1.2.9: PDK sync and typo fixes

• Synced with PDK and disabled Puppet 6 testing, since the package signing key is no longer valid.
• Switched to Ruby 3.1 for automated testing since PDK no longer supports 2.7.
• Fixed a few spelling mistakes.

1.2.8: Keep in sync with PDK

v1.2.8

1.2.8: Keep in sync with PDK

1.2.7: Security: Enforce file ownership

Security fix

Certain Go tarballs (see below) had files owned by non-root users:

❯ curl -SsL https://go.dev/dl/go1.20.14.darwin-amd64.tar.gz | tar -tzvf - | head -3
drwxr-xr-x  0 0      0           0 Feb  2 10:19 go/
-rw-r--r--  0 gopher wheel    1339 Feb  2 10:09 go/CONTRIBUTING.md
-rw-r--r--  0 gopher wheel    1479 Feb  2 10:09 go/LICENSE

In this case, the non-root user in question mapped to the first user created on the macOS system (UID 501).

When running as root, previous versions of dp-golang would preserve file ownership when extracting the tarball, even if owner was set to something else. This meant that files, such as the go binary, ended up being writable by a non-root user.

This version of dp-golang enables tar’s --no-same-owner and --no-same-permissions flags, which cause files to be extracted as the user running Puppet, or as the user/group specified in the Puppet code.

GitHub security advisory: GHSA-8h8m-h98f-vv84

Affected Go tarballs

• Go for macOS version 1.4.3 through 1.21rc3, inclusive.
• go1.4-bootstrap-20170518.tar.gz
• go1.4-bootstrap-20170531.tar.gz

Changes

As part of the security fix mentioned above, it became necessary to be more aggressive about ensuring that the owner and group of files in the installation are correct. dp-golang now deletes and recreates any Go installation it finds that has a file or directory with the wrong owner or group.

1.2.6: Keep in sync with PDK

• Synced with PDK.

1.2.5: Update dependencies and PDK

• Updated automatic PR checks to run acceptance tests with both Puppet 7 and Puppet 8 (Puppet 6 is still supported by this module, but unfortunately the acceptance test framework does not support it).
• Updated metadata to support puppet/archive 7.0.0.
• Synced with PDK.

1.2.4: Keep in sync with PDK

• Added a section about development status (stable; no features planned) to README.md.
• Synced with PDK.

1.2.3: Keep in sync with PDK

No functional changes. This release is solely to keep the released module from getting too far out of sync with git after multiple pdk updates.

1.2.2: Fix link in README.md

Bug fixes

• Fix in-page anchor link in README.md.

1.2.1: Fix links to REFERENCE.md

Improvements

• Added more links to REFERENCE.md from README.md to make it easier to find reference documentation.

Bug fixes

• Anchor links seem to be broken on the Forge, so we now update links to REFERENCE.md and other markdown files to point to GitHub when making a release.
• The Hiera example in README.md referenced the deprecated golang::version instead of golang::ensure.

1.2.0: Automatic upgrades, multiple installations, and running as non-root

Features

• Added option of ensure => latest to automatically keep Go installations at the latest stable version.
• Added golang::installation to allow multiple installs of standard Go packages from https://go.dev/dl on the same system. Installations can be owned by any user.
• Added golang::from_tarball to explicitly install from a binary tarball.
• Added golang::linked_binaries link binaries from a Go installation into a bin directory.

Improvements

• Use Stdlib::HTTPUrl data type for URL parameters.

Bug fixes

• Updated minimum Puppet version to match puppet/archive. Archive version 4.0.0 requires Puppet 5.5.8 or higher, so this module must as well.

Deprecations

• The $version parameter on golang is now deprecated. Pass the version to $ensure instead.
• The $source parameter on golang is now deprecated. Use golang::from_tarball instead.