v1.4.1

Highlights: bump the minimal Go version to 1.25.8 to fix the vulnerabilities affecting Go 1.24.6.

What's Changed

• fix: duplicate slice test + message by @lczyk in #268
• fix: nil dereference in archive priority processing by @lczyk in #269
• fix: allow only valid types of the essential field by @lczyk in #267
• chore: bump version to fix CVE by @upils in #274
• ci: pin all actions by @upils in #277
• ci: run trivy on last release binary by @upils in #275
• ci: split perf workflow by @upils in #272

Security Disclosure Acknowledgement

• @YardenCuriel: helped the Chisel team identify a potential path for the exploitation of a low-privileged ephemeral token ("PR writer") within the CI, driven by the opening of any PR and use of RCE

Full Changelog: v1.4.0...v1.4.1

v1.4.0

Highlights: a new optional field, "hint", is now supported as part of a slice's definition, allowing you to provide a concise and unopinionated description of the subset of contents coming from a slice. A new format, v3, has also been introduced, finalizing support for the new architecture-specific essentials.

What's Changed

• fix: handle default arch in Select by @upils in #256
• feat: hints on slices by @upils in #263
• fix: remove traversals calling ubuntuIndex.fetch by @upils in #257
• feat: format v3 by @letFunny in #249

New Contributors

• @upils made their first contribution in #256

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Highlights: this release introduces support for unmaintained and unstable Ubuntu releases via a new --ignore option. It also includes fixes for CVEs GO-2025-3956/CVE-2025-47906 and GO-2025-3922/CVE-2025-58058.

What's Changed

• fix: remove redundant check by @letFunny in #230
• feat: debug command to check release archives by @letFunny in #229
• feat: emit a warning when implicit parent conflict found by @letFunny in #232
• feat: check if implicit conflict is handled in slice definitions by @letFunny in #236
• fix: improve invalid slice name error by @gajeshbhat in #240
• Use modern Go constructs by @HadrienPatte in #215
• feat: support unmaintained and unstable Ubuntu releases by @letFunny in #238
• chore: bump versions to fix CVE by @zhijie-yang in #244
• ci: add scheduled tics code analysis workflows by @cjdcordeiro in #243
• feat: typos by @lczyk in #247
• feat: allow multiple ignores by @lczyk in #245
• feat: add v3-essential to support arch-specific essentials by @letFunny in #246
• bugfix: revert change to transitive dependencies (essential) by @letFunny in #248

New Contributors

• @gajeshbhat made their first contribution in #240
• @lczyk made their first contribution in #247

Full Changelog: v1.2.0...v1.3.0

v1.2.0

Highlights: this release introduces support for hard links and handling of path conflicts. It also exposes jsonwall and manifest as Apache-2.0 packages, for easier integration with 3rd party CVE scanners and SBOM generators. A new format, v2, is introduced in this release.

What's Changed

• fix: wrong help text for version command by @cjdcordeiro in #183
• chore(snap): rename system-files interface by @cjdcordeiro in #190
• feat: add support for hard links by @letFunny in #179
• chore(ci): bump artifact actions to v4 by @zhijie-yang in #193
• chore(snap): add security advisory and contact email by @zhijie-yang in #192
• chore: expose manifest reading and jsonwall as packages by @letFunny in #182
• chore(deps,build,ci): bump Golang to v1.22 by @zhijie-yang in #200
• feat: add performance testing in the ci by @letFunny in #196
• chore(ci): bump artifact actions to v4 by @letFunny in #202
• feat: add support for path conflicts with 'prefer' by @letFunny in #201
• chore(deps): update canonical/has-signed-canonical-cla action to v2 by @cjdcordeiro in #210
• feat: cannot extract files outside the target directory by @letFunny in #205
• chore: update Go version to 1.22.12 for security fixes by @nilsdebruin in #211
• bugfix: revert disabling TopLevelControl by @letFunny in #214
• fix: ci real archive tests on supported image by @letFunny in #218
• refactor: simplify conflict algorithm by @letFunny in #216
• feat: finish support for path conflicts with 'prefer' by @letFunny in #204
• ci: ubuntu-20.04 runner image is deprecated by @letFunny in #225
• fix: script errors when root is / by @letFunny in #224
• feat: add support for v2 format by @letFunny in #197
• feat: update to Go-1.23 by @letFunny in #219

New Contributors

• @zhijie-yang made their first contribution in #193
• @nilsdebruin made their first contribution in #211

Full Changelog: v1.1.0...v1.2.0

v1.1.0

Highlights: this release introduces support for Ubuntu Pro archives. Copyright files are no longer implicitly installed. There is also a fix for CVE-2024-45337, and a security policy has been added to the repository.

