Merge 2fe7406ef9 into f35b2b7cab

2023-09-05 09:56:31 +02:00
parent f35b2b7cab 2fe7406ef9
commit 8c5c8f2bb4
83 changed files with 1579 additions and 4255 deletions
--- a/build/build.go
+++ b/build/build.go
@@ -23,6 +23,7 @@ import (
 	"github.com/containerd/containerd/content/local"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/localstate"
@@ -33,7 +34,6 @@ import (
 	"github.com/docker/buildx/util/resolver"
 	"github.com/docker/buildx/util/waitmap"
 	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/pkg/jsonmessage"
--- a/commands/imagetools/create.go
+++ b/commands/imagetools/create.go
@@ -7,12 +7,12 @@ import (
 	"os"
 	"strings"
 	"github.com/distribution/reference"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
--- a/go.mod
+++ b/go.mod
@@ -5,15 +5,15 @@ go 1.20
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/aws/aws-sdk-go-v2/config v1.18.16
-	github.com/compose-spec/compose-go v1.17.0
+	github.com/compose-spec/compose-go v1.18.4
 	github.com/containerd/console v1.0.3
 	github.com/containerd/containerd v1.7.2
 	github.com/containerd/continuity v0.4.1
 	github.com/containerd/typeurl/v2 v2.1.1
 	github.com/creack/pty v1.1.18
 	github.com/distribution/reference v0.5.0
 	github.com/docker/cli v24.0.5+incompatible
 	github.com/docker/cli-docs-tool v0.6.0
 	github.com/docker/distribution v2.8.2+incompatible
 	github.com/docker/docker v24.0.5+incompatible
 	github.com/docker/go-units v0.5.0
 	github.com/gofrs/flock v0.8.1
@@ -55,7 +55,6 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v12 v12.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
@@ -71,22 +70,16 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bugsnag/bugsnag-go v1.4.1 // indirect
 	github.com/bugsnag/panicwrap v1.2.0 // indirect
 	github.com/cenkalti/backoff v2.1.1+incompatible // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
 	github.com/containerd/ttrpc v1.2.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 // indirect
 	github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
@@ -95,26 +88,19 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-sql-driver/mysql v1.6.0 // indirect
 	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/gorm v1.9.2 // indirect
 	github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/klauspost/compress v1.16.3 // indirect
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
@@ -136,10 +122,8 @@ require (
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/spf13/viper v1.14.0 // indirect
+	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/theupdateframework/notary v0.6.1 // indirect
 	github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 // indirect
@@ -167,9 +151,6 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/dancannon/gorethink.v3 v3.0.5 // indirect
 	gopkg.in/fatih/pool.v2 v2.0.0 // indirect
 	gopkg.in/gorethink/gorethink.v3 v3.0.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -39,6 +39,7 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 h1:+vTEFqeoeur6XSq06bs+roX3YiT49gUniJK7Zky7Xjg=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
@@ -47,12 +48,11 @@ github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migc
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Microsoft/hcsshim v0.10.0-rc.8 h1:YSZVvlIIDD1UxQpJp0h+dnpLUw+TrY0cx8obKsp3bek=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
+github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d h1:hi6J4K6DKrR4/ljxn6SF6nURyu785wKMuQcjt7H3VCQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 h1:w1UutsfOrms1J05zt7ISrnJIXKzwaspym5BTKGx93EI=
 github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412/go.mod h1:WPjqKcmVOxf0XSf3YxCJs6N6AOSrOx3obionmG7T0y0=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
@@ -90,17 +90,21 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 h1:rIFn5J3yDoeuKCE9sESXqM5POTAh
 github.com/aws/aws-sdk-go-v2/service/sts v1.18.6/go.mod h1:48WJ9l3dwP0GSHWGc5sFGGlCkuA82Mc2xnw+T6Q8aDw=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/beorn7/perks v0.0.0-20150223135152-b965b613227f/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
 github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
-github.com/bugsnag/bugsnag-go v1.4.1 h1:TT3P9AX69w8mbSGE8L7IJOO2KBlPN0iQtYD0dUlrWHc=
+github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/bugsnag/bugsnag-go v1.4.1/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
+github.com/bugsnag/bugsnag-go v1.0.5-0.20150529004307-13fd6b8acda0 h1:s7+5BfS4WFJoVF9pnB8kBk03S7pZXRdKamnV0FOl5Sc=
-github.com/bugsnag/panicwrap v1.2.0 h1:OzrKrRvXis8qEvOkfcxNcYbOd2O7xXS2nnKMEMABFQA=
+github.com/bugsnag/bugsnag-go v1.0.5-0.20150529004307-13fd6b8acda0/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
-github.com/bugsnag/panicwrap v1.2.0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
+github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ=
-github.com/cenkalti/backoff v2.1.1+incompatible h1:tKJnvO2kl0zmb/jA5UKAt4VoEVw1qxKWjE/Bpp46npY=
+github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
-github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -112,8 +116,8 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e h1:Qux+lbuMaRzkQyTdzgtz8MgzPtzmaPQy6DXmxpdxT3U=
+github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004 h1:lkAMpLVBDaj17e85keuznYcH5rqI438v41pKcBl4ZxQ=
-github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
+github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
@@ -122,8 +126,8 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
-github.com/compose-spec/compose-go v1.17.0 h1:cvje90CU94dQyTnJoHJYjx9yE4Iggse1XmGcO3Qi5ts=
+github.com/compose-spec/compose-go v1.18.4 h1:yLYfsc3ATAYZVAJcXyx/V847/JVBmf3pfKfR13mXU4s=
-github.com/compose-spec/compose-go v1.17.0/go.mod h1:zR2tP1+kZHi5vJz7PjpW6oMoDji/Js3GHjP+hfjf70Q=
+github.com/compose-spec/compose-go v1.18.4/go.mod h1:+MdqXV4RA7wdFsahh/Kb8U0pAJqkg7mr4PM9tFKU8RM=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
@@ -148,12 +152,14 @@ github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa h1:L9Ay/slwQ4ERSPaurC+TVkZrM0K98GNrEEo1En3e8as=
+github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
-github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v24.0.5+incompatible h1:WeBimjvS0eKdH4Ygx+ihVq1Q++xg36M/rMi4aXAvodc=
 github.com/docker/cli v24.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli-docs-tool v0.6.0 h1:Z9x10SaZgFaB6jHgz3OWooynhSa40CsWkpe5hEnG/qA=
 github.com/docker/cli-docs-tool v0.6.0/go.mod h1:zMjqTFCU361PRh8apiXzeAZ1Q/xupbIwTusYpzCXS/o=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v24.0.5+incompatible h1:WmgcE4fxyI6EEXxBRxsHnZXrO1pQ3smi0k/jho4HLeY=
@@ -165,16 +171,16 @@ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c/go.mod h1:CADgU4DSXK
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4 h1:k8TfKGeAcDQFFQOGCQMRN04N4a9YrPlRMMKnzAuvM9Q=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
-github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484 h1:pEtiCjIXx3RvGjlUJuCNxNOw0MNblyR9Wi+vJGBFh+8=
+github.com/dvsekhvalnov/jose2go v0.0.0-20170216131308-f21a8cedbbae/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM=
-github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -184,9 +190,10 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fvbommel/sortorder v1.0.1 h1:dSnXLt4mJYH25uDDGa3biZNQsozaUWDSWeKJ0qqFfzE=
 github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -211,19 +218,20 @@ github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXym
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
+github.com/go-sql-driver/mysql v1.3.0 h1:pgwjLi/dvffoP9aabwkT3AKpXQM93QARkjFhDDqC1UE=
-github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0=
 github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
@@ -259,8 +267,8 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY=
+github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93 h1:jc2UWq7CbdszqeH6qu1ougXMIUBfSy8Pbh/anURYbGI=
-github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ=
+github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
 github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -297,6 +305,7 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -312,20 +321,22 @@ github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840 h1:kgvybwEe
 github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840/go.mod h1:Abjk0jbRkDaNCzsRhOv2iDCofYpX1eVsjozoiK63qLA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY=
 github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/in-toto/in-toto-golang v0.5.0 h1:hb8bgwr0M2hGdDsLjkJ3ZqJ8JFLL/tgYdAxF/XEFBbY=
 github.com/in-toto/in-toto-golang v0.5.0/go.mod h1:/Rq0IZHLV7Ku5gielPT4wPHJfH1GdHMCq8+WPxw8/BE=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jinzhu/gorm v1.9.2 h1:lCvgEaqe/HVE+tjAR2mt4HbbHAZsQOv3XAZiEZV37iw=
+github.com/jinzhu/gorm v0.0.0-20170222002820-5409931a1bb8 h1:CZkYfurY6KGhVtlalI4QwQ6T0Cu6iuY3e0x5RLu96WE=
-github.com/jinzhu/gorm v1.9.2/go.mod h1:Vla75njaFJ8clLU1W44h34PjIkijhjHIYnZxMqCdxqo=
+github.com/jinzhu/gorm v0.0.0-20170222002820-5409931a1bb8/go.mod h1:Vla75njaFJ8clLU1W44h34PjIkijhjHIYnZxMqCdxqo=
-github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a h1:eeaG9XMUvRBYXJi4pg1ZKM7nxc5AfXfojeLLW7O5J3k=
+github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d h1:jRQLvyVGL+iVtDElaEIDdKwpPqUIZJfzkNLV34htpEc=
-github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -336,40 +347,44 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA=
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.16.3 h1:XuJt9zzcnaz6a16/OU53ZjWp/v7/42WcR5t2a0PcNQY=
 github.com/klauspost/compress v1.16.3/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
+github.com/lib/pq v0.0.0-20150723085316-0dad96c0b94f/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/magiconair/properties v1.5.3 h1:C8fxWnhYyME3n0klPOhVM7PtYUB3eV1W3DeFmN3j53Y=
 github.com/magiconair/properties v1.5.3/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM=
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/buildkit v0.12.1-0.20230804094609-b49a8873179b h1:LUpEbvxcyM0NuWk54WwNjDVZ5YujyCm1CudzZpqaohE=
@@ -401,40 +416,51 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
 github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
 github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
 github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
 github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
 github.com/opencontainers/runtime-spec v1.1.0-rc.2 h1:ucBtEms2tamYYW/SvGpvq9yUN0NEVL6oyLEwDcTSrk8=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.0-pre1.0.20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
 github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
 github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
 github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
 github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
 github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
