduce error logs in transport. (#2117)
  < DNS resolver: Throw an error for non-default DNS authority. (#2067)
  < grpclb: sync messages.proto and update client load reporting (#2101)
  < alts: copy handshake address in Clone() (#2119)
  < codes: fix: marshal/unmarshal a Code to JSON fails (#2116)
  < Account for user configured small io write buffer. (#2092)
  < clarify CloseSend vs CloseAndRecv; better formatting (#2071)
  < internal/grpcrand: New package for concurrency-safe randoms (#2106)
  < Clarify newCCResolverWrapper documentation. (#2100)
  < Revert "channelz: stage 4 - add security and socket option info" (#2096)
  < channelz: stage 4 - add security and socket option info (#1965)
  < stickiness: limit the max count of stickiness keys (#2021)
  < Benchmarks that runs server and client and separate processes. (#1952)
  < Synchronize WriteStatus with WriteHeader on server. (#2074)
  < internal: update proto generated code (#2093)
  < health: generate health proto from grpc-proto (#2081)
  < internal: remove redundant channelz service go generate (#2085)
  < Revert "Strip port from server name in grpclb (#2066)" (#2083)
  < channelz: generate proto from grpc-proto repo (#2082)
  < internal: move version to a separate file (#2080)
  < internal: fix travis failure on alts proto (#2079)
  < test: make end2end test use split grpc / proto imports (#2069)
  < credentials/alts: make go:generate rebuild alts protos (#2056)
  < channelz: split channelz grpc and pb (#2068)
  < Strip port from server name in grpclb (#2066)
  < benchmark: listen on all addresses in benchmark servers (#2073)
  < regenerate *.pb.go files due to proto-gen-go update (#2070)
  < transport: respect http2 setting SETTINGS_HEADER_TABLE_SIZE (#2045)
  < Add AuthInfoFromContext utility API (#2062)
  < Fix possible data loss; Only let reader goroutine handle connection errors. (#1993)
  < split encode into three functions (#2058)
  < small documentation addition to NewStream (#2060)
  < Documentation: Add initial documentation on concurrency (#2034)
  < status: Introduce FromContextError convenience function (#2057)
  < Change version to 1.13.0-dev (#2054)
  < client: introduce WithDisableServiceConfig DialOption (#2010)
  < fix flaky test caused by race in channelz test (#2051)
  < Fix typo (#2050)
  < Ignore metadata that gRPC explicitly sets. (#2026)
  < internal: better test names (#2043)
  < Revert "Less mem (#1987)" (#2049)
  < client: fix interceptors after recent cleanup (#2046)
  < internal: vet.sh quits when it sees macosx (#2048)
  < channelz: update proto to canonical version and rename directory (#2044)
  < interop: Fix unimplemented method test (#2040)
  < health: set health proto canonical path (#2038)
  < Fix "deprecated" function godoc comments to match standard formatting (#2027)
  < proto: update generated code (#2039)
  < Rename proto import. (#2036)
  < Fix typos. (#2035)
  < credentials/alts: Refer to ALTS gRPC types by a different package (#2028)
  < http2Client: send reset stream when closing the stream on protocol error (#2030)
  < Stage 3: Channelz server implementation (#1919)
  < Less mem (#1987)
  < server: export ServerTransportStreamFromContext for unary interceptors to control headers/trailers (#2019)
  < dns resolver: create rand seed at init time (#2007)
  < vet: disallow importing "unsafe" (#2024)
  < stickiness: avoid using unsafe (#2023)
  < Fix typos (#2020)
  < travis: skip vet install for 386 (#2018)
  < stickiness: add stickiness support (#1969)
  < Stage 2: Channelz metric collection (#1909)
  < credentials/alts: Add ServiceOption for server-side ALTS creation (#2009)
  < documentation: add instructions for running tests locally (#2006)
  < go vet: fix composite literal uses unkeyed fields (#2005)
  < documentation: add OAuth2 doc and example (#2003)
  < reflection: regenerate pb.go file after typo fix (#2002)
  < Remove unnecessary type conversions (unconvert) (#1995)
  < Fix typos (#1994)
  < Merge pull request #1996 from knweiss/gosimple
  < documentation: mention DialContext is non-blocking by default (#1970)
  < documentation: mention Register functions should be called at init time (#1975)
  < cleanup: extend dial context for TestFailFastRPCErrorOnBadCertificates to 10 seconds (#1984)
  < Fix Test: race between t.Write() and t.closeStream() (#1989)
  < Small test readability fixes (#1985)
  < documentation: mention peer will only be populated after RPC completes (#1982)
  < Channelz: more stable testing (#1983)
  < grpclb: fix issues caused by caching SubConns (#1977)
  < createTransport: check for SHUTDOWN before assigning TransientFailure to ac.state (#1979)
  < resolver/dns: Typo in lookupHost failure warning (#1981)
  < Channelz: Entity Registration and Deletion (#1811)
  < clientconn: add support for unix network in DialContext. (#1883)
  < documentation: Mark compressor and decompressor as deprecated (#1971)
  < grpclb: cache SubConns for 10 seconds after it is removed from the backendlist (#1957)
  < internal: clean up deprecated Invoke() usage (#1966)
  < Mark old balancer and naming APIs as deprecated (#1951)
  < Export changes to OSS. (#1962)
  < metadata: Add Get, Set, and Append methods to metadata.MD (#1940)
  < server: add grpc.Method function for extracting method from context (#1961)
  < resolver/manual: fix minor typo (#1960)
  < status: remove redundant import (#1947)
  < client: Fix race when using both client-side default CallOptions and per-call CallOptions (#1948)
  < Change version to 1.12.0-dev (#1946)
  < resolver: keep full unparsed target string if scheme in parsed target is not registered (#1943)
  < status: rename Status to GRPCStatus to avoid name conflicts (#1944)
  < status: Allow external packages to produce status-compatible errors (#1927)
  < Merge pull request #1941 from jtattermusch/routeguide_reimplement_distance
  < service reflection can lookup enum, enum val, oneof, and field symbols (#1910)
  < Documentation: Fix broken link in rpc-errors.md (#1935)
  < Correct Go 1.6 support policy (#1934)
  < Add documentation and example of adding details to errors (#1915)
  < Allow storing alternate transport.ServerStream implementations in context (#1904)
  < Fix Test: Update the deadline since small deadlines are prone to flakes on Travis. (#1932)
  < gzip: Add ability to set compression level (#1891)
  < credentials/alts: Remove the enable_untrusted_alts flag (#1931)
  < metadata: Fix bug where AppendToOutgoingContext could modify another context's metadata (#1930)
  < fix minor typos and remove grpc.Codec related code in TestInterceptorCanAccessCallOptions (#1929)
  < credentials/alts: Update ALTS "New" APIs (#1921)
  < client: export types implementing CallOptions for access by interceptors (#1902)
  < travis: add Go 1.10 and run vet there instead of 1.9 (#1913)
  < stream: split per-attempt data from clientStream (#1900)
  < stats: add BeginTime to stats.End (#1907)
  < Reset ping strike counter right before sending out data. (#1905)
  < resolver: always fall back to default resolver when target does not follow URI scheme (#1889)
  < server: Convert all non-status errors to codes.Unknown (#1881)
  < credentials/alts: change ALTS protos to match the golden version (#1908)
  < credentials/alts: fix infinite recursion bug [in custom error type] (#1906)
  < Fix test race: Atomically access minConnecTimout in testing environment. (#1897)
  < interop: Add use_alts flag to client and server binaries (#1896)
  < ALTS: Simplify "New" APIs (#1895)
  < Fix flaky test: TestCloseConnectionWhenServerPrefaceNotReceived (#1870)
  < examples: Replace context.Background with context.WithTimeout (#1877)
  < alts: Change ALTS proto package name (#1886)
  < Add ALTS code (#1865)
  < Expunge error codes that shouldn't be returned from library (#1875)
  < Small spelling fixes (unknow -> unknown) (#1868)
  < clientconn: fix a typo in GetMethodConfig documentation (#1867)
  < Change version to 1.11.0-dev (#1863)
  < benchmarks: add flag to benchmain to use bufconn instead of network (#1837)
  < addrConn: Report underlying connection error in RPC error (#1855)
  < Fix data race in TestServerGoAwayPendingRPC (#1862)
  < addrConn: keep retrying even on non-temporary errors (#1856)
  < transport: fix race causing flow control discrepancy when sending messages over server limit (#1859)
  < interop test: Expect io.EOF from stream.Send() (#1858)
  < metadata: provide AppendToOutgoingContext interface (#1794)
  < Add status.Convert convenience function (#1848)
  < streams: Stop cleaning up after orphaned streams (#1854)
  < transport: support stats.Handler in serverHandlerTransport (#1840)
  < Fix connection drain error message (#1844)
  < Implement unary functionality using streams (#1835)
  < Revert "Add WithResolverUserOptions for custom resolver build options" (#1839)
  < Stream: do not cancel ctx created with service config timeout (#1838)
  < Fix lint error and typo (#1843)
  < stats: Fix bug causing trailers-only responses to be reported as headers (#1817)
  < transport: remove unnecessary rstReceived (#1834)
  < transport: remove redundant check of stream state in Write (#1833)
  < client: send RST_STREAM on client-side errors to prevent server from blocking (#1823)
  < Use keyed fields for struct initializers (#1829)
  < encoding: Introduce new method for registering and choosing codecs (#1813)
  < compare atomic and mutex performance in case of contention. (#1788)
  < transport: Fix a data race when headers are received while the stream is being closed (#1814)
  < Write should fail when the stream was done but context wasn't cancelled. (#1792)
  < Explain target format in DialContext's documentation (#1785)
  < gzip: add Name const to avoid typos in usage (#1804)
  < remove .please-update (#1800)
  < Documentation: update broken wire.html link in metadata package. (#1791)
  < Document that all errors from RPCs are status errors (#1782)
  < update const order (#1770)
  < Don't set reconnect parameters when the server has already responded. (#1779)
  < credentials: return Unavailable instead of Internal for per-RPC creds errors (#1776)
  < Avoid copying headers/trailers in unary RPCs unless requested by CallOptions (#1775)
  < Update version to 1.10.0-dev (#1777)
  < compare atomic and mutex performance for incrementing/storing one variable (#1757)
  < Fix flaky test. (#1771)
  < grpclb: Remove duplicate init() (#1764)
  < server: fix bug preventing Serve from exiting when Listener is closed (#1765)
  < Fix TestGracefulStop flakiness (#1767)
  < server: fix race between GracefulStop and new incoming connections (#1745)
  < Notify parent ClientConn to re-resolve in grpclb (#1699)
  < Add dial option to set balancer (#1697)
  < Fix test: Data race while resetting global var. (#1748)
  < status: add Code convenience function (#1754)
  < vet: run golint on _string files (#1749)
  < examples: fix concurrent map accesses in route_guide server (#1752)
  < grpc: fix deprecation comments to conform to standard (#1691)
  < Adjust keepalive parameters in the test such that scheduling delays don't cause false failures too often. (#1730)
  < fix typo (#1746)
  < fix stats flaky test (#1740)
  < relocate check for shutdown in ac.tearDown() (#1723)
  < fix flaky TestPickfirstOneAddressRemoval (#1731)
  < bufconn: allow readers to receive data after writers close (#1739)
  < After sending second goaway close conn if idle. (#1736)
  < Make sure all goroutines have ended before restoring global vars. (#1732)
  < client: fix race between server response and stream context cancellation (#1729)
  < In graceful stop close server transport only after flushing status of the last stream. (#1734)
  < Deflake tests that rely on Stop() then Dial() not reconnecting (#1728)
  < Switch balancer to grpclb when at least one address is grpclb address (#1692)
  < Merge pull request #1724 from grpc/jtattermusch-patch-1
  < codes: Add UnmarshalJSON support to Code type (#1720)
  < naming: Fix build constraints for go1.6 and go1.7 (#1718)
  < remove stringer and go generate (#1715)
  < Add WithResolverUserOptions for custom resolver build options (#1711)
  < Fix grpc basics link in route_guide example (#1713)
  < Optimize codes.String() method using a switch instead of a slice of indexes (#1712)
  < Disable ccBalancerWrapper when it is closed (#1698)
  < Refactor roundrobin to support custom picker (#1707)
  < Change parseTimeout to not handle non-second durations (#1706)
  < make load balancing policy name string case-insensitive (#1708)
  < protoCodec: avoid buffer allocations if proto.Marshaler/Unmarshaler (#1689)
  < Add comments to ClientConn/SubConn interfaces to indicate new methods may be added (#1680)
  < client: backoff before reconnecting if an HTTP2 server preface was not received (#1648)
  < use the request context with net/http handler (#1696)
  < transport: fix race sending RPC status that could lead to a panic (#1687)
  < Fix misleading default resolver scheme comments (#1703)
  < Eliminate data race in ccBalancerWrapper (#1688)
  < Re-resolve target when one connection becomes TransientFailure (#1679)
  < New grpclb implementation (#1558)
  < Fix panics on balancer and resolver updates (#1684)
  < Change version to 1.9.0-dev (#1682)
  < set context timeout when Timeout value >= 0 (#1678)
  < switch balancer based on service config info (#1670)
  < Add proper support for 'identity' encoding type (#1664)
  < update code_string.go for new stringer changes (#1674)
  < addrConn: set ac.state to TransientFailure upon non-temporary errors (#1657)
  < Eliminate race on ac.acbw (#1666)
  < Corrected documentation on Server.Serve (#1668)
  < Update picker doc when returned SubConn is not ready (#1659)
  < travis: fix GOARCH=386 and add misspell check (#1658)
  < Add context benchmarks (#1610)
  < Add protoc command to example/readme (#1653)
  < Implement transparent retries for gRFC A6 (#1597)
  < server: add EXPERIMENTAL tag to grpc.ConnectTimeout (#1652)
  < *: replace deprecated grpc.Errorf calls with status.Errorf (#1651)
  < server: apply deadline to new connections until all handshaking is completed (#1646)
  < codec_benchmark_test: fix racy unmarshal behavior and make some cleanups (#1642)
  < Speed-up quota pools. (#1636)
  < Check ac state shutdown before setting it to TransientFailure (#1643)
  < vet.sh: don't check git status when doing -install (#1641)
  < latency: Listen on localhost:0 instead of :0 in test (#1640)
  < reduce timeout for tests to 5m (7m for testrace) (#1635)
  < Introduce new Compressor/Decompressor API (#1428)
  < Fix settings ack race (#1630)
  < Update examples/README.md (#1629)
  < Get method string from stream (#1588)
  < fix max msg size type issues on different arch (#1623)
  < Deflake roundrobin TestOneServerDown, and fix test error messages (#1622)
  < Remove self-imposed limit on max concurrent streams if the server doesn't impose any. (#1624)
  < Acquire all stream related quota and cache it locally since no more than one write can happen in parallel on stream (#1614)
  < Make travis 32-bit actually work (#1621)
  < balancer: reduce chattiness (#1608)
  < Revert "cap max msg size to min(max_int, max_uint32) (#1598)" (#1619)
  < cap max msg size to min(max_int, max_uint32) (#1598)
  < Fix parseTarget for unix socket address without scheme (#1611)
  < Fix connectivity state transitions when dialing (#1596)
  < Update go_package declarations (#1593)
  < ClientHandshake should get the dialing endpoint as the authority (#1607)
  < Add functions to ClientConn so it satisfies an interface for generated code (#1599)
  < Re-add support for Go1.6 (#1603)
  < Make passthrough resolver the default instead of dns (#1606)
  < Fix goroutine leak in grpclb_test (#1595)
  < Add go report card (#1594)
  < Parse ServiceConfig JSON string (#1515)
  < Register and use default balancers and resolvers (#1551)
  < fix misspell (#1592)
  < Serve() should not return error on Stop() or GracefulStop() (#1485)
  < Remove single-entry var blocks (#1589)
  < update fail fast documentation to remove retry language (#1586)
  < Create versioning and release policy document (#1583)
  < Skip proxy_test in race mode (#1584)
  < transport: minor cleanups (comment and error text) (#1576)
  < Use proto3 in interop tests and end2end tests (#1574)
  < Change version to 1.8.0-dev (#1573)
  < Make resolver Build() take a target struct (#1567)
  < Revert "Temporary disable staticcheck" (#1568)
  < Update UnknownServiceHandler comment to be clearer about interceptor behavior (#1566)
  < transport: fix racey send to writes channel in WriteStatus (#1546)
  < fix stats test race (#1560)
  < Run tests without -v (#1562)
  < Remove Go1.6 support (#1492)
  < Temporary disable staticcheck (#1561)
  < fix TestServerCredsDispatch and stats test race (#1554)
  < Make interop client dial blocking (#1559)
  < benchmark: add type assertion benchmarks (#1556)
  < fix typo and lint (#1553)
  < transport: refactor of error/cancellation paths (#1533)
  < New implementation of roundrobin and pickfirst (#1506)
  < Update format string to match type (#1548)
  < add comment to dns package (#1545)
  < Make IO Buffer size configurable. (#1544)
  < Use the same hpack encoder on a transport and share it between RPCs. (#1536)
  < DNS with new API (#1513)
  < update markdown render (#1542)
  < Revert "Added localhost to net.Listen() calls to avoid macOS firewall dialog." (#1541)
  < Added localhost to net.Listen() calls to avoid macOS firewall dialog. (#1539)
  < transport: remove some defers (#1538)
  < Use Type() method for OAuth tokens instead of accessing TokenType field. (#1537)
  < benchmark: add primitives benchmark for Unlocking via defer vs. inline (#1534)
  < benchmain: format output of benchmark to a table (#1493)
  < Fix misspells (#1531)
  < vet.sh: set PATH to force downloaded binaries to be run (#1529)
  < Fix format error on travis (#1527)
  < Move primitives benchmarks to package primitives_test (#1522)
  < Speed up end to end tests by removing an unnecessary sleep (#1521)
  < Change quota version to uint32 instead of uint64 (#1517)
  < Fix deadline error on grpclb streams (#1511)
  < Dedicated goroutine for writing. (#1498)
  < benchmark: add primitives benchmarks for informational purposes (#1501)
  < Truncate payload trace string, and turn trace off by default (#1509)
  < Add leak goroutine checking to grpc/balancer tests (#1497)
  < Add RegisterIgnoreGoroutine to leakcheck package (#1507)
  < remove a debug print that causes deadlock (#1505)
  < vet.sh: fix protoc installation (#1502)
  < Add new Resolver and Balancer APIs (gRFC L9) (#1408)
  < Fix to avoid annoying firewall dialog on macOS (#1499)
  < Move leak check into a separate leakcheck package (#1445)
  < Change version to 1.7.0-dev (#1496)
  < Run Go1.9 and 386 on Travis (#1475)
  < Check "x/net/context" with `go vet` like "context" (#1490)
  < benchmain: add nop compressor and other usability tweaks (#1489)
  < Fix context warnings from govet. (#1486)
  < benchmain: minor bug fixes (#1488)
  < Update proto generation commands in example doc (#1481)
  < Remove expiration_interval from grpclb message (#1477)
  < balancer_test: possible ctx leak, cancel before break (#1479)
  < Merge pull request #1476 from dfawley/pkg
  < Fix for 32-bit architectures (#1471)
  < When sending a non heads-up goaway close the connection if there are no active streams. (#1474)
  < Remove unnecessary function handleStreamSuspension (#1468)
  < fix grpclb protos to not cause re-registration of types (#1466)
  < transport: fix handling of InTapHandle's returned context (#1461)
  < the cancel function should be called to avoid ctx leak (#1465)
  < add comment (#1464)
  < Remove buf copy when the compressor exist (#1427)
  < transport: Fix deadlock in client keepalive. (#1460)
  < benchmark: add benchmain/main.go to run benchmark with flag set (#1352)
  < stats: add methods to allow setting grpc-trace-bin and grpc-tags-bin headers (#1404)
  < deduplicate dns record in lookup (#1454)
  < Add -u to installation command (#1451)
  < addrConn: change address to slice of address (#1376)
  < go-generate pb.go files and check in Travis to make sure they don't change (#1426)
  < Fix host string passed to PerRPCCredentials (#1433)
  < metadata: Remove NewContext and FromContext for gRFC L7 (#1392)
  < Add status details support to server HTTP handler (#1438)
  < put *gzip.Writer back to pool (#1441)
  < Automatic WriteStatus for RecvMsg/SendMsg error on server side (#1409)
  < Update ServerInHandle comments (#1437)
  < Server should send 2 goaway messages to gracefully shutdown the connection. (#1403)
  < Add and use connectivity package for states (#1430)
  < Add 'experimental' note to ServeHTTP godoc (#1429)
  < Document Server.ServeHTTP (#1406)
  < Set peer before sending request (#1423)
  < Fix missing and wrong license (#1422)
  < Fix a goroutine leak in DialContext (#1424)
  < Use `NewOutgoingContext ` in the metadata doc (#1425)
  < Fix typo
  < Add flags for tls file path (#1419)
  < Change comment on stats.End.Error (#1418)
  < Call cancel on contexts in tests (#1412)
  < Don't use 64-bit integers with atomic. (#1411)
  < benchmark: don't stop timer until after workers are done (#1407)
  < Validate send quota again after acquiring writable channel (#1367)
  < Use log instead of grpclog in routeguide example (#1395)
  < Revert "Make all "grpc-" metadata field names reserved (#1391)" (#1400)
  < Enabling client process multiple GoAways (#1393)
  < Assign testdata path to correct variable (#1397)
  < Do not call testdata.Path when defining flags (#1394)
  < Make all "grpc-" metadata field names reserved (#1391)
  < remove defer function in recvBufferReader Read method (#1031)
  < Add testdata package and unify testdata to only one dir (#1297)
  < DNS resolver (#1300)
  < Expose ConnectivityState of a ClientConn. (#1385)
  < status: Add WithDetails and Details functions (#1358)
  < benchmark: remove multi-layer for loop (#1339)
  < transport: fix minor typo in http2_server.go (#1383)
  < Add doc in default implementation fatal functions on os.Exit() (#1365)
  < Fix bufconn.Close to not be blocking. (#1377)
  < Do not create new addrConn when connection error happens (#1369)
  < Change version to 1.6.x (#1382)
  < Revert "Use bufconn in end2end tests." (#1381)
  < Fix logging method (#1375)
  < Use bufconn in end2end tests.
  < Create bufconn package for a local, buffered net.Conn and dialer/listener
  < Fix a typo in examples/gotutorial.md (#1374)
  < Use log severity and verbosity level (#1340)
  < fix deadlock of roundrobin balancer (#1353)
  < Ignore goroutines spawned by log.init during leakcheck. (#1368)
  < Populate callInfo.peer object for streaming RPCs (#1356)
  < BDP estimation and window update. (#1310)
  < Canonicalize https://grpc.io as the preferred URL prefix
  < Update leckCheck to ignore non-gRPC goroutine introduced in Go1.9 (#1351)
  < Do not flush NewStream header on client side for unary RPCs and streaming RPCs with requests. (#1343)
  < adjust import order (#1311)
  < add license for some proto files (#1322)
  < latency: sleep in Write when BDP is exceeded to avoid buffer bloat (#1330)
  < Add documentation to deprecate WithTimeout dial option (#1333)
  < change objects in recvBuffer queue from interface to concrete type to reduce allocs (#1029)
  < Catch invalid use of Server.RegisterService after Register.Serve (#828)
  < benchmark: add latency/MTU/bandwidth into testcases (#1304)
  < Updated documentation of ClientStream. (#1320)
  < Add support for grpc.SupportPackageIsVersion3 back (#1331)
  < Deflake TestServerGoAway (#1321)
  < dont create new reader in recvMsg (#940)
  < Make Apache 2.0 LICENSE file a verbatim copy (#1329)
  < Protect bytesSent and bytesReceived with mutex to avoid datarace (#1318)
  < Add Severity and VerboseLevel to grpclog. (#922)
  < update LICENSE (#1312)
  < fix spell (#1314)
  < Add goroutine safety doc on stream (#1313)
  < replace 127.0.0.1 with localhost for ipv6 only environment (#1306)
  < transport: fix error handling on Stream deletion (#1275)
  < Behaviour Change: transport errors should be coded Unavailable instead of internal. (#1307)
  < Support ipv6 addresses in grpclb (#1303)
  < Return header in Stream.Header() if available (#1281)
  < add license for some files (#1296)
  < Make RPCs non-failfast in grpclb_test. (#1302)
  < Specify characters allowed in metadata keys (#1299)
  < use subtests for the benchmark_test and add it into the Makefile (#1278)
  < update the path of guide (#950)
  < Create latency package for realistically simulating network latency (#1286)
  < Deflake TestFlowContolLogicalRace (#1279)
  < Merge pull request #1290 from jtattermusch/apache_license
  < Change version to 1.5.0-dev (#1288)
  < transport: fix minor typo in 'GoAway' godoc (#1284)
  < Piggyback window updates for connection with those of a stream. (#1273)
  < Reopening: Server shouldn't Fatalf in case it fails to encode. (#1276)
  < Avoid int32 overflow when applying initial window size setting
  < Revert "Server shouldn't Fatalf in case it fails to encode. (#1251)" (#1274)
  < Server shouldn't Fatalf in case it fails to encode. (#1251)
  < Decouple transport flow control from application read. (#1265)
  < Update references to route_guide.proto to use new directory name (#1270)
  < add MaxConcurrentStreams to benchmark_test when start the server (#1271)
  < Merge pull request #1267 from jtattermusch/improve_contributing
  < re-enable handler_server in end2end test, and fix some failed tests (#1259)
  < Avoid panic caused by stdlib context package errors (#1258)
  < Initialize stream properly in handler_server. (#1260)
  < Expand stream's flow control in case of an active read. (#1248)
  < Suppress server log message when EOF without receiving data for preface (#1052)
  < Fixed comment spelling (#1254)
  < Merge pull request #1165 from lyuxuan/service_config_pr
  < clientconn, server: replace time.After with time.NewTimer (#998)
  < grpclb balancer.Close() should not panic if called more than once (#1250)
  < Add doc and example for mocking streaming RPCs (#1230)
  < Test for EmptyCallOption
  < Implement `EmptyCallOption`
  < Reuse Token for serviceAccount credentials (#1238)
  < Travis: add staticcheck (#1019)
  < Defined GA and add pointer to benchmarks (#1239)
  < call listen with "localhost:port" instead of ":port" in tests (#1237)
  < fix server panic trying to send on stream as client disconnects #1111 (#1115)
  < Eagerly set a pointer to nil to help GC (#1232)
  < add logs to grpclb on send and recv (#1235)
  < Add stats test for client streaming and server streaming RPCs (#1140)
  < Adding dial options for PerRPCCredentials (#1225)
  < Pass custom dialer to balancer (#1205)
  < Http status to grpc status conversion (#1195)
  < Calling handleRPC with context derived from the original (#1227)
  < Use pooled gzip.{Writer,Reader} in gzip{Compressor,Decompressor} (#1217)
  < tentative fix to a flow control over-give-back bug (#1170)
  < Ensure that RoundRobin.Close() does not panic. (#1139)
  < Log the actual error when inTapHandle fails in http2Server (#1185)
  < make ServerOption panic messages more clear. (#1194)
  < Make window size configurable. (#1210)
  < Reset proto before unmarshalling (#1222)
  < Merge pull request #1221 from adelez/doc_fixit
  < Fix go buildable source file problem (#1213)
  < don't add defer func if stats handler is nil (#1214)
  < Change version to 1.4.0-dev (#1212)
  < Fix nil pointer dereferences from status.FromProto(nil) (#1211)
  < Split grpclb client load report test to deflake test. (#1206)
  < Use unpadded base64 encoding for binary metadata headers; handle padded or unpadded input (#1209)
  < Never encode binary metadata within the metadata map (#1188)
  < Client load report for grpclb. (#1200)
  < Use proto.Equal for equalities on Go proto messages (#1204)
  < Update grpclb proto and move grpclb into package grpc (#1186)
  < Revert "temporary disable 1.6 on travis (#1198)" (#1199)
  < temporary disable 1.6 on travis (#1198)
  < Revert "To adhere with protocol the server should send RST_STREAM on observing timeout on a strea, (#1130)"
  < Make sure all in-flight streams close when ClientConn.Close() is called. (#1136)
  < To adhere with protocol the server should send RST_STREAM on observing timeout on a strea, (#1130)
  < Fix broken Markdown headings in examples/gotutorial.md (#1189)
  < Support proxy with dialer (#1098)
  < grpclb should connect to the second balancer (#1181)
@willmurphyscode


commented Apr 18, 2019

@vito One mitigation I was planning to try was having the pipeline use a regular git resource pointed at master for pipeline code, and a GitHub PR resource only for application and test code. For example, something like:

resource_types:
- name: pull-request
  type: docker-image
  source:
    repository: teliaoss/github-pr-resource

resources:
- name: pr
  type: pull-request
  check_every: 1m
- name: master
  type: git
  source:
    branch: master

Then all the task configs are read off files like file: master/ci/tasks/units.yml for example. Does that seem like an adequate mitigation? That way, if a PR does change a task config file, the pipeline would continue to use master's version of that file.

yeah, as long as your pipeline doesn't load tasks from untrusted repositories (PRed repos) you should be safe

This fix really separates trusted from untrusted code by branch, not by repository, so I wanted to double check, but they seem equivalent to me.
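The layout described in this comment can be checked mechanically: every `task` step should load its `file:` from the trusted `master` input, never from the `pr` input, because whatever the PR branch puts in `ci/tasks/*.yml` runs with the pipeline's credentials. The following lint is an added example and not part of Concourse or the github-pr-resource; the two pipelines it contains mirror the structure PyYAML would produce for the YAML above, with constructed placeholder values for the repository URI, the PR resource `source`, and the task file paths.

```python
"""Lint a Concourse pipeline so task configs are loaded only from trusted inputs.

Added example (not Concourse's own code): the pipelines below mirror the
structure PyYAML would produce for the mitigation in the comment above,
with a trusted `master` git resource for CI config and a `pull-request`
resource only for the code under test. Repository URIs and task file
paths are constructed placeholders.
"""

# Step keys that wrap other steps (hooks and grouping steps).
NESTED_STEP_KEYS = ("do", "aggregate", "in_parallel",
                    "on_success", "on_failure", "on_abort", "ensure", "try")


def _walk_steps(step):
    """Yield a step and every step nested inside it."""
    yield step
    for key in NESTED_STEP_KEYS:
        child = step.get(key)
        if child is None:
            continue
        # `in_parallel` may be a bare list or {"steps": [...], "limit": N}.
        if isinstance(child, dict) and "steps" in child:
            child = child["steps"]
        for sub in (child if isinstance(child, list) else [child]):
            yield from _walk_steps(sub)


def resource_names_of_type(pipeline, untrusted_types):
    """Names of resources whose type is in `untrusted_types` (e.g. {"pull-request"})."""
    return {r["name"] for r in pipeline.get("resources", [])
            if r.get("type") in untrusted_types}


def untrusted_task_configs(pipeline, untrusted_resources):
    """Return (job, task, file) for every task step whose `file:` is read
    from one of `untrusted_resources`. An empty list means every task config
    comes from a trusted input (or is inlined with `config:`)."""
    findings = []
    for job in pipeline.get("jobs", []):
        for top in job.get("plan", []):
            for step in _walk_steps(top):
                path = step.get("file")
                if "task" not in step or path is None:
                    continue
                # The first path segment names the input the file is read from.
                if path.split("/", 1)[0] in untrusted_resources:
                    findings.append((job["name"], step["task"], path))
    return findings


def _base_pipeline(units_file):
    """Constructed pipeline in the comment's layout; only the unit task file path varies."""
    return {
        "resource_types": [
            {"name": "pull-request", "type": "docker-image",
             "source": {"repository": "teliaoss/github-pr-resource"}},
        ],
        "resources": [
            {"name": "pr", "type": "pull-request", "check_every": "1m",
             "source": {"repository": "example-org/example-app",        # placeholder
                        "access_token": "((github-token))"}},
            {"name": "master", "type": "git",
             "source": {"uri": "https://example.invalid/example-app.git",  # placeholder
                        "branch": "master"}},
        ],
        "jobs": [{
            "name": "test-pr",
            "plan": [
                {"get": "pr", "trigger": True},
                {"get": "master"},                 # trusted copy of ci/
                {"in_parallel": [
                    {"task": "unit", "file": units_file},
                    {"task": "lint", "file": "master/ci/tasks/lint.yml"},
                ]},
            ],
        }],
    }


SAFE_PIPELINE = _base_pipeline("master/ci/tasks/units.yml")   # config from trusted branch
UNSAFE_PIPELINE = _base_pipeline("pr/ci/tasks/units.yml")     # config from the PR itself


def lint(pipeline):
    """Treat every resource of type `pull-request` as untrusted and lint the plan."""
    return untrusted_task_configs(
        pipeline, resource_names_of_type(pipeline, {"pull-request"}))


if __name__ == "__main__":
    print("safe:", lint(SAFE_PIPELINE))      # []
    print("unsafe:", lint(UNSAFE_PIPELINE))  # [('test-pr', 'unit', 'pr/ci/tasks/units.yml')]
```

The task config files themselves (`master/ci/tasks/units.yml` in the safe layout) still declare `pr` as an input, so the untrusted code is what gets built and tested, but the image, `params` and `run` command come from the branch only maintainers can change. Running this lint against the output of `fly get-pipeline` before `fly set-pipeline` catches the case where a task config is accidentally pointed back at the PR input.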

@vito

Member Author

commented May 14, 2019

@willmurphyscode 🐢 Yep, that seems sensible!

vito added a commit that referenced this issue May 24, 2019
...otherwise someone could PR a task config that reads from our
credential manager

see #366 (comment)

Signed-off-by: Clara Fu <cfu@pivotal.io>
Co-authored-by: Alex Suraci <suraci.alex@gmail.com>
@stale


commented Jul 16, 2019

Beep boop! This issue has been idle for long enough that it's time to check in and see if it's still important.

If it is, what is blocking it? Would anyone be interested in submitting a PR or continuing the discussion to help move things forward?

If no activity is observed within the next week, this issue will be closed, in accordance with our stale issue process.

@stale stale bot added the wontfix label Jul 16, 2019
@stale stale bot closed this Jul 23, 2019