What's Changed

• ci: report vulnerabilities and fail on HIGH,CRITICAL by @cjdcordeiro in #152
• feat: make suites mandatory in archive config by @HadrienPatte in #161
• feat: support multiple archives with "priority" field by @letFunny in #160
• feat: support "Pro" archives by @letFunny in #167
• fix: explicit parents override implicit by @letFunny in #166
• fix: remove mantic spread tests by @letFunny in #175
• fix: remove implicit copyright installation by @letFunny in #170
• refactor(setup): move YAML-specific logic to yaml.go by @letFunny in #169
• snap: update description by @rebornplusplus in #165
• fix(setup): add missing "Generate" equivalency by @rebornplusplus in #173
• feat: add support for "v2-archives" in "v1" format by @letFunny in #181
• feat: optimize common case of GlobPath by @letFunny in #180
• fix: tune comment for v2-archives by @letFunny in #184
• chore: update golang.org/x/crypto by @letFunny in #189
• chore: add security policy by @cjdcordeiro in #188

New Contributors

• @HadrienPatte made their first contribution in #161

Full Changelog: v1.0.0...v1.1.0

v1.0.0

Highlights: this major release introduces the Chisel "manifest" - a Zstandard-compressed "jsonwall" file generated by Chisel, to record information about the installed slices in the chiselled root filesystem. The new Chisel command info is also introduced in this release. Finally, the Chisel format chisel-v1 is now deprecated.

What's Changed

• chore: update spread test to latest release changes by @letFunny in #147
• chore: update goyaml to latest version by @letFunny in #153
• feat: parse generate property in sdf by @letFunny in #143
• feat: internal manifest package by @letFunny in #144
• chore: publish release checksums by @rebornplusplus in #155
• feat: add info command by @rebornplusplus in #101
• feat: create manifest.wall by @letFunny in #142
• refactor: tune error message for invalid generate value by @letFunny in #162
• fix: info supports "generate" paths by @rebornplusplus in #163
• fix: deprecate "chisel-v1" format by @letFunny in #150
• feat: validate manifest before writing by @letFunny in #159

Full Changelog: v0.10.0...v1.0.0

v0.10.0

Highlights: this release adds support for a new top-level essential field in the slice definitions file. It also introduces a new Chisel command - find - for looking up slices in any given release, by package and/or slice name.

What's Changed

• refactor: filter created entries for report by @letFunny in #124
• chore: bump golang.org/x/crypto to v0.21.0 by @rebornplusplus in #130
• fix: parent directory permissions by @letFunny in #128
• chore: add noble as separate github action by @letFunny in #132
• feat: essential field for packages by @letFunny in #127
• feat: support for several slices of the same package by @letFunny in #134
• refactor: split slicer into steps and remove unnecessary state by @letFunny in #136
• feat: report mutated files by @letFunny in #131
• feat: add find command by @rebornplusplus in #99
• chore: enable noble spread tests by @letFunny in #141
• hotfix: use strings.TrimPrefix() for relative paths by @rebornplusplus in #145

Full Changelog: v0.9.1...v0.10.0

v0.9.1

Highlights: this release fixes the constraint on the length of package names, now accepting packages with less than three characters in length.

What's Changed

• feat: creating files logs information for use in chisel.db by @letFunny in #105
• fix(ci): adjust libc6 spread test for noble by @cjdcordeiro in #121
• feat: add file and directory report skeleton by @letFunny in #116
• remove deb package blob used for testing by @letFunny in #113
• fix: package names can be of length two by @rebornplusplus in #120

Full Changelog: v0.9.0...v0.9.1

v0.9.0

Highlights: this release introduces verification of GPG signatures for the Ubuntu archives' InRelease files. This is also associated with an incoming change of format for the chisel-releases - this release now supports both chisel-v1 and v1 formats, noting that the former will soon be removed, in favour of v1.

What's Changed

• feat: integrity checks for Ubuntu Release files by @letFunny and @rebornplusplus in #106
• feat: add support for chisel release format "v1" by @letFunny and @rebornplusplus in #115

Other minor changes

• fix starlark link by @shyim in #110
• make Spread tests run for multiple chisel-releases by @cjdcordeiro in #114

New Contributors

• @shyim made their first contribution in #110

Full Changelog: v0.8.1...v0.9.0

v0.8.1

Highlights: apart from testing and documentation improvements, this release uses a more appropriate HTTP client for fetching larger files. It also makes the expected chisel-releases schema more permissive, ignoring unknown fileds instead of raising an error.

What's Changed

• fix: use proper HTTP clients to fetch files by @rebornplusplus in #66
• bugfix: ignore extra fields in yaml by @letFunny in #107

Other minor changes

• chore: promote "riscv64" snap to candidate on release by @rebornplusplus in #95
• slicer/test: Define all release archives by @woky in #81
• testutil/pkgdata: Handle empty names in MakeDeb() by @woky in #85
• testutil/pkgdata: Add MakeTestDeb() by @woky in #87
• fsutil: Explicit parent directory creation by @woky in #76
• slicer/test: Set archive options from release by @woky in #82
• Switch from kinetic to focal in spread tests by @woky in #97
• CI: Add CLA check, Linting and security scanning by @rebornplusplus in #31
• testutil/pkgdata: Add TarEntry shorthand constructors by @woky in #86
• Support OpenPGP keyrings in release by @woky in #100
• docs: add snap and CI badges to README by @cjdcordeiro in #104

New Contributors

• @letFunny made their first contribution in #107

Full Changelog: v0.8.0...v0.8.1