@@ -442,38 +468,42 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE=
 github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002 h1:ka9QPuQg2u4LGipiZGsgkg3rJCo4iIUCy75FddM0GRQ=
 github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002/go.mod h1:/yeG0My1xr/u+HZrFQ1tOQQQQrOawfyMUH13ai5brBc=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spdx/tools-golang v0.5.1 h1:fJg3SVOGG+eIva9ZUBm/hvyA7PIPVFjRxUKe6fdAgwE=
-github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw=
+github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
-github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
+github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
 github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
+github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431 h1:XTHrT015sxHyJ5FnQ0AeemSspZWaDq7DoTRW0EVsDCE=
 github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.0/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.14.0 h1:Rg7d3Lo706X9tHsJMUjdiwMpHB7W8WnSVOssIY+JElU=
+github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c h1:2EejZtjFjKJGk71ANb+wtFK5EjUzUkEM3R0xnp559xg=
-github.com/spf13/viper v1.14.0/go.mod h1:WT//axPky3FdvXHzGw33dNdXXXfFQqmEalje+egj8As=
+github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -482,9 +512,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
+github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
-github.com/theupdateframework/notary v0.6.1 h1:7wshjstgS9x9F5LuB1L5mBI2xNMObWqjz+cjWoom6l0=
+github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw=
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
 github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb h1:uUe8rNyVXM8moActoBol6Xf6xX2GMr7SosR2EywMvGg=
 github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb/go.mod h1:SxX/oNQ/ag6Vaoli547ipFK9J7BZn5JqJG0JE8lf8bA=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
@@ -547,12 +576,15 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200422194213-44a606286825/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
 golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -592,6 +624,7 @@ golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -644,6 +677,7 @@ golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -658,6 +692,7 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -685,6 +720,7 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
@@ -808,6 +844,7 @@ google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA=
 google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -841,22 +878,23 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
 gopkg.in/cenkalti/backoff.v2 v2.2.1/go.mod h1:S0QdOvT2AlerfSBkp0O+dk+bbIMaNbEmVk876gPCthU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/dancannon/gorethink.v3 v3.0.5 h1:/g7PWP7zUS6vSNmHSDbjCHQh1Rqn8Jy6zSMQxAsBSMQ=
 gopkg.in/dancannon/gorethink.v3 v3.0.5/go.mod h1:GXsi1e3N2OcKhcP6nsYABTiUejbWMFO4GY5a4pEaeEc=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fatih/pool.v2 v2.0.0 h1:xIFeWtxifuQJGk/IEPKsTduEKcKvPmhoiVDGpC40nKg=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/fatih/pool.v2 v2.0.0/go.mod h1:8xVGeu1/2jr2wm5V9SPuMht2H5AEmf5aFMGSQixtjTY=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/gorethink/gorethink.v3 v3.0.5 h1:e2Uc/Xe+hpcVQFsj6MuHlYog3r0JYpnTzwDj/y2O4MU=
 gopkg.in/gorethink/gorethink.v3 v3.0.5/go.mod h1:+3yIIHJUGMBK+wyPH+iN5TP+88ikFDfZdqTlK3Y9q8I=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1 h1:d4KQkxAaAiRY2h5Zqis161Pv91A37uZyJOx73duwUwM=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1/go.mod h1:WbjuEoo1oadwzQ4apSDU+JTvmllEHtsNHS6y7vFc7iw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/tests/integration_test.go
+++ b/tests/integration_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 	"github.com/distribution/reference"
 	"github.com/docker/buildx/tests/workers"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/testutil/integration"
 	bkworkers "github.com/moby/buildkit/util/testutil/workers"
 )
--- a/util/buildflags/context.go
+++ b/util/buildflags/context.go
@@ -3,7 +3,7 @@ package buildflags
 import (
 	"strings"
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 	"github.com/pkg/errors"
 )
--- a/util/imagetools/create.go
+++ b/util/imagetools/create.go
@@ -13,7 +13,7 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/remotes"
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/opencontainers/go-digest"
--- a/util/imagetools/inspect.go
+++ b/util/imagetools/inspect.go
@@ -11,9 +11,9 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
 	"github.com/distribution/reference"
 	"github.com/docker/buildx/util/resolver"
 	clitypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/tracing"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
--- a/util/imagetools/loader.go
+++ b/util/imagetools/loader.go
@@ -13,7 +13,7 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
 	"github.com/containerd/containerd/remotes"
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
--- a/util/imagetools/printers.go
+++ b/util/imagetools/printers.go
@@ -12,7 +12,7 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/platforms"
-	"github.com/docker/distribution/reference"
+	"github.com/distribution/reference"
 	"github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
--- a/vendor/github.com/agl/ed25519/LICENSE
+++ b/vendor/github.com/agl/ed25519/LICENSE
@@ -1,27 +0,0 @@
 Copyright (c) 2012 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/vendor/github.com/agl/ed25519/ed25519.go
+++ b/vendor/github.com/agl/ed25519/ed25519.go
@@ -1,127 +0,0 @@
 // Copyright 2013 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package ed25519 implements the Ed25519 signature algorithm. See
 // http://ed25519.cr.yp.to/.
 package ed25519
 // This code is a port of the public domain, "ref10" implementation of ed25519
 // from SUPERCOP.
 import (
 	"crypto/sha512"
 	"crypto/subtle"
 	"io"
 	"github.com/agl/ed25519/edwards25519"
 )
 const (
 	PublicKeySize  = 32
 	PrivateKeySize = 64
 	SignatureSize  = 64
 )
 // GenerateKey generates a public/private key pair using randomness from rand.
 func GenerateKey(rand io.Reader) (publicKey *[PublicKeySize]byte, privateKey *[PrivateKeySize]byte, err error) {
 	privateKey = new([64]byte)
 	publicKey = new([32]byte)
 	_, err = io.ReadFull(rand, privateKey[:32])
 	if err != nil {
 		return nil, nil, err
 	}
 	h := sha512.New()
 	h.Write(privateKey[:32])
 	digest := h.Sum(nil)
 	digest[0] &= 248
 	digest[31] &= 127
 	digest[31] |= 64
 	var A edwards25519.ExtendedGroupElement
 	var hBytes [32]byte
 	copy(hBytes[:], digest)
 	edwards25519.GeScalarMultBase(&A, &hBytes)
 	A.ToBytes(publicKey)
 	copy(privateKey[32:], publicKey[:])
 	return
 }
 // Sign signs the message with privateKey and returns a signature.
 func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte {
 	h := sha512.New()
 	h.Write(privateKey[:32])
 	var digest1, messageDigest, hramDigest [64]byte
 	var expandedSecretKey [32]byte
 	h.Sum(digest1[:0])
 	copy(expandedSecretKey[:], digest1[:])
 	expandedSecretKey[0] &= 248
 	expandedSecretKey[31] &= 63
 	expandedSecretKey[31] |= 64
 	h.Reset()
 	h.Write(digest1[32:])
 	h.Write(message)
 	h.Sum(messageDigest[:0])
 	var messageDigestReduced [32]byte
 	edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
 	var R edwards25519.ExtendedGroupElement
 	edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
 	var encodedR [32]byte
 	R.ToBytes(&encodedR)
 	h.Reset()
 	h.Write(encodedR[:])
 	h.Write(privateKey[32:])
 	h.Write(message)
 	h.Sum(hramDigest[:0])
 	var hramDigestReduced [32]byte
 	edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
 	var s [32]byte
 	edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
 	signature := new([64]byte)
 	copy(signature[:], encodedR[:])
 	copy(signature[32:], s[:])
 	return signature
 }
 // Verify returns true iff sig is a valid signature of message by publicKey.
 func Verify(publicKey *[PublicKeySize]byte, message []byte, sig *[SignatureSize]byte) bool {
 	if sig[63]&224 != 0 {
 		return false
 	}
 	var A edwards25519.ExtendedGroupElement
 	if !A.FromBytes(publicKey) {
 		return false
 	}
 	edwards25519.FeNeg(&A.X, &A.X)
 	edwards25519.FeNeg(&A.T, &A.T)
 	h := sha512.New()
 	h.Write(sig[:32])
 	h.Write(publicKey[:])
 	h.Write(message)
 	var digest [64]byte
 	h.Sum(digest[:0])
 	var hReduced [32]byte
 	edwards25519.ScReduce(&hReduced, &digest)
 	var R edwards25519.ProjectiveGroupElement
 	var b [32]byte
 	copy(b[:], sig[32:])
 	edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
 	var checkR [32]byte
 	R.ToBytes(&checkR)
 	return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
 }
--- a/vendor/github.com/agl/ed25519/edwards25519/const.go
+++ b/vendor/github.com/agl/ed25519/edwards25519/const.go
--- a/vendor/github.com/agl/ed25519/edwards25519/edwards25519.go
+++ b/vendor/github.com/agl/ed25519/edwards25519/edwards25519.go
--- a/vendor/github.com/compose-spec/compose-go/cli/options.go
+++ b/vendor/github.com/compose-spec/compose-go/cli/options.go
@@ -17,6 +17,7 @@
 package cli
 import (
 	"context"
 	"io"
 	"os"
 	"path/filepath"
@@ -35,6 +36,8 @@ import (
 // ProjectOptions provides common configuration for loading a project.
 type ProjectOptions struct {
 	ctx context.Context
 	// Name is a valid Compose project name to be used or empty.
 	//
 	// If empty, the project loader will automatically infer a reasonable
@@ -63,7 +66,7 @@ type ProjectOptions struct {
 	// NOTE: For security, the loader does not automatically expose any
 	// process environment variables. For convenience, WithOsEnv can be
 	// used if appropriate.
-	Environment map[string]string
+	Environment types.Mapping
 	// EnvFiles are file paths to ".env" files with additional environment
 	// variable data.
@@ -191,7 +194,7 @@ func WithEnv(env []string) ProjectOptionsFn {
 	}
 }
-// WithDiscardEnvFiles sets discards the `env_file` section after resolving to
+// WithDiscardEnvFile sets discards the `env_file` section after resolving to
 // the `environment` section
 func WithDiscardEnvFile(o *ProjectOptions) error {
 	o.loadOptions = append(o.loadOptions, loader.WithDiscardEnvFiles)
@@ -206,6 +209,15 @@ func WithLoadOptions(loadOptions ...func(*loader.Options)) ProjectOptionsFn {
 	}
 }
 // WithDefaultProfiles uses the provided profiles (if any), and falls back to
 // profiles specified via the COMPOSE_PROFILES environment variable otherwise.
 func WithDefaultProfiles(profile ...string) ProjectOptionsFn {
 	if len(profile) == 0 {
 		profile = strings.Split(os.Getenv(consts.ComposeProfiles), ",")
 	}
 	return WithProfiles(profile)
 }
 // WithProfiles sets profiles to be activated
 func WithProfiles(profiles []string) ProjectOptionsFn {
 	return func(o *ProjectOptions) error {
@@ -225,8 +237,9 @@ func WithOsEnv(o *ProjectOptions) error {
 	return nil
 }
-// WithEnvFile set an alternate env file
+// WithEnvFile sets an alternate env file.
