wolfi-dev
diff --git a/‎.github/chainguard/lifecycle-eol-mover.sts.yaml
+2-3 b/‎.github/chainguard/lifecycle-eol-mover.sts.yaml
+2-3
diff --git a/‎abseil-cpp.yaml
+3-3 b/‎abseil-cpp.yaml
+3-3
diff --git a/‎amazon-cloudwatch-agent.yaml
+2-1 b/‎amazon-cloudwatch-agent.yaml
+2-1
diff --git a/‎apache-activemq-artemis.yaml
+2-2 b/‎apache-activemq-artemis.yaml
+2-2
diff --git a/‎apicurio-registry.yaml
+1-1 b/‎apicurio-registry.yaml
+1-1
diff --git a/‎apicurio-registry/pombump-deps.yaml
+15-15 b/‎apicurio-registry/pombump-deps.yaml
+15-15
diff --git a/‎apicurio-registry/pombump-properties.yaml
+3 b/‎apicurio-registry/pombump-properties.yaml
+3
diff --git a/‎apk-tools.yaml
+6-1 b/‎apk-tools.yaml
+6-1
diff --git a/‎apk-tools/292.patch
+106 b/‎apk-tools/292.patch
+106
diff --git a/‎argo-cd-2.14.yaml
+2-1 b/‎argo-cd-2.14.yaml
+2-1
diff --git a/‎argo-workflows.yaml
+2-1 b/‎argo-workflows.yaml
+2-1
diff --git a/‎aws-c-auth.yaml
+2-2 b/‎aws-c-auth.yaml
+2-2
diff --git a/‎aws-c-common.yaml
+2-2 b/‎aws-c-common.yaml
+2-2
diff --git a/‎aws-c-event-stream.yaml
+1-5 b/‎aws-c-event-stream.yaml
+1-5
diff --git a/‎aws-c-http.yaml
+1-5 b/‎aws-c-http.yaml
+1-5
diff --git a/‎aws-c-io.yaml
-2 b/‎aws-c-io.yaml
-2
diff --git a/‎aws-c-mqtt.yaml
+1-5 b/‎aws-c-mqtt.yaml
+1-5
diff --git a/‎aws-c-s3.yaml
+1-5 b/‎aws-c-s3.yaml
+1-5
@@ -5,6 +5,5 @@ issuer: https://accounts.google.com
 subject: "105314035764875766195"
 
 permissions:
-  contents: write
-  pull_requests: write
-  workflows: write
+  contents: write # to push to branches of the repo
+  pull_requests: write # to open and modify PRs
@@ -6,8 +6,8 @@
 # to this file from the OS team.
 package:
   name: abseil-cpp
-  version: "20250127.0" # On update, please check if -fdelete-null-pointer-checks is still required
-  epoch: 2
+  version: "20250127.1" # On update, please check if -fdelete-null-pointer-checks is still required
+  epoch: 0
   description: Abseil Common Libraries (C++)
   copyright:
     - license: Apache-2.0
@@ -32,7 +32,7 @@ pipeline:
     with:
       repository: https://github.com/abseil/abseil-cpp
       tag: ${{package.version}}
-      expected-commit: 9ac7062b1860d895fb5a8cbf58c3e9ef8f674b5f
+      expected-commit: d9e4955c65cd4367dd6bf46f4ccb8cd3d100540b
 
   - runs: |
       cmake -B build -G Ninja \
 
@@ -1,7 +1,7 @@
 package:
   name: amazon-cloudwatch-agent
   version: "1.300053.1"
-  epoch: 0
+  epoch: 1
   description: CloudWatch Agent enables you to collect and export host-level metrics and logs on instances running Linux or Windows server.
   copyright:
     - license: Apache-2.0
@@ -27,6 +27,7 @@ pipeline:
         golang.org/x/crypto@v0.35.0
         golang.org/x/oauth2@v0.27.0
         golang.org/x/net@v0.36.0
+        github.com/expr-lang/expr@v1.17.0
 
   - uses: go/build
     with:
 
