forgejo/services/packages
Earl Warren 00749b3a8f fix: referenced sha256:* container images may be deleted
The inventory of the sha256:* images and the manifest index that
reference them is incomplete because it does not take into account any
image older than the expiration limit. As a result some sha256:* will
be considered orphaned although they are referenced from a manifest
index that was created more recently than the expiration limit.

There must not be any filtering based on the creation time when
building the inventory. The expiration limit must only be taken into
account when deleting orphaned images: those that are more recent than
the expiration limit must not be deleted.

This limit is specially important because it protects against a race
between a cleanup task and an ongoing mirroring task. A mirroring
task (such as skopeo sync) will first upload sha256:* images and then
create the corresponding manifest index. If a cleanup races against
it, the sha256:* images that are not yet referenced will be deleted
without skopeo noticing and the published index manifest that happens
at a later time will contain references to non-existent images.

(cherry picked from commit 0a5fd7fdb8)
2024-09-30 16:46:11 +00:00
..
alpine Remove hardcoded filenames for better readability 2024-07-17 23:20:48 +02:00
arch feat: add architecture-specific removal support for arch package (#5351) 2024-09-27 08:29:09 +00:00
cargo [BUG] Reflect Cargo index state in settings 2024-03-20 09:17:49 +01:00
cleanup fix: referenced sha256:* container images may be deleted 2024-09-30 16:46:11 +00:00
container fix: referenced sha256:* container images may be deleted 2024-09-30 16:46:11 +00:00
debian [CHORE] Use github.com/ProtonMail/go-crypto 2024-07-15 17:27:37 +02:00
rpm Do not escape relative path in RPM primary index (#32038) 2024-09-27 08:13:29 +00:00
auth.go [SEC] Ensure propagation of API scopes for Conan and Container authentication 2024-08-28 10:33:32 +02:00
packages.go Arch packages implementation (#4785) 2024-08-04 06:16:29 +00:00