-// deprecated - use WithEnvFiles
+//
 // Deprecated: use WithEnvFiles instead.
 func WithEnvFile(file string) ProjectOptionsFn {
 	var files []string
 	if file != "" {
@@ -253,11 +266,7 @@ func WithDotEnv(o *ProjectOptions) error {
 	if err != nil {
 		return err
 	}
-	for k, v := range envMap {
+	o.Environment.Merge(envMap)
 		if _, set := o.Environment[k]; !set {
 			o.Environment[k] = v
 		}
 	}
 	return nil
 }
@@ -301,6 +310,24 @@ func WithResolvedPaths(resolve bool) ProjectOptionsFn {
 	}
 }
 // WithContext sets the context used to load model and resources
 func WithContext(ctx context.Context) ProjectOptionsFn {
 	return func(o *ProjectOptions) error {
 		o.ctx = ctx
 		return nil
 	}
 }
 // WithResourceLoader register support for ResourceLoader to manage remote resources
 func WithResourceLoader(r loader.ResourceLoader) ProjectOptionsFn {
 	return func(o *ProjectOptions) error {
 		o.loadOptions = append(o.loadOptions, func(options *loader.Options) {
 			options.ResourceLoaders = append(options.ResourceLoaders, r)
 		})
 		return nil
 	}
 }
 // DefaultFileNames defines the Compose file names for auto-discovery (in order of preference)
 var DefaultFileNames = []string{"compose.yaml", "compose.yml", "docker-compose.yml", "docker-compose.yaml"}
@@ -367,7 +394,12 @@ func ProjectFromOptions(options *ProjectOptions) (*types.Project, error) {
 		withNamePrecedenceLoad(absWorkingDir, options),
 		withConvertWindowsPaths(options))
-	project, err := loader.Load(types.ConfigDetails{
+	ctx := options.ctx
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	project, err := loader.LoadWithContext(ctx, types.ConfigDetails{
 		ConfigFiles: configs,
 		WorkingDir:  workingDir,
 		Environment: options.Environment,
--- a/vendor/github.com/compose-spec/compose-go/loader/include.go
+++ b/vendor/github.com/compose-spec/compose-go/loader/include.go
@@ -17,10 +17,12 @@
 package loader
 import (
 	"context"
 	"fmt"
 	"path/filepath"
 	"github.com/compose-spec/compose-go/dotenv"
 	interp "github.com/compose-spec/compose-go/interpolation"
 	"github.com/compose-spec/compose-go/types"
 	"github.com/pkg/errors"
 )
@@ -43,12 +45,23 @@ var transformIncludeConfig TransformerFunc = func(data interface{}) (interface{}
 	}
 }
-func loadInclude(configDetails types.ConfigDetails, model *types.Config, options *Options, loaded []string) (*types.Config, error) {
+func loadInclude(ctx context.Context, filename string, configDetails types.ConfigDetails, model *types.Config, options *Options, loaded []string) (*types.Config, map[string][]types.IncludeConfig, error) {
 	included := make(map[string][]types.IncludeConfig)
 	for _, r := range model.Include {
 		included[filename] = append(included[filename], r)
 		for i, p := range r.Path {
-			if !filepath.IsAbs(p) {
+			for _, loader := range options.ResourceLoaders {
-				r.Path[i] = filepath.Join(configDetails.WorkingDir, p)
+				if loader.Accept(p) {
 					path, err := loader.Load(ctx, p)
 					if err != nil {
 						return nil, nil, err
 					}
 					p = path
 					break
 				}
 			}
 			r.Path[i] = absPath(configDetails.WorkingDir, p)
 		}
 		if r.ProjectDirectory == "" {
 			r.ProjectDirectory = filepath.Dir(r.Path[0])
@@ -60,27 +73,36 @@ func loadInclude(configDetails types.ConfigDetails, model *types.Config, options
 		loadOptions.SkipNormalization = true
 		loadOptions.SkipConsistencyCheck = true
-		env, err := dotenv.GetEnvFromFile(configDetails.Environment, r.ProjectDirectory, r.EnvFile)
+		envFromFile, err := dotenv.GetEnvFromFile(configDetails.Environment, r.ProjectDirectory, r.EnvFile)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
-		imported, err := load(types.ConfigDetails{
+		config := types.ConfigDetails{
 			WorkingDir:  r.ProjectDirectory,
 			ConfigFiles: types.ToConfigFiles(r.Path),
-			Environment: env,
+			Environment: configDetails.Environment.Clone().Merge(envFromFile),
-		}, loadOptions, loaded)
+		}
 		loadOptions.Interpolate = &interp.Options{
 			Substitute:      options.Interpolate.Substitute,
 			LookupValue:     config.LookupEnv,
 			TypeCastMapping: options.Interpolate.TypeCastMapping,
 		}
 		imported, err := load(ctx, config, loadOptions, loaded)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		for k, v := range imported.IncludeReferences {
 			included[k] = append(included[k], v...)
 		}
 		err = importResources(model, imported, r.Path)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 	}
 	model.Include = nil
-	return model, nil
+	return model, included, nil
 }
 // importResources import into model all resources defined by imported, and report error on conflict
@@ -92,6 +114,12 @@ func importResources(model *types.Config, imported *types.Project, path []string
 		}
 		model.Services = append(model.Services, service)
 	}
 	for _, service := range imported.DisabledServices {
 		if _, ok := services[service.Name]; ok {
 			return fmt.Errorf("imported compose file %s defines conflicting service %s", path, service.Name)
 		}
 		model.Services = append(model.Services, service)
 	}
 	for n, network := range imported.Networks {
 		if _, ok := model.Networks[n]; ok {
 			return fmt.Errorf("imported compose file %s defines conflicting network %s", path, n)
--- a/vendor/github.com/compose-spec/compose-go/loader/loader.go
+++ b/vendor/github.com/compose-spec/compose-go/loader/loader.go
@@ -17,7 +17,10 @@
 package loader
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"os"
 	paths "path"
 	"path/filepath"
@@ -68,6 +71,16 @@ type Options struct {
 	projectNameImperativelySet bool
 	// Profiles set profiles to enable
 	Profiles []string
 	// ResourceLoaders manages support for remote resources
 	ResourceLoaders []ResourceLoader
 }
 // ResourceLoader is a plugable remote resource resolver
 type ResourceLoader interface {
 	// Accept returns `true` is the resource reference matches ResourceLoader supported protocol(s)
 	Accept(path string) bool
 	// Load returns the path to a local copy of remote resource identified by `path`.
 	Load(ctx context.Context, path string) (string, error)
 }
 func (o *Options) clone() *Options {
@@ -85,6 +98,7 @@ func (o *Options) clone() *Options {
 		projectName:                o.projectName,
 		projectNameImperativelySet: o.projectNameImperativelySet,
 		Profiles:                   o.Profiles,
 		ResourceLoaders:            o.ResourceLoaders,
 	}
 }
@@ -154,7 +168,9 @@ func WithProfiles(profiles []string) func(*Options) {
 // ParseYAML reads the bytes from a file, parses the bytes into a mapping
 // structure, and returns it.
 func ParseYAML(source []byte) (map[string]interface{}, error) {
-	m, _, err := parseYAML(source)
+	r := bytes.NewReader(source)
 	decoder := yaml.NewDecoder(r)
 	m, _, err := parseYAML(decoder)
 	return m, err
 }
@@ -167,11 +183,11 @@ type PostProcessor interface {
 	Apply(config *types.Config) error
 }
-func parseYAML(source []byte) (map[string]interface{}, PostProcessor, error) {
+func parseYAML(decoder *yaml.Decoder) (map[string]interface{}, PostProcessor, error) {
 	var cfg interface{}
 	processor := ResetProcessor{target: &cfg}
-	if err := yaml.Unmarshal(source, &processor); err != nil {
+	if err := decoder.Decode(&processor); err != nil {
 		return nil, nil, err
 	}
 	stringMap, ok := cfg.(map[string]interface{})
@@ -193,8 +209,14 @@ func parseYAML(source []byte) (map[string]interface{}, PostProcessor, error) {
 	return converted.(map[string]interface{}), &processor, nil
 }
-// Load reads a ConfigDetails and returns a fully loaded configuration
+// Load reads a ConfigDetails and returns a fully loaded configuration.
 // Deprecated: use LoadWithContext.
 func Load(configDetails types.ConfigDetails, options ...func(*Options)) (*types.Project, error) {
 	return LoadWithContext(context.Background(), configDetails, options...)
 }
 // LoadWithContext reads a ConfigDetails and returns a fully loaded configuration
 func LoadWithContext(ctx context.Context, configDetails types.ConfigDetails, options ...func(*Options)) (*types.Project, error) {
 	if len(configDetails.ConfigFiles) < 1 {
 		return nil, errors.Errorf("No files specified")
 	}
@@ -217,10 +239,10 @@ func Load(configDetails types.ConfigDetails, options ...func(*Options)) (*types.
 		return nil, err
 	}
 	opts.projectName = projectName
-	return load(configDetails, opts, nil)
+	return load(ctx, configDetails, opts, nil)
 }
-func load(configDetails types.ConfigDetails, opts *Options, loaded []string) (*types.Project, error) {
+func load(ctx context.Context, configDetails types.ConfigDetails, opts *Options, loaded []string) (*types.Project, error) {
 	var model *types.Config
 	mainFile := configDetails.ConfigFiles[0].Filename
@@ -232,9 +254,56 @@ func load(configDetails types.ConfigDetails, opts *Options, loaded []string) (*t
 	}
 	loaded = append(loaded, mainFile)
-	for i, file := range configDetails.ConfigFiles {
+	includeRefs := make(map[string][]types.IncludeConfig)
 	first := true
 	for _, file := range configDetails.ConfigFiles {
 		var postProcessor PostProcessor
 		configDict := file.Config
 		processYaml := func() error {
 			if !opts.SkipValidation {
 				if err := schema.Validate(configDict); err != nil {
 					return fmt.Errorf("validating %s: %w", file.Filename, err)
 				}
 			}
 			configDict = groupXFieldsIntoExtensions(configDict)
 			cfg, err := loadSections(ctx, file.Filename, configDict, configDetails, opts)
 			if err != nil {
 				return err
 			}
 			if !opts.SkipInclude {
 				var included map[string][]types.IncludeConfig
 				cfg, included, err = loadInclude(ctx, file.Filename, configDetails, cfg, opts, loaded)
 				if err != nil {
 					return err
 				}
 				for k, v := range included {
 					includeRefs[k] = append(includeRefs[k], v...)