@@ -1,7 +1,7 @@
 package:
   name: apache-activemq-artemis
   version: "2.40.0"
-  epoch: 0
+  epoch: 1
   description: ActiveMQ Artemis is the next generation message broker from Apache ActiveMQ.
   copyright:
     - license: Apache-2.0
@@ -41,7 +41,7 @@ pipeline:
     with:
       repository: https://github.com/apache/activemq-artemis
       tag: ${{package.version}}
-      expected-commit: 665d2763c3a3a063fccc62dc68a30576d24958c6
+      expected-commit: 2c3903ff71de7ecc6830d5f051dfc94d6df9b187
 
   - uses: maven/pombump
 
 
@@ -1,7 +1,7 @@
 package:
   name: apicurio-registry
   version: 3.0.6
-  epoch: 1
+  epoch: 2
   description: An API/Schema registry - stores APIs and Schemas
   copyright:
     - license: Apache-2.0
 
@@ -1,16 +1,16 @@
 patches:
-  - groupId: io.netty
-    artifactId: netty-handler
-    version: 4.1.118.Final
-  - groupId: io.netty
-    artifactId: netty-common
-    version: 4.1.118.Final
-  - groupId: org.apache.kafka
-    artifactId: kafka-clients
-    version: 3.7.1
-  - groupId: net.minidev
-    artifactId: json-smart
-    version: 2.5.2
-  - groupId: io.quarkus.http
-    artifactId: quarkus-http-core
-    version: 5.3.4
+    - groupId: io.netty
+      artifactId: netty-handler
+      version: 4.1.118.Final
+    - groupId: io.netty
+      artifactId: netty-common
+      version: 4.1.118.Final
+    - groupId: org.apache.kafka
+      artifactId: kafka-clients
+      version: 3.7.1
+    - groupId: net.minidev
+      artifactId: json-smart
+      version: 2.5.2
+    - groupId: io.quarkus.http
+      artifactId: quarkus-http-core
+      version: 5.3.4
@@ -0,0 +1,3 @@
+properties:
+  - property: quarkus.version
+    value: "3.15.4"
@@ -1,7 +1,7 @@
 package:
   name: apk-tools
   version: "2.14.10"
-  epoch: 0
+  epoch: 2
   description: "apk-tools (Wolfi package manager)"
   copyright:
     - license: GPL-2.0-only
@@ -31,6 +31,9 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 9d074efdc12bc41b5d24190595a5269a770e852a
 
+  - runs: |
+      git am 292.patch
+
   - runs: |
       sed -i -e 's:-Werror::' Make.rules
       echo "FULL_VERSION=${{package.version}}-r${{package.epoch}}" > config.mk
@@ -105,7 +108,9 @@ test:
         mkdir -p packages/aarch64/
         wget https://raw.githubusercontent.com/chainguard-dev/apko/71f1961fde53a10c5bd40b80dd4c00a9250dd9f7/pkg/apk/apk/testdata/rsa256-signed/APKINDEX.tar.gz -O packages/aarch64/APKINDEX.tar.gz
         apk --arch aarch64 --repository ./packages/ info --all alpine-baselayout
+        apk update
         apk --version
+        apk info apk-tools
     - uses: test/ldd-check
       with:
         packages: ${{package.name}}
 
