*: update dependencies

We haven't done a dependency bump in quite a while, and there are a fair
few fixes and improvements we should get into umoci before the next
release.

  % go get -u
  go: github.com/apex/log upgrade => v1.4.0
  go: github.com/cpuguy83/go-md2man/v2 upgrade => v2.0.0
  go: github.com/golang/protobuf upgrade => v1.4.2
  go: github.com/klauspost/compress upgrade => v1.10.9
  go: github.com/klauspost/cpuid upgrade => v1.3.0
  go: github.com/klauspost/pgzip upgrade => v1.2.4
  go: github.com/konsorten/go-windows-terminal-sequences upgrade => v1.0.3
  go: github.com/opencontainers/go-digest upgrade => v1.0.0
  go: github.com/opencontainers/runtime-spec upgrade => v1.0.2
  go: github.com/pkg/errors upgrade => v0.9.1
  go: github.com/sirupsen/logrus upgrade => v1.6.0
  go: github.com/vbatts/go-mtree upgrade => v0.5.0
  go: golang.org/x/crypto upgrade => v0.0.0-20200604202706-70a84ac30bf9
  go: golang.org/x/net upgrade => v0.0.0-20200602114024-627f9648deb9
  go: golang.org/x/sys upgrade => v0.0.0-20200615200032-f1bc736245b1
  go: google.golang.org/protobuf upgrade => v1.24.0

However there are two issues with this update:

 * We cannot update github.com/urfave/cli to anything later than
   v1.22.1 because of a bug when it comes to StringSliceFlag parsing that we
   hit in CI[1] -- hence the new excludes block.

 * Updating github.com/klauspost/compress to anything later than v1.8.6 causes
   us to generate different gzip-compressed blobs due to an optimisation in
   their compression[2]. Since this is generally a good change to have, we have
   to update our CI so that it works with the newest version (even if it's
   sub-optimal to generate different bytes between versions).

[1]: urfave/cli#1152
[2]: klauspost/compress#105

Signed-off-by: Aleksa Sarai <asarai@suse.de>

go.mod

@@ -3,28 +3,32 @@ module github.com/opencontainers/umoci
 go 1.14
 
 require (
-	github.com/apex/log v1.1.1
+	github.com/apex/log v1.4.0
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/docker/go-units v0.4.0
-	github.com/golang/protobuf v1.3.2
-	github.com/klauspost/compress v1.8.3 // indirect
-	github.com/klauspost/cpuid v1.2.1 // indirect
-	github.com/klauspost/pgzip v1.2.1
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	github.com/kr/pretty v0.1.0 // indirect
-	github.com/mattn/go-isatty v0.0.9 // indirect
+	github.com/golang/protobuf v1.4.2
+	github.com/klauspost/compress v1.10.9 // indirect
+	github.com/klauspost/pgzip v1.2.4
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/opencontainers/go-digest v1.0.0-rc1
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.1
-	github.com/opencontainers/runtime-spec v1.0.1
-	github.com/pkg/errors v0.8.1
+	github.com/opencontainers/runtime-spec v1.0.2
+	github.com/pkg/errors v0.9.1
 	github.com/rootless-containers/proto v0.1.0
-	github.com/sirupsen/logrus v1.4.2 // indirect
-	github.com/stretchr/testify v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.6.0 // indirect
 	github.com/urfave/cli v1.22.1
-	github.com/vbatts/go-mtree v0.4.4
-	golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7 // indirect
-	golang.org/x/net v0.0.0-20190912160710-24e19bdeb0f2
-	golang.org/x/sys v0.0.0-20190913121621-c3b328c6e5a7
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	github.com/vbatts/go-mtree v0.5.0
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
+	golang.org/x/net v0.0.0-20200602114024-627f9648deb9
+	golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1
+	google.golang.org/protobuf v1.24.0 // indirect
+)
+
+exclude (
+	// These versions have regressions that break umoci's CI and UX. For more
+	// details, see <https://github.com/urfave/cli/issues/1152>.
+	github.com/urfave/cli v1.22.2
+	github.com/urfave/cli v1.22.3
+	github.com/urfave/cli v1.22.4
 )

test/create.bats

@@ -136,6 +136,13 @@ function teardown() {
 # behaviour and thus non-deterministic archives. Do you ever get the feeling
 # that sometimes you have to cut your losses and actually do something better
 # than to sit and suffer? Well, this is how it feels.
+#
+# Oh and it turns out that this issue can be triggered by more than just
+# archive/tar. It turns out that pgzip has changed their output in the past
+# <https://github.com/klauspost/compress/pull/105> which means that our
+# dependencies can also trigger this issue. And the best part is that you have
+# to decide whether you want better compression or consistent output between
+# versions.
 @test "umoci [archive/tar regressions]" {
 	# Setup up $IMAGE.
 	IMAGE="$(setup_tmpdir)/image"
@@ -195,13 +202,16 @@ function teardown() {
 	[ "$status" -eq 0 ]
 	image-verify "$IMAGE"
 
+	# To allow us to debug issues with the checksums, output them to the log.
+	find "$IMAGE" -type f -print0 | xargs -0 sha256sum
+
 	# Verify that the hashes of the blobs and index match (blobs are
 	# content-addressable so using hashes is a bit silly, but whatever).
 	known_hashes=(
-		"d6cbf1632c7d81ac353cf59e469d9dc76e246ff80c048c057e9dd8f380339cae  $IMAGE/blobs/sha256/d6cbf1632c7d81ac353cf59e469d9dc76e246ff80c048c057e9dd8f380339cae"
+		"4e15e3699a98dddc67cb2e9aa5a6135cdf8ffcbdc7963daf959395f73dd52849  $IMAGE/index.json"
+		"54d5cbf998d9b1185628128d83af76ca18425f037ef9f79e6900f7e26985c169  $IMAGE/blobs/sha256/54d5cbf998d9b1185628128d83af76ca18425f037ef9f79e6900f7e26985c169"
+		"e7013826daf8b5d68f82c5b790ca5e9de222a834f2cb3fe3532030161bd72083  $IMAGE/blobs/sha256/e7013826daf8b5d68f82c5b790ca5e9de222a834f2cb3fe3532030161bd72083"
 		"f4a39a97d97aa834da7ad2d92940f9636a57e3d9b3cc7c53242451b02a6cea89  $IMAGE/blobs/sha256/f4a39a97d97aa834da7ad2d92940f9636a57e3d9b3cc7c53242451b02a6cea89"
-		"9ebaf9a7943bde8602a4bc50d772528cc3ba7b386df28a42158f863a857f7ade  $IMAGE/blobs/sha256/9ebaf9a7943bde8602a4bc50d772528cc3ba7b386df28a42158f863a857f7ade"
-		"0e40f6c0d484307d9cb9bda59a86432b4fc802934b2fcf250214ab7169ab4e7f  $IMAGE/index.json"
 	)
 	sha256sum -c <(printf '%s\n' "${known_hashes[@]}")