 				}
 			}
 			if first {
 				first = false
 				model = cfg
 				return nil
 			}
 			merged, err := merge([]*types.Config{model, cfg})
 			if err != nil {
 				return err
 			}
 			if postProcessor != nil {
 				err = postProcessor.Apply(merged)
 				if err != nil {
 					return err
 				}
 			}
 			model = merged
 			return nil
 		}
 		if configDict == nil {
 			if len(file.Content) == 0 {
 				content, err := os.ReadFile(file.Filename)
@@ -243,52 +312,29 @@ func load(configDetails types.ConfigDetails, opts *Options, loaded []string) (*t
 				}
 				file.Content = content
 			}
-			dict, p, err := parseConfig(file.Content, opts)
+
 			r := bytes.NewReader(file.Content)
 			decoder := yaml.NewDecoder(r)
 			for {
 				dict, p, err := parseConfig(decoder, opts)
 				if err != nil {
 					if err != io.EOF {
 						return nil, fmt.Errorf("parsing %s: %w", file.Filename, err)
 					}
 					break
 				}
 				configDict = dict
 			file.Config = dict
 			configDetails.ConfigFiles[i] = file
 				postProcessor = p
 		}
-		if !opts.SkipValidation {
+				if err := processYaml(); err != nil {
 			if err := schema.Validate(configDict); err != nil {
 				return nil, fmt.Errorf("validating %s: %w", file.Filename, err)
 			}
 		}
 		configDict = groupXFieldsIntoExtensions(configDict)
 		cfg, err := loadSections(file.Filename, configDict, configDetails, opts)
 		if err != nil {
 			return nil, err
 		}
 		if !opts.SkipInclude {
 			cfg, err = loadInclude(configDetails, cfg, opts, loaded)
 			if err != nil {
 					return nil, err
 				}
 			}
-
+		} else {
-		if i == 0 {
+			if err := processYaml(); err != nil {
 			model = cfg
 			continue
 		}
 		merged, err := merge([]*types.Config{model, cfg})
 		if err != nil {
 			return nil, err
 		}
 		if postProcessor != nil {
 			err = postProcessor.Apply(merged)
 			if err != nil {
 				return nil, err
 			}
 		}
 		model = merged
 	}
 	project := &types.Project{
@@ -303,6 +349,10 @@ func load(configDetails types.ConfigDetails, opts *Options, loaded []string) (*t
 		Extensions:  model.Extensions,
 	}
 	if len(includeRefs) != 0 {
 		project.IncludeReferences = includeRefs
 	}
 	if !opts.SkipNormalization {
 		err := Normalize(project)
 		if err != nil {
@@ -333,9 +383,6 @@ func load(configDetails types.ConfigDetails, opts *Options, loaded []string) (*t
 		}
 	}
 	if profiles, ok := project.Environment[consts.ComposeProfiles]; ok && len(opts.Profiles) == 0 {
 		opts.Profiles = strings.Split(profiles, ",")
 	}
 	project.ApplyProfiles(opts.Profiles)
 	err := project.ResolveServicesEnvironment(opts.discardEnvFiles)
@@ -422,8 +469,8 @@ func NormalizeProjectName(s string) string {
 	return strings.TrimLeft(s, "_-")
 }
-func parseConfig(b []byte, opts *Options) (map[string]interface{}, PostProcessor, error) {
+func parseConfig(decoder *yaml.Decoder, opts *Options) (map[string]interface{}, PostProcessor, error) {
-	yml, postProcessor, err := parseYAML(b)
+	yml, postProcessor, err := parseYAML(decoder)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -453,7 +500,7 @@ func groupXFieldsIntoExtensions(dict map[string]interface{}) map[string]interfac
 	return dict
 }
-func loadSections(filename string, config map[string]interface{}, configDetails types.ConfigDetails, opts *Options) (*types.Config, error) {
+func loadSections(ctx context.Context, filename string, config map[string]interface{}, configDetails types.ConfigDetails, opts *Options) (*types.Config, error) {
 	var err error
 	cfg := types.Config{
 		Filename: filename,
@@ -466,7 +513,7 @@ func loadSections(filename string, config map[string]interface{}, configDetails
 		}
 	}
 	cfg.Name = name
-	cfg.Services, err = LoadServices(filename, getSection(config, "services"), configDetails.WorkingDir, configDetails.LookupEnv, opts)
+	cfg.Services, err = LoadServices(ctx, filename, getSection(config, "services"), configDetails.WorkingDir, configDetails.LookupEnv, opts)
 	if err != nil {
 		return nil, err
 	}
@@ -659,7 +706,7 @@ func formatInvalidKeyError(keyPrefix string, key interface{}) error {
 // LoadServices produces a ServiceConfig map from a compose file Dict
 // the servicesDict is not validated if directly used. Use Load() to enable validation
-func LoadServices(filename string, servicesDict map[string]interface{}, workingDir string, lookupEnv template.Mapping, opts *Options) ([]types.ServiceConfig, error) {
+func LoadServices(ctx context.Context, filename string, servicesDict map[string]interface{}, workingDir string, lookupEnv template.Mapping, opts *Options) ([]types.ServiceConfig, error) {
 	var services []types.ServiceConfig
 	x, ok := servicesDict[extensions]
@@ -672,7 +719,7 @@ func LoadServices(filename string, servicesDict map[string]interface{}, workingD
 	}
 	for name := range servicesDict {
-		serviceConfig, err := loadServiceWithExtends(filename, name, servicesDict, workingDir, lookupEnv, opts, &cycleTracker{})
+		serviceConfig, err := loadServiceWithExtends(ctx, filename, name, servicesDict, workingDir, lookupEnv, opts, &cycleTracker{})
 		if err != nil {
 			return nil, err
 		}
@@ -683,7 +730,7 @@ func LoadServices(filename string, servicesDict map[string]interface{}, workingD
 	return services, nil
 }
-func loadServiceWithExtends(filename, name string, servicesDict map[string]interface{}, workingDir string, lookupEnv template.Mapping, opts *Options, ct *cycleTracker) (*types.ServiceConfig, error) {
+func loadServiceWithExtends(ctx context.Context, filename, name string, servicesDict map[string]interface{}, workingDir string, lookupEnv template.Mapping, opts *Options, ct *cycleTracker) (*types.ServiceConfig, error) {
 	if err := ct.Add(filename, name); err != nil {
 		return nil, err
 	}
@@ -707,11 +754,21 @@ func loadServiceWithExtends(filename, name string, servicesDict map[string]inter
 		var baseService *types.ServiceConfig
 		file := serviceConfig.Extends.File
 		if file == "" {
-			baseService, err = loadServiceWithExtends(filename, baseServiceName, servicesDict, workingDir, lookupEnv, opts, ct)
+			baseService, err = loadServiceWithExtends(ctx, filename, baseServiceName, servicesDict, workingDir, lookupEnv, opts, ct)
 			if err != nil {
 				return nil, err
 			}
 		} else {
 			for _, loader := range opts.ResourceLoaders {
 				if loader.Accept(file) {
 					path, err := loader.Load(ctx, file)
 					if err != nil {
 						return nil, err
 					}
 					file = path
 					break
 				}
 			}
 			// Resolve the path to the imported file, and load it.
 			baseFilePath := absPath(workingDir, file)
@@ -720,13 +777,16 @@ func loadServiceWithExtends(filename, name string, servicesDict map[string]inter
 				return nil, err
 			}
-			baseFile, _, err := parseConfig(b, opts)
+			r := bytes.NewReader(b)
 			decoder := yaml.NewDecoder(r)
 			baseFile, _, err := parseConfig(decoder, opts)
 			if err != nil {
 				return nil, err
 			}
 			baseFileServices := getSection(baseFile, "services")
-			baseService, err = loadServiceWithExtends(baseFilePath, baseServiceName, baseFileServices, filepath.Dir(baseFilePath), lookupEnv, opts, ct)
+			baseService, err = loadServiceWithExtends(ctx, baseFilePath, baseServiceName, baseFileServices, filepath.Dir(baseFilePath), lookupEnv, opts, ct)
 			if err != nil {
 				return nil, err
 			}
@@ -1038,7 +1098,12 @@ var transformServiceDeviceRequest TransformerFunc = func(data interface{}) (inte
 					value["count"] = -1
 					return value, nil
 				}
-				return data, errors.Errorf("invalid string value for 'count' (the only value allowed is 'all')")
+				i, err := strconv.ParseInt(val, 10, 64)
 				if err == nil {
 					value["count"] = i
 					return value, nil
 				}
 				return data, errors.Errorf("invalid string value for 'count' (the only value allowed is 'all' or a number)")
 			default:
 				return data, errors.Errorf("invalid type %T for device count", val)
 			}
--- a/vendor/github.com/compose-spec/compose-go/loader/paths.go
+++ b/vendor/github.com/compose-spec/compose-go/loader/paths.go
@@ -64,6 +64,25 @@ func ResolveRelativePaths(project *types.Project) error {
 			project.Volumes[name] = config
 		}
 	}
 	// don't coerce a nil map to an empty map
 	if project.IncludeReferences != nil {
 		absIncludes := make(map[string][]types.IncludeConfig, len(project.IncludeReferences))
 		for filename, config := range project.IncludeReferences {
 			filename = absPath(project.WorkingDir, filename)
 			absConfigs := make([]types.IncludeConfig, len(config))
 			for i, c := range config {
 				absConfigs[i] = types.IncludeConfig{
 					Path:             resolvePaths(project.WorkingDir, c.Path),
 					ProjectDirectory: absPath(project.WorkingDir, c.ProjectDirectory),
 					EnvFile:          resolvePaths(project.WorkingDir, c.EnvFile),
 				}
 			}
 			absIncludes[filename] = absConfigs
 		}
 		project.IncludeReferences = absIncludes
 	}
 	return nil
 }
@@ -133,3 +152,14 @@ func isRemoteContext(maybeURL string) bool {
 	}
 	return false
 }
 func resolvePaths(basePath string, in types.StringList) types.StringList {
 	if in == nil {
 		return nil
 	}
 	ret := make(types.StringList, len(in))
 	for i := range in {
 		ret[i] = absPath(basePath, in[i])
 	}
 	return ret
 }
--- a/vendor/github.com/compose-spec/compose-go/types/config.go
+++ b/vendor/github.com/compose-spec/compose-go/types/config.go
@@ -34,7 +34,7 @@ type ConfigDetails struct {
 	Version     string
 	WorkingDir  string
 	ConfigFiles []ConfigFile
-	Environment map[string]string
+	Environment Mapping
 }
 // LookupEnv provides a lookup function for environment variables
--- a/vendor/github.com/compose-spec/compose-go/types/project.go
+++ b/vendor/github.com/compose-spec/compose-go/types/project.go
@@ -24,10 +24,9 @@ import (
 	"path/filepath"
 	"sort"
 	"github.com/compose-spec/compose-go/utils"
 	"github.com/compose-spec/compose-go/dotenv"
-	"github.com/distribution/distribution/v3/reference"
+	"github.com/compose-spec/compose-go/utils"
 	"github.com/distribution/reference"
 	godigest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
@@ -44,6 +43,12 @@ type Project struct {
 	Secrets    Secrets    `yaml:"secrets,omitempty" json:"secrets,omitempty"`
 	Configs    Configs    `yaml:"configs,omitempty" json:"configs,omitempty"`
 	Extensions Extensions `yaml:"#extensions,inline" json:"-"` // https://github.com/golang/go/issues/6213
 	// IncludeReferences is keyed by Compose YAML filename and contains config for
 	// other Compose YAML files it directly triggered a load of via `include`.