@@ -0,0 +1,106 @@
+From https://gitlab.alpinelinux.org/alpine/apk-tools/-/merge_requests/292.patch
+From 716fe84f69137b59dd12b3b4fa90710e5f4ed911 Mon Sep 17 00:00:00 2001
+From: Justin Vreeland <vreeland.justin@gmail.com>
+Date: Tue, 18 Mar 2025 10:25:33 -0700
+Subject: [PATCH] db: Explicitly clean st on fstatat failure to workaround
+ rosetta2
+
+We've discovered an issue with in apk when using Rosetta2 with wolfi that was surfaced
+by f3f239a: apk, db: rework dbopts cache_max_age default handling.  With the new
+settings apk now hits an fstatat conditional where it didn't before.  As far as I can tell
+this failure is expected and shouldn't be a problem. It only is because the code
+continues to rely out the buffer that was passed in to contain clean
+values. On Rosetta2 with wolfi the st buffer is no longer clean out after the call to fstatat.
+
+This issue only occurs if cache_max_age is positive, and `/var/cache/apk`
+is empty.  This issue can be seen below:
+
+```
+a549fa77b74f:/apk-tools# apk --help | head -1
+apk-tools 2.14.10, compiled for x86_64.
+a549fa77b74f:/apk-tools# apk update
+fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+WARNING: opening from cache https://packages.wolfi.dev/os: No such file or directory
+2 unavailable, 0 stale; 83 distinct packages available
+
+a549fa77b74f:/apk-tools# apk update --cache-max-age 0
+fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+ [https://packages.wolfi.dev/os]
+OK: 144415 distinct packages available
+
+a549fa77b74f:/apk-tools# apk update
+ [https://packages.wolfi.dev/os]
+OK: 144415 distinct packages available
+
+a549fa77b74f:/apk-tools# apk update --cache-max-age 1
+ [https://packages.wolfi.dev/os]
+OK: 144415 distinct packages available
+
+a549fa77b74f:/apk-tools# rm /var/cache/apk/*
+
+a549fa77b74f:/apk-tools# apk update
+fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+WARNING: opening from cache https://packages.wolfi.dev/os: No such file or directory
+2 unavailable, 0 stale; 83 distinct packages available
+```
+
+Some debug output with Rosetta2
+
+```
+a549fa77b74f:/apk-tools# LD_PRELOAD=`pwd`/src/libapk.so ./src/apk update --cache-max-age 1
+st_mtime pre fstat: 0
+cache_max_age=60
+ferr: -1, tmperr: 2
+st_mtime post fstat: 140737472955232
+fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+WARNING: opening from cache https://packages.wolfi.dev/os: No such file or directory
+2 unavailable, 0 stale; 83 distinct packages available
+a549fa77b74f:/apk-tools# git diff > /test.patch
+a549fa77b74f:/apk-tools# ps aux | grep rosetta
+    1 root      0:02 {sh} /run/rosetta/rosetta /bin/sh /bin/sh -l
+15816 root      0:00 {grep} /run/rosetta/rosetta /usr/bin/grep grep rosetta
+```
+
+Some debug output without Rosetta2
+
+```
+/apk-tools # LD_PRELOAD=`pwd`/src/libapk.so ./src/apk update --cache-max-age 1
+st_mtime pre fstat: 0
+cache_max_age=60
+ferr: -1, tmperr: 2
+st_mtime post fstat: 0
+fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+ [https://packages.wolfi.dev/os]
+OK: 144391 distinct packages available
+/apk-tools # ps aux | grep rosetta
+ 2438 root      0:00 grep rosetta
+```
+
+I cannot reproduce this with Alpine. In fact the st buffer remains clean
+with Alpine. I believe the real issue is with rosetta2 & glibc not
+actually apk but it seems reasonable not to rely on the buffer from
+a failed system call as a solution for now.
+---
+ src/database.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/database.c b/src/database.c
+index dc5e4fd4..b7353221 100644
+--- a/src/database.c
++++ b/src/database.c
+@@ -654,7 +654,11 @@ int apk_cache_download(struct apk_database *db, struct apk_repository *repo,
+ 	if (r < 0) return r;
+ 
+ 	if (autoupdate && db->cache_max_age > 0 && !(apk_force & APK_FORCE_REFRESH)) {
+-		if (fstatat(db->cache_fd, cacheitem, &st, 0) == 0 &&
++		int ferr = fstatat(db->cache_fd, cacheitem, &st, 0);
++		if (ferr == -1) {
++			memset(&st, 0, sizeof(struct stat));
++		}
++		if (ferr == 0 &&
+ 		    now - st.st_mtime <= db->cache_max_age)
+ 			return -EALREADY;
+ 	}
+-- 
+GitLab
+
@@ -1,7 +1,7 @@
 package:
   name: argo-cd-2.14
   version: "2.14.5"
-  epoch: 3
+  epoch: 4
   description: Declarative continuous deployment for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -35,6 +35,7 @@ pipeline:
         golang.org/x/oauth2@v0.27.0
         golang.org/x/crypto@v0.35.0
         golang.org/x/net@v0.36.0
+        github.com/expr-lang/expr@v1.17.0
 