 	//
 	// Note: this is
 	IncludeReferences map[string][]IncludeConfig `yaml:"-" json:"-"`
 	ComposeFiles      []string                   `yaml:"-" json:"-"`
 	Environment       Mapping                    `yaml:"-" json:"-"`
@@ -418,18 +423,36 @@ func (p *Project) ForServices(names []string, options ...DependencyOption) error
 		if _, ok := set[s.Name]; ok {
 			for _, option := range options {
 				if option == IgnoreDependencies {
-					s.DependsOn = nil
+					// remove all dependencies but those implied by explicitly selected services
 					dependencies := s.DependsOn
 					for d := range dependencies {
 						if _, ok := set[d]; !ok {
 							delete(dependencies, d)
 						}
 					}
 					s.DependsOn = dependencies
 				}
 			}
 			enabled = append(enabled, s)
 		} else {
-			p.DisabledServices = append(p.DisabledServices, s)
+			p.DisableService(s)
 		}
 	}
 	p.Services = enabled
 	return nil
 }
 func (p *Project) DisableService(service ServiceConfig) {
 	// We should remove all dependencies which reference the disabled service
 	for i, s := range p.Services {
 		if _, ok := s.DependsOn[service.Name]; ok {
 			delete(s.DependsOn, service.Name)
 			p.Services[i] = s
 		}
 	}
 	p.DisabledServices = append(p.DisabledServices, service)
 }
 // ResolveImages updates services images to include digest computed by a resolver function
 func (p *Project) ResolveImages(resolver func(named reference.Named) (godigest.Digest, error)) error {
 	eg := errgroup.Group{}
--- a/vendor/github.com/compose-spec/compose-go/types/types.go
+++ b/vendor/github.com/compose-spec/compose-go/types/types.go
@@ -491,6 +491,16 @@ func NewMapping(values []string) Mapping {
 	return mapping
 }
 // convert values into a set of KEY=VALUE strings
 func (m Mapping) Values() []string {
 	values := make([]string, 0, len(m))
 	for k, v := range m {
 		values = append(values, fmt.Sprintf("%s=%s", k, v))
 	}
 	sort.Strings(values)
 	return values
 }
 // ToMappingWithEquals converts Mapping into a MappingWithEquals with pointer references
 func (m Mapping) ToMappingWithEquals() MappingWithEquals {
 	mapping := MappingWithEquals{}
@@ -506,6 +516,24 @@ func (m Mapping) Resolve(s string) (string, bool) {
 	return v, ok
 }
 func (m Mapping) Clone() Mapping {
 	clone := Mapping{}
 	for k, v := range m {
 		clone[k] = v
 	}
 	return clone
 }
 // Merge adds all values from second mapping which are not already defined
 func (m Mapping) Merge(o Mapping) Mapping {
 	for k, v := range o {
 		if _, set := m[k]; !set {
 			m[k] = v
 		}
 	}
 	return m
 }
 // Labels is a mapping type for labels
 type Labels map[string]string
--- a/vendor/github.com/distribution/reference/.gitattributes
+++ b/vendor/github.com/distribution/reference/.gitattributes
@@ -0,0 +1 @@
 *.go text eol=lf
--- a/vendor/github.com/distribution/reference/.gitignore
+++ b/vendor/github.com/distribution/reference/.gitignore
@@ -0,0 +1,2 @@
 # Cover profiles
 *.out
--- a/vendor/github.com/distribution/reference/.golangci.yml
+++ b/vendor/github.com/distribution/reference/.golangci.yml
@@ -0,0 +1,18 @@
 linters:
  enable:
    - bodyclose
    - dupword # Checks for duplicate words in the source code
    - gofmt
    - goimports
    - ineffassign
    - misspell
    - revive
    - staticcheck
    - unconvert
    - unused
    - vet
  disable:
    - errcheck
 run:
  deadline: 2m
--- a/vendor/github.com/distribution/reference/CODE-OF-CONDUCT.md
+++ b/vendor/github.com/distribution/reference/CODE-OF-CONDUCT.md
@@ -0,0 +1,5 @@
 # Code of Conduct
 We follow the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
 Please contact the [CNCF Code of Conduct Committee](mailto:conduct@cncf.io) in order to report violations of the Code of Conduct.
--- a/vendor/github.com/distribution/reference/CONTRIBUTING.md
+++ b/vendor/github.com/distribution/reference/CONTRIBUTING.md
@@ -0,0 +1,114 @@
 # Contributing to the reference library
 ## Community help
 If you need help, please ask in the [#distribution](https://cloud-native.slack.com/archives/C01GVR8SY4R) channel on CNCF community slack.
 [Click here for an invite to the CNCF community slack](https://slack.cncf.io/)
 ## Reporting security issues
 The maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 Please **DO NOT** file a public issue, instead send your report privately to
 [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io).
 ## Reporting an issue properly
 By following these simple rules you will get better and faster feedback on your issue.
 - search the bugtracker for an already reported issue
 ### If you found an issue that describes your problem:
 - please read other user comments first, and confirm this is the same issue: a given error condition might be indicative of different problems - you may also find a workaround in the comments
 - please refrain from adding "same thing here" or "+1" comments
 - you don't need to comment on an issue to get notified of updates: just hit the "subscribe" button
 - comment if you have some new, technical and relevant information to add to the case
 - __DO NOT__ comment on closed issues or merged PRs. If you think you have a related problem, open up a new issue and reference the PR or issue.
 ### If you have not found an existing issue that describes your problem:
 1. create a new issue, with a succinct title that describes your issue:
   - bad title: "It doesn't work with my docker"
   - good title: "Private registry push fail: 400 error with E_INVALID_DIGEST"
 2. copy the output of (or similar for other container tools):
   - `docker version`
   - `docker info`
   - `docker exec <registry-container> registry --version`
 3. copy the command line you used to launch your Registry
 4. restart your docker daemon in debug mode (add `-D` to the daemon launch arguments)
 5. reproduce your problem and get your docker daemon logs showing the error
 6. if relevant, copy your registry logs that show the error
 7. provide any relevant detail about your specific Registry configuration (e.g., storage backend used)
 8. indicate if you are using an enterprise proxy, Nginx, or anything else between you and your Registry
 ## Contributing Code
 Contributions should be made via pull requests. Pull requests will be reviewed
 by one or more maintainers or reviewers and merged when acceptable.
 You should follow the basic GitHub workflow:
 1. Use your own [fork](https://help.github.com/en/articles/about-forks)
 2. Create your [change](https://github.com/containerd/project/blob/master/CONTRIBUTING.md#successful-changes)
 3. Test your code
 4. [Commit](https://github.com/containerd/project/blob/master/CONTRIBUTING.md#commit-messages) your work, always [sign your commits](https://github.com/containerd/project/blob/master/CONTRIBUTING.md#commit-messages)
 5. Push your change to your fork and create a [Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
 Refer to [containerd's contribution guide](https://github.com/containerd/project/blob/master/CONTRIBUTING.md#successful-changes)
 for tips on creating a successful contribution.
 ## Sign your work
 The sign-off is a simple line at the end of the explanation for the patch. Your
 signature certifies that you wrote the patch or otherwise have the right to pass
 it on as an open-source patch. The rules are pretty simple: if you can certify
 the below (from [developercertificate.org](http://developercertificate.org/)):
 ```
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 660 York Street, Suite 102,
 San Francisco, CA 94110 USA
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
 ```
 Then you just add a line to every git commit message:
    Signed-off-by: Joe Smith <joe.smith@email.com>
 Use your real name (sorry, no pseudonyms or anonymous contributions.)
 If you set your `user.name` and `user.email` git configs, you can sign your
 commit automatically with `git commit -s`.
--- a/vendor/github.com/distribution/reference/GOVERNANCE.md
+++ b/vendor/github.com/distribution/reference/GOVERNANCE.md
@@ -0,0 +1,144 @@
 # distribution/reference Project Governance
 Distribution [Code of Conduct](./CODE-OF-CONDUCT.md) can be found here.
 For specific guidance on practical contribution steps please
 see our [CONTRIBUTING.md](./CONTRIBUTING.md) guide.
 ## Maintainership
 There are different types of maintainers, with different responsibilities, but
 all maintainers have 3 things in common:
 1) They share responsibility in the project's success.
 2) They have made a long-term, recurring time investment to improve the project.
 3) They spend that time doing whatever needs to be done, not necessarily what
 is the most interesting or fun.
 Maintainers are often under-appreciated, because their work is harder to appreciate.
 It's easy to appreciate a really cool and technically advanced feature. It's harder
 to appreciate the absence of bugs, the slow but steady improvement in stability,
 or the reliability of a release process. But those things distinguish a good
 project from a great one.
 ## Reviewers
 A reviewer is a core role within the project.
 They share in reviewing issues and pull requests and their LGTM counts towards the
 required LGTM count to merge a code change into the project.
 Reviewers are part of the organization but do not have write access.
 Becoming a reviewer is a core aspect in the journey to becoming a maintainer.
 ## Adding maintainers
 Maintainers are first and foremost contributors that have shown they are
 committed to the long term success of a project. Contributors wanting to become
 maintainers are expected to be deeply involved in contributing code, pull
 request review, and triage of issues in the project for more than three months.
 Just contributing does not make you a maintainer, it is about building trust
 with the current maintainers of the project and being a person that they can
 depend on and trust to make decisions in the best interest of the project.
 Periodically, the existing maintainers curate a list of contributors that have
 shown regular activity on the project over the prior months. From this list,
 maintainer candidates are selected and proposed in a pull request or a
 maintainers communication channel.
 After a candidate has been announced to the maintainers, the existing
 maintainers are given five business days to discuss the candidate, raise
 objections and cast their vote. Votes may take place on the communication
 channel or via pull request comment. Candidates must be approved by at least 66%
 of the current maintainers by adding their vote on the mailing list. The
 reviewer role has the same process but only requires 33% of current maintainers.
 Only maintainers of the repository that the candidate is proposed for are
 allowed to vote.
 If a candidate is approved, a maintainer will contact the candidate to invite
 the candidate to open a pull request that adds the contributor to the
 MAINTAINERS file. The voting process may take place inside a pull request if a
 maintainer has already discussed the candidacy with the candidate and a
 maintainer is willing to be a sponsor by opening the pull request. The candidate
 becomes a maintainer once the pull request is merged.
 ## Stepping down policy
 Life priorities, interests, and passions can change. If you're a maintainer but
 feel you must remove yourself from the list, inform other maintainers that you
 intend to step down, and if possible, help find someone to pick up your work.
 At the very least, ensure your work can be continued where you left off.
 After you've informed other maintainers, create a pull request to remove
 yourself from the MAINTAINERS file.
 ## Removal of inactive maintainers
 Similar to the procedure for adding new maintainers, existing maintainers can
 be removed from the list if they do not show significant activity on the
 project. Periodically, the maintainers review the list of maintainers and their
 activity over the last three months.
 If a maintainer has shown insufficient activity over this period, a neutral
 person will contact the maintainer to ask if they want to continue being
 a maintainer. If the maintainer decides to step down as a maintainer, they
 open a pull request to be removed from the MAINTAINERS file.
 If the maintainer wants to remain a maintainer, but is unable to perform the
 required duties they can be removed with a vote of at least 66% of the current
 maintainers. In this case, maintainers should first propose the change to
 maintainers via the maintainers communication channel, then open a pull request
 for voting. The voting period is five business days. The voting pull request
 should not come as a surpise to any maintainer and any discussion related to
 performance must not be discussed on the pull request.
 ## How are decisions made?
 Docker distribution is an open-source project with an open design philosophy.
 This means that the repository is the source of truth for EVERY aspect of the
 project, including its philosophy, design, road map, and APIs. *If it's part of
 the project, it's in the repo. If it's in the repo, it's part of the project.*
 As a result, all decisions can be expressed as changes to the repository. An
 implementation change is a change to the source code. An API change is a change
 to the API specification. A philosophy change is a change to the philosophy
 manifesto, and so on.
 All decisions affecting distribution, big and small, follow the same 3 steps:
 * Step 1: Open a pull request. Anyone can do this.
 * Step 2: Discuss the pull request. Anyone can do this.
 * Step 3: Merge or refuse the pull request. Who does this depends on the nature
 of the pull request and which areas of the project it affects.
 ## Helping contributors with the DCO
 The [DCO or `Sign your work`](./CONTRIBUTING.md#sign-your-work)
 requirement is not intended as a roadblock or speed bump.
 Some contributors are not as familiar with `git`, or have used a web
 based editor, and thus asking them to `git commit --amend -s` is not the best
 way forward.
 In this case, maintainers can update the commits based on clause (c) of the DCO.
 The most trivial way for a contributor to allow the maintainer to do this, is to
 add a DCO signature in a pull requests's comment, or a maintainer can simply
 note that the change is sufficiently trivial that it does not substantially
 change the existing contribution - i.e., a spelling change.
 When you add someone's DCO, please also add your own to keep a log.
 ## I'm a maintainer. Should I make pull requests too?
 Yes. Nobody should ever push to master directly. All changes should be
 made through a pull request.
 ## Conflict Resolution
 If you have a technical dispute that you feel has reached an impasse with a
 subset of the community, any contributor may open an issue, specifically
 calling for a resolution vote of the current core maintainers to resolve the
 dispute. The same voting quorums required (2/3) for adding and removing
 maintainers will apply to conflict resolution.
--- a/vendor/github.com/distribution/distribution/v3/LICENSE
+++ b/vendor/github.com/distribution/distribution/v3/LICENSE
--- a/vendor/github.com/distribution/reference/MAINTAINERS
+++ b/vendor/github.com/distribution/reference/MAINTAINERS
@@ -0,0 +1,26 @@
 # Distribution project maintainers & reviewers
 #
 # See GOVERNANCE.md for maintainer versus reviewer roles
 #
 # MAINTAINERS (cncf-distribution-maintainers@lists.cncf.io)
 # GitHub ID, Name, Email address
 "chrispat","Chris Patterson","chrispat@github.com"
 "clarkbw","Bryan Clark","clarkbw@github.com"
 "corhere","Cory Snider","csnider@mirantis.com"
 "deleteriousEffect","Hayley Swimelar","hswimelar@gitlab.com"
 "heww","He Weiwei","hweiwei@vmware.com"
 "joaodrp","João Pereira","jpereira@gitlab.com"
 "justincormack","Justin Cormack","justin.cormack@docker.com"
 "squizzi","Kyle Squizzato","ksquizzato@mirantis.com"
 "milosgajdos","Milos Gajdos","milosthegajdos@gmail.com"
 "sargun","Sargun Dhillon","sargun@sargun.me"
 "wy65701436","Wang Yan","wangyan@vmware.com"
 "stevelasker","Steve Lasker","steve.lasker@microsoft.com"
 #
 # REVIEWERS
 # GitHub ID, Name, Email address
 "dmcgowan","Derek McGowan","derek@mcgstyle.net"
 "stevvooe","Stephen Day","stevvooe@gmail.com"
 "thajeztah","Sebastiaan van Stijn","github@gone.nl"
 "DavidSpek", "David van der Spek", "vanderspek.david@gmail.com"
 "Jamstah", "James Hewitt", "james.hewitt@gmail.com"
--- a/vendor/github.com/distribution/reference/Makefile
+++ b/vendor/github.com/distribution/reference/Makefile
@@ -0,0 +1,25 @@
 # Project packages.
 PACKAGES=$(shell go list ./...)
 # Flags passed to `go test`
 BUILDFLAGS ?= 
 TESTFLAGS ?= 
 .PHONY: all build test coverage
 .DEFAULT: all
 all: build
 build: ## no binaries to build, so just check compilation suceeds
 	go build ${BUILDFLAGS} ./...
 test: ## run tests
 	go test ${TESTFLAGS} ./...
 coverage: ## generate coverprofiles from the unit tests
 	rm -f coverage.txt
 	go test ${TESTFLAGS} -cover -coverprofile=cover.out ./...
 .PHONY: help
 help:
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m\033[0m\n"} /^[a-zA-Z_\/%-]+:.*?##/ { printf "  \033[36m%-27s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
--- a/vendor/github.com/distribution/reference/README.md
+++ b/vendor/github.com/distribution/reference/README.md
@@ -0,0 +1,30 @@
 # Distribution reference
 Go library to handle references to container images.
 <img src="/distribution-logo.svg" width="200px" />
 [![Build Status](https://github.com/distribution/reference/actions/workflows/test.yml/badge.svg?branch=main&event=push)](https://github.com/distribution/reference/actions?query=workflow%3ACI)
 [![GoDoc](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/distribution/reference)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)
 [![codecov](https://codecov.io/gh/distribution/reference/branch/main/graph/badge.svg)](https://codecov.io/gh/distribution/reference)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Freference.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Freference?ref=badge_shield)
 This repository contains a library for handling refrences to container images held in container registries. Please see [godoc](https://pkg.go.dev/github.com/distribution/reference) for details.
 ## Contribution
 Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to contribute
 issues, fixes, and patches to this project.
 ## Communication
 For async communication and long running discussions please use issues and pull requests on the github repo.
 This will be the best place to discuss design and implementation.
 For sync communication we have a #distribution channel in the [CNCF Slack](https://slack.cncf.io/)
 that everyone is welcome to join and chat about development.
 ## Licenses
 The distribution codebase is released under the [Apache 2.0 license](LICENSE).
--- a/vendor/github.com/distribution/reference/SECURITY.md
+++ b/vendor/github.com/distribution/reference/SECURITY.md
@@ -0,0 +1,7 @@
 # Security Policy
 ## Reporting a Vulnerability
 The maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!
 Please DO NOT file a public issue, instead send your report privately to cncf-distribution-security@lists.cncf.io.
--- a/vendor/github.com/distribution/reference/distribution-logo.svg
+++ b/vendor/github.com/distribution/reference/distribution-logo.svg
--- a/vendor/github.com/distribution/distribution/v3/reference/helpers.go
+++ b/vendor/github.com/distribution/distribution/v3/reference/helpers.go
--- a/vendor/github.com/distribution/distribution/v3/reference/normalize.go
+++ b/vendor/github.com/distribution/distribution/v3/reference/normalize.go
@@ -140,7 +140,7 @@ func splitDockerDomain(name string) (domain, remainder string) {
 }
 // familiarizeName returns a shortened version of the name familiar
-// to to the Docker UI. Familiar names have the default domain
+// to the Docker UI. Familiar names have the default domain
 // "docker.io" and "library/" repository prefix removed.
 // For example, "docker.io/library/redis" will have the familiar
 // name "redis" and "docker.io/dmcgowan/myapp" will be "dmcgowan/myapp".
--- a/vendor/github.com/distribution/distribution/v3/reference/reference.go
+++ b/vendor/github.com/distribution/distribution/v3/reference/reference.go
--- a/vendor/github.com/distribution/distribution/v3/reference/regexp.go
+++ b/vendor/github.com/distribution/distribution/v3/reference/regexp.go
--- a/vendor/github.com/distribution/distribution/v3/reference/sort.go
+++ b/vendor/github.com/distribution/distribution/v3/reference/sort.go
--- a/vendor/github.com/theupdateframework/notary/.gitignore
+++ b/vendor/github.com/theupdateframework/notary/.gitignore
@@ -14,3 +14,4 @@ cross
 *.iml
 *.test
 coverage*.txt
 gosec_output.csv
--- a/vendor/github.com/theupdateframework/notary/CHANGELOG.md
+++ b/vendor/github.com/theupdateframework/notary/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 ## [v0.7.0](https://github.com/docker/notary/releases/tag/v0.7.0) 12/01/2021
 + Switch to Go modules [#1523](https://github.com/theupdateframework/notary/pull/1523)
 + Use golang/x/crypto for ed25519 [#1344](https://github.com/theupdateframework/notary/pull/1344)
 + Update Go version
 + Update dependency versions
 + Fixes from using Gosec for source analysis
 ## [v0.6.1](https://github.com/docker/notary/releases/tag/v0.6.0) 04/10/2018
 + Fixed bug where CLI requested admin privileges for all metadata operations, including listing targets on a repo [#1315](https://github.com/theupdateframework/notary/pull/1315)
 + Prevented notary signer from being dumpable or ptraceable in Linux, except in debug mode [#1327](https://github.com/theupdateframework/notary/pull/1327)
--- a/vendor/github.com/theupdateframework/notary/CODE_OF_CONDUCT.md
+++ b/vendor/github.com/theupdateframework/notary/CODE_OF_CONDUCT.md
@@ -0,0 +1,43 @@
 ## CNCF Community Code of Conduct v1.0
 ### Contributor Code of Conduct
 As contributors and maintainers of this project, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
 through reporting issues, posting feature requests, updating documentation,
 submitting pull requests or patches, and other activities.
 We are committed to making participation in this project a harassment-free experience for
 everyone, regardless of level of experience, gender, gender identity and expression,
 sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
 religion, or nationality.
 Examples of unacceptable behavior by participants include:
 * The use of sexualized language or imagery
 * Personal attacks
 * Trolling or insulting/derogatory comments
 * Public or private harassment
 * Publishing other's private information, such as physical or electronic addresses,
 without explicit permission
 * Other unethical or unprofessional conduct.
 Project maintainers have the right and responsibility to remove, edit, or reject
 comments, commits, code, wiki edits, issues, and other contributions that are not
 aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
 commit themselves to fairly and consistently applying these principles to every aspect
 of managing this project. Project maintainers who do not follow or enforce the Code of
 Conduct may be permanently removed from the project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
 This Code of Conduct is adapted from the Contributor Covenant
 (https://contributor-covenant.org), version 1.2.0, available at
 https://contributor-covenant.org/version/1/2/0/
 ### CNCF Events Code of Conduct
 CNCF events are governed by the Linux Foundation [Code of Conduct](https://events.linuxfoundation.org/events/cloudnativecon/attend/code-of-conduct) available on the event page. This is designed to be compatible with the above policy and also includes more details on responding to incidents.
--- a/vendor/github.com/theupdateframework/notary/Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/Dockerfile
@@ -1,9 +1,8 @@
-FROM golang:1.10.1
+FROM golang:1.14.1
 RUN apt-get update && apt-get install -y \
 	curl \
 	clang \
 	libltdl-dev \
 	libsqlite3-dev \
 	patch \
 	tar \
@@ -16,11 +15,13 @@ RUN apt-get update && apt-get install -y \
 RUN useradd -ms /bin/bash notary \
 	&& pip install codecov \
-	&& go get github.com/golang/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/HewlettPackard/gas
+	&& go get golang.org/x/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/securego/gosec/cmd/gosec/...