   - runs: |
       cd ui
 
@@ -1,7 +1,7 @@
 package:
   name: argo-workflows
   version: "3.6.5"
-  epoch: 1
+  epoch: 2
   description: Workflow engine for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -45,6 +45,7 @@ pipeline:
     with:
       deps: |-
         golang.org/x/net@v0.36.0
+        github.com/expr-lang/expr@v1.17.0
 
   - uses: go/build
     with:
 
@@ -1,6 +1,6 @@
 package:
   name: aws-c-auth
-  version: "0.8.6"
+  version: "0.8.7"
   epoch: 0
   description: "C99 library implementation of AWS client-side authentication: standard credentials providers and signing"
   copyright:
@@ -26,7 +26,7 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 01dd06acd2b8865a4a6bc232380ee69a042af47d
+      expected-commit: e0bd58d172cdc78d62eff5728437790d06fcce50
       repository: https://github.com/awslabs/aws-c-auth
       tag: v${{package.version}}
 
 
@@ -1,6 +1,6 @@
 package:
   name: aws-c-common
-  version: "0.12.0"
+  version: "0.12.1"
   epoch: 0
   description: Core c99 package for AWS SDK for C including cross-platform primitives, configuration, data structures, and error handling
   copyright:
@@ -18,7 +18,7 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 7fb0071ab88182bffcc18a4a09bdb4dd2a5751d8
+      expected-commit: d80b00560f0ebb441538b3ab40192a242afeaa80
       repository: https://github.com/awslabs/aws-c-common
       tag: v${{package.version}}
 
 
@@ -54,14 +54,10 @@ subpackages:
     test:
       pipeline:
         - uses: test/tw/ldd-check
-          with:
-            packages: aws-c-event-stream-dev
 
 test:
   pipeline:
-    - uses: test/ldd-check
-      with:
-        packages: ${{package.name}}
+    - uses: test/tw/ldd-check
 
 update:
   enabled: true
 
@@ -53,14 +53,10 @@ subpackages:
     test:
       pipeline:
         - uses: test/tw/ldd-check
-          with:
-            packages: aws-c-http-dev
 
 test:
   pipeline:
-    - uses: test/ldd-check
-      with:
-        packages: ${{package.name}}
+    - uses: test/tw/ldd-check
 
 update:
   enabled: true
 
@@ -80,8 +80,6 @@ test:
         echo "Verifying aws-c-io installation..."
         find /usr /usr/local -name 'libaws-c-io.so' || (echo "aws-c-io library not found!" && exit 1)
     - uses: test/tw/ldd-check
-      with:
-        packages: aws-c-io
     - name: "Compile and Run aws-c-io Test Program"
       runs: |
         echo "Testing aws-c-io functionality..."
 
@@ -55,8 +55,6 @@ subpackages:
     test:
       pipeline:
         - uses: test/tw/ldd-check
-          with:
-            packages: aws-c-mqtt-dev
 
 update:
   enabled: true
@@ -77,9 +75,7 @@ test:
         - gcc
         - aws-c-mqtt-dev
   pipeline:
-    - uses: test/ldd-check
-      with:
-        packages: ${{package.name}}
+    - uses: test/tw/ldd-check
     - name: "Compile simple MQTT test program"
       runs: |
         cat << 'EOF' > test.c
 
@@ -66,14 +66,10 @@ subpackages:
     test:
       pipeline:
         - uses: test/tw/ldd-check
-          with:
-            packages: aws-c-s3-dev
 
 test:
   pipeline:
-    - uses: test/ldd-check
-      with:
-        packages: ${{package.name}}
+    - uses: test/tw/ldd-check
 
 update:
   enabled: true
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+properties:`
	`2`	`+ - property: quarkus.version`
	`3`	`+ value: "3.15.4"`