 ENV NOTARYDIR /go/src/github.com/theupdateframework/notary
 COPY . ${NOTARYDIR}
 RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/*
 ENV GO111MODULE=on
 WORKDIR ${NOTARYDIR}
--- a/vendor/github.com/theupdateframework/notary/MAINTAINERS
+++ b/vendor/github.com/theupdateframework/notary/MAINTAINERS
@@ -16,6 +16,7 @@
 			"endophage",
 			"ecordell",
 			"hukeping",
 			"justincormack",
 			"nathanmccauley",
 			"riyazdf",
 		]
@@ -53,6 +54,11 @@
 	Email = "hukeping@huawei.com"
 	GitHub = "hukeping"
 	[people.justincormack]
 	Name = "Justin Cormack"
 	Email = "justin.cormack@docker.com"
 	GitHub = "justincormack"
 	[people.nathanmccauley]
 	Name = "Nathan McCauley"
 	Email = "nathan.mccauley@docker.com"
--- a/vendor/github.com/theupdateframework/notary/Makefile
+++ b/vendor/github.com/theupdateframework/notary/Makefile
@@ -1,6 +1,8 @@
 # Set an output prefix, which is the local directory if not specified
 PREFIX?=$(shell pwd)
 GOFLAGS := -mod=vendor
 # Populate version variables
 # Add to compile time flags
 NOTARY_PKG := github.com/theupdateframework/notary
@@ -17,14 +19,6 @@ GOOSES = darwin linux windows
 NOTARY_BUILDTAGS ?= pkcs11
 NOTARYDIR := /go/src/github.com/theupdateframework/notary
 GO_VERSION := $(shell go version | grep "1\.\(7\|8\|9\|10\)\(\.[0-9]+\)*\|devel")
 # check to make sure we have the right version. development versions of Go are
 # not officially supported, but allowed for building
 ifeq ($(strip $(GO_VERSION))$(SKIPENVCHECK),)
 $(error Bad Go version - please install Go >= 1.7)
 endif
 # check to be sure pkcs11 lib is always imported with a build tag
 GO_LIST_PKCS11 := $(shell go list -tags "${NOTARY_BUILDTAGS}" -e -f '{{join .Deps "\n"}}' ./... | grep -v /vendor/ | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)
 ifeq ($(GO_LIST_PKCS11),)
@@ -104,7 +98,7 @@ ifeq ($(shell uname -s), Darwin)
 else
 	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v vendor | xargs -r echo "This file should end with '_test':"  | tee /dev/stderr)"
 endif
-	@test -z "$$(go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)"
+	@test -z "$$(go vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)"
 	# gocyclo - we require cyclomatic complexity to be < 16
 	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec gocyclo -over 15 {} \; | tee /dev/stderr)"
 	# misspell - requires that the following be run first:
@@ -113,9 +107,10 @@ endif
 	# ineffassign - requires that the following be run first:
 	#    go get -u github.com/gordonklaus/ineffassign
 	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec ineffassign {} \; | tee /dev/stderr)"
-	# gas - requires that the following be run first:
+	# gosec - requires that the following be run first:
-	#    go get -u github.com/HewlettPackard/gas
+	#    go get -u github.com/securego/gosec/cmd/gosec/...
-	# @gas -skip=vendor -skip=*/*_test.go -skip=*/*/*_test.go -fmt=csv -out=gas_output.csv ./... && test -z "$$(cat gas_output.csv | tee /dev/stderr)"
+	@rm -f gosec_output.csv
 	@gosec -fmt=csv -out=gosec_output.csv -exclude=G104,G304 ./... || (cat gosec_output.csv >&2; exit 1)
 build:
 	@echo "+ $@"
@@ -148,7 +143,7 @@ protos:
 # be run first
 gen-cover:
 gen-cover:
-	@python -u buildscripts/covertest.py --tags "$(NOTARY_BUILDTAGS)" --pkgs="$(PKGS)" --testopts="${TESTOPTS}" --debug
+	@python -u buildscripts/covertest.py --tags "$(NOTARY_BUILDTAGS)" --pkgs="$(PKGS)" --testopts="${TESTOPTS}"
 # Generates the cover binaries and runs them all in serial, so this can be used
 # run all tests with a yubikey without any problems
--- a/vendor/github.com/theupdateframework/notary/README.md
+++ b/vendor/github.com/theupdateframework/notary/README.md
@@ -21,7 +21,7 @@ for more information.
 Notary aims to make the internet more secure by making it easy for people to
 publish and verify content. We often rely on TLS to secure our communications
-with a web server which is inherently flawed, as any compromise of the server
+with a web server, which is inherently flawed, as any compromise of the server
 enables malicious content to be substituted for the legitimate content.
 With Notary, publishers can sign their content offline using keys kept highly
@@ -46,11 +46,16 @@ Notary is based on [The Update Framework](https://www.theupdateframework.com/),
 ## Security
 Any security vulnerabilities can be reported to security@docker.com.
 See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
-Notary's last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
+### Security Audits
-Any security vulnerabilities can be reported to security@docker.com.
+Notary has had two public security audits:
 * [August 7, 2018 by Cure53](docs/resources/cure53_tuf_notary_audit_2018_08_07.pdf) covering TUF and Notary
 * [July 31, 2015 by NCC](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf) covering Notary
 # Getting started with the Notary CLI
@@ -65,7 +70,7 @@ For more advanced usage, see the
 To use the CLI against a local Notary server rather than against Docker Hub:
-1. Ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
+1. Ensure that you have [docker and docker-compose](https://docs.docker.com/compose/install/) installed.
 1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path,
    start up a local Notary server and signer and copy the config file and testing certs to your
    local Notary config directory:
@@ -88,6 +93,20 @@ URL is specified already in the configuration, file you copied.
 You can also leave off the `-d ~/.docker/trust` argument if you do not care
 to use `notary` with Docker images.
 ## Upgrading dependencies
 To prevent mistakes in vendoring the go modules a buildscript has been added to properly vendor the modules using the correct version of Go to mitigate differences in CI and development environment.
 Following procedure should be executed to upgrade a dependency. Preferably keep dependency upgrades in a separate commit from your code changes.
 ```bash
 go get -u github.com/spf13/viper
 buildscripts/circle-validate-vendor.sh
 git add .
 git commit -m "Upgraded github.com/spf13/viper"
 ```
 The `buildscripts/circle-validate-vendor.sh` runs `go mod tidy` and `go mod vendor` using the given version of Go to prevent differences if you are for example running on a different version of Go.
 ## Building Notary
@@ -97,25 +116,20 @@ branch and contains features for the next release.
 Prerequisites:
- Go >= 1.7.1
+* Go >= 1.12
    - Fedora: `dnf install golang`
 - libtool development headers installed
    - Ubuntu: `apt-get install libltdl-dev`
    - CentOS/RedHat: `yum install libtool-ltdl-devel`
    - Fedora: `dnf install libtool-ltdl-devel`
    - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool`
 Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run:
 ```bash
 $ export GO111MODULE=on
 $ go get github.com/theupdateframework/notary
-# build with pcks11 support by default to support yubikey
+# build with pkcs11 support by default to support yubikey
 $ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary
 $ notary
 ```
 To build the server and signer, run `docker-compose build`.
 ## License
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large)
--- a/vendor/github.com/theupdateframework/notary/ROADMAP.md
+++ b/vendor/github.com/theupdateframework/notary/ROADMAP.md
@@ -1,7 +0,0 @@
 # Roadmap
 The Trust project consists of a number of moving parts of which Notary Server is one. Notary Server is the front line metadata service
 that clients interact with. It manages TUF metadata and interacts with a pluggable signing service to issue new TUF timestamp
 files.
 The Notary-signer is provided as our reference implementation of a signing service. It supports HSMs along with Ed25519 software signing.
--- a/vendor/github.com/theupdateframework/notary/circle.yml
+++ b/vendor/github.com/theupdateframework/notary/circle.yml
@@ -1,23 +0,0 @@
 machine:
  pre:
  # Upgrade docker
    - curl -sSL https://s3.amazonaws.com/circle-downloads/install-circleci-docker.sh | bash -s -- 1.10.0
  # upgrade compose
    - sudo pip install --upgrade docker-compose
  services:
    - docker
 dependencies:
  override:
    - docker build -t notary_client .
 test:
  override:
  # circleci only supports manual parellism
    - buildscripts/circle_parallelism.sh:
        parallel: true
        timeout: 600
  post:
    - docker-compose -f docker-compose.yml down -v
    - docker-compose -f docker-compose.rethink.yml down -v
--- a/vendor/github.com/theupdateframework/notary/client/changelist/file_changelist.go
+++ b/vendor/github.com/theupdateframework/notary/client/changelist/file_changelist.go
@@ -35,7 +35,10 @@ func getFileNames(dirName string) ([]os.FileInfo, error) {
 	if err != nil {
 		return fileInfos, err
 	}
-	defer dir.Close()
+	defer func() {
 		_ = dir.Close()
 	}()
 	dirListing, err = dir.Readdir(0)
 	if err != nil {
 		return fileInfos, err
@@ -89,7 +92,7 @@ func (cl FileChangelist) Add(c Change) error {
 		return err
 	}
 	filename := fmt.Sprintf("%020d_%s.change", time.Now().UnixNano(), uuid.Generate())
-	return ioutil.WriteFile(filepath.Join(cl.dir, filename), cJSON, 0644)
+	return ioutil.WriteFile(filepath.Join(cl.dir, filename), cJSON, 0600)
 }
 // Remove deletes the changes found at the given indices
@@ -120,7 +123,10 @@ func (cl FileChangelist) Clear(archive string) error {
 	if err != nil {
 		return err
 	}
-	defer dir.Close()
+	defer func() {
 		_ = dir.Close()
 	}()
 	files, err := dir.Readdir(0)
 	if err != nil {
 		return err
--- a/vendor/github.com/theupdateframework/notary/client/changelist/interface.go
+++ b/vendor/github.com/theupdateframework/notary/client/changelist/interface.go
@@ -20,7 +20,7 @@ type Changelist interface {
 	// Remove deletes the changes corresponding with the indices given
 	Remove(idxs []int) error
-	// Close syncronizes any pending writes to the underlying
+	// Close synchronizes any pending writes to the underlying
 	// storage and closes the file/connection
 	Close() error
--- a/vendor/github.com/theupdateframework/notary/client/client.go
+++ b/vendor/github.com/theupdateframework/notary/client/client.go
@@ -7,10 +7,8 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
 	"time"
 	canonicaljson "github.com/docker/go/canonical/json"
@@ -39,7 +37,6 @@ func init() {
 // repository stores all the information needed to operate on a notary repository.
 type repository struct {
 	baseDir        string
 	gun            data.GUN
 	baseURL        string
 	changelist     changelist.Changelist
@@ -56,7 +53,8 @@ type repository struct {
 // NewFileCachedRepository is a wrapper for NewRepository that initializes
 // a file cache from the provided repository, local config information and a crypto service.
 // It also retrieves the remote store associated to the base directory under where all the
-// trust files will be stored and the specified GUN.
+// trust files will be stored (This is normally defaults to "~/.notary" or "~/.docker/trust"
 // when enabling Docker content trust) and the specified GUN.
 //
 // In case of a nil RoundTripper, a default offline store is used instead.
 func NewFileCachedRepository(baseDir string, gun data.GUN, baseURL string, rt http.RoundTripper,
@@ -90,16 +88,13 @@ func NewFileCachedRepository(baseDir string, gun data.GUN, baseURL string, rt ht
 		return nil, err
 	}
-	return NewRepository(baseDir, gun, baseURL, remoteStore, cache, trustPinning, cryptoService, cl)
+	return NewRepository(gun, baseURL, remoteStore, cache, trustPinning, cryptoService, cl)
 }
 // NewRepository is the base method that returns a new notary repository.
 // It takes the base directory under where all the trust files will be stored
 // (This is normally defaults to "~/.notary" or "~/.docker/trust" when enabling
 // docker content trust).
 // It expects an initialized cache. In case of a nil remote store, a default
 // offline store is used.
-func NewRepository(baseDir string, gun data.GUN, baseURL string, remoteStore store.RemoteStore, cache store.MetadataStore,
+func NewRepository(gun data.GUN, baseURL string, remoteStore store.RemoteStore, cache store.MetadataStore,
 	trustPinning trustpinning.TrustPinConfig, cryptoService signed.CryptoService, cl changelist.Changelist) (Repository, error) {
 	// Repo's remote store is either a valid remote store or an OfflineStore
@@ -114,7 +109,6 @@ func NewRepository(baseDir string, gun data.GUN, baseURL string, remoteStore sto
 	nRepo := &repository{
 		gun:            gun,
 		baseURL:        baseURL,
 		baseDir:        baseDir,
 		changelist:     cl,
 		cache:          cache,
 		remoteStore:    remoteStore,
@@ -131,20 +125,62 @@ func (r *repository) GetGUN() data.GUN {
 	return r.gun
 }
-// Target represents a simplified version of the data TUF operates on, so external
+func (r *repository) updateTUF(forWrite bool) error {
-// applications don't have to depend on TUF data types.
+	repo, invalid, err := LoadTUFRepo(TUFLoadOptions{
-type Target struct {
+		GUN:                    r.gun,
-	Name   string                    // the name of the target
+		TrustPinning:           r.trustPinning,
-	Hashes data.Hashes               // the hash of the target
+		CryptoService:          r.cryptoService,
-	Length int64                     // the size in bytes of the target
+		Cache:                  r.cache,
-	Custom *canonicaljson.RawMessage // the custom data provided to describe the file at TARGETPATH
+		RemoteStore:            r.remoteStore,
 		AlwaysCheckInitialized: forWrite,
 	})
 	if err != nil {
 		return err
 	}
 	r.tufRepo = repo
 	r.invalid = invalid
 	return nil
 }
-// TargetWithRole represents a Target that exists in a particular role - this is
+// ListTargets calls update first before listing targets
-// produced by ListTargets and GetTargetByName
+func (r *repository) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
-type TargetWithRole struct {
+	if err := r.updateTUF(false); err != nil {
-	Target
+		return nil, err
-	Role data.RoleName
+	}
 	return NewReadOnly(r.tufRepo).ListTargets(roles...)
 }
 // GetTargetByName calls update first before getting target by name
 func (r *repository) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
 	if err := r.updateTUF(false); err != nil {
 		return nil, err
 	}
 	return NewReadOnly(r.tufRepo).GetTargetByName(name, roles...)
 }
 // GetAllTargetMetadataByName calls update first before getting targets by name
 func (r *repository) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
 	if err := r.updateTUF(false); err != nil {
 		return nil, err
 	}
 	return NewReadOnly(r.tufRepo).GetAllTargetMetadataByName(name)
 }
 // ListRoles calls update first before getting roles
 func (r *repository) ListRoles() ([]RoleWithSignatures, error) {
 	if err := r.updateTUF(false); err != nil {
 		return nil, err
 	}
 	return NewReadOnly(r.tufRepo).ListRoles()
 }
 // GetDelegationRoles calls update first before getting all delegation roles
 func (r *repository) GetDelegationRoles() ([]data.Role, error) {
 	if err := r.updateTUF(false); err != nil {
 		return nil, err
 	}
 	return NewReadOnly(r.tufRepo).GetDelegationRoles()
 }
 // NewTarget is a helper method that returns a Target
@@ -493,167 +529,6 @@ func (r *repository) RemoveTarget(targetName string, roles ...data.RoleName) err
 	return addChange(r.changelist, template, roles...)
 }
 // ListTargets lists all targets for the current repository. The list of
 // roles should be passed in order from highest to lowest priority.
 //
 // IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
 // "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
 // its entries will be strictly shadowed by those in other parts of the "targets/a"
 // subtree and also the "targets/x" subtree, as we will defer parsing it until
 // we explicitly reach it in our iteration of the provided list of roles.
 func (r *repository) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
 	if err := r.Update(false); err != nil {
 		return nil, err
 	}
 	if len(roles) == 0 {
 		roles = []data.RoleName{data.CanonicalTargetsRole}
 	}
 	targets := make(map[string]*TargetWithRole)
 	for _, role := range roles {
 		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
 		skipRoles := utils.RoleNameSliceRemove(roles, role)
 		// Define a visitor function to populate the targets map in priority order
 		listVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 			// We found targets so we should try to add them to our targets map
 			for targetName, targetMeta := range tgt.Signed.Targets {
 				// Follow the priority by not overriding previously set targets
 				// and check that this path is valid with this role
 				if _, ok := targets[targetName]; ok || !validRole.CheckPaths(targetName) {
 					continue
 				}
 				targets[targetName] = &TargetWithRole{
 					Target: Target{
 						Name:   targetName,
 						Hashes: targetMeta.Hashes,
 						Length: targetMeta.Length,
 						Custom: targetMeta.Custom,
 					},
 					Role: validRole.Name,
 				}
 			}
 			return nil
 		}
 		r.tufRepo.WalkTargets("", role, listVisitorFunc, skipRoles...)
 	}
 	var targetList []*TargetWithRole
 	for _, v := range targets {
 		targetList = append(targetList, v)
 	}
 	return targetList, nil
 }
 // GetTargetByName returns a target by the given name. If no roles are passed
 // it uses the targets role and does a search of the entire delegation
 // graph, finding the first entry in a breadth first search of the delegations.
 // If roles are passed, they should be passed in descending priority and
 // the target entry found in the subtree of the highest priority role
 // will be returned.
 // See the IMPORTANT section on ListTargets above. Those roles also apply here.
 func (r *repository) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
 	if err := r.Update(false); err != nil {
 		return nil, err
 	}
 	if len(roles) == 0 {
 		roles = append(roles, data.CanonicalTargetsRole)
 	}
 	var resultMeta data.FileMeta
 	var resultRoleName data.RoleName
 	var foundTarget bool
 	for _, role := range roles {
 		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
 		skipRoles := utils.RoleNameSliceRemove(roles, role)
 		// Define a visitor function to find the specified target
 		getTargetVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 			if tgt == nil {
 				return nil
 			}
 			// We found the target and validated path compatibility in our walk,
 			// so we should stop our walk and set the resultMeta and resultRoleName variables
 			if resultMeta, foundTarget = tgt.Signed.Targets[name]; foundTarget {
 				resultRoleName = validRole.Name
 				return tuf.StopWalk{}
 			}
 			return nil
 		}
 		// Check that we didn't error, and that we assigned to our target
 		if err := r.tufRepo.WalkTargets(name, role, getTargetVisitorFunc, skipRoles...); err == nil && foundTarget {
 			return &TargetWithRole{Target: Target{Name: name, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom}, Role: resultRoleName}, nil
 		}
 	}
 	return nil, ErrNoSuchTarget(name)
 }
 // TargetSignedStruct is a struct that contains a Target, the role it was found in, and the list of signatures for that role
 type TargetSignedStruct struct {
 	Role       data.DelegationRole
 	Target     Target
 	Signatures []data.Signature
 }
 //ErrNoSuchTarget is returned when no valid trust data is found.
 type ErrNoSuchTarget string
 func (f ErrNoSuchTarget) Error() string {
 	return fmt.Sprintf("No valid trust data for %s", string(f))
 }
 // GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
 // roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
 // If given an empty string for a target name, it will return back all targets signed into the repository in every role
 func (r *repository) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
 	if err := r.Update(false); err != nil {
 		return nil, err
 	}
 	var targetInfoList []TargetSignedStruct
 	// Define a visitor function to find the specified target
 	getAllTargetInfoByNameVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 		if tgt == nil {
 			return nil
 		}
 		// We found a target and validated path compatibility in our walk,
 		// so add it to our list if we have a match
 		// if we have an empty name, add all targets, else check if we have it
 		var targetMetaToAdd data.Files
 		if name == "" {
 			targetMetaToAdd = tgt.Signed.Targets
 		} else {
 			if meta, ok := tgt.Signed.Targets[name]; ok {
 				targetMetaToAdd = data.Files{name: meta}
 			}
 		}
 		for targetName, resultMeta := range targetMetaToAdd {
 			targetInfo := TargetSignedStruct{
 				Role:       validRole,
 				Target:     Target{Name: targetName, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom},
 				Signatures: tgt.Signatures,
 			}
 			targetInfoList = append(targetInfoList, targetInfo)
 		}
 		// continue walking to all child roles
 		return nil
 	}
 	// Check that we didn't error, and that we found the target at least once
 	if err := r.tufRepo.WalkTargets(name, "", getAllTargetInfoByNameVisitorFunc); err != nil {
 		return nil, err
 	}
 	if len(targetInfoList) == 0 {
 		return nil, ErrNoSuchTarget(name)
 	}
 	return targetInfoList, nil
 }
 // GetChangelist returns the list of the repository's unpublished changes
 func (r *repository) GetChangelist() (changelist.Changelist, error) {
 	return r.changelist, nil
@@ -671,51 +546,6 @@ func (r *repository) getRemoteStore() store.RemoteStore {
 	return r.remoteStore
 }
 // RoleWithSignatures is a Role with its associated signatures
 type RoleWithSignatures struct {
 	Signatures []data.Signature
 	data.Role
 }
 // ListRoles returns a list of RoleWithSignatures objects for this repo
 // This represents the latest metadata for each role in this repo
 func (r *repository) ListRoles() ([]RoleWithSignatures, error) {
 	// Update to latest repo state
 	if err := r.Update(false); err != nil {
 		return nil, err
 	}
 	// Get all role info from our updated keysDB, can be empty
 	roles := r.tufRepo.GetAllLoadedRoles()
 	var roleWithSigs []RoleWithSignatures
 	// Populate RoleWithSignatures with Role from keysDB and signatures from TUF metadata
 	for _, role := range roles {
 		roleWithSig := RoleWithSignatures{Role: *role, Signatures: nil}
 		switch role.Name {
 		case data.CanonicalRootRole:
 			roleWithSig.Signatures = r.tufRepo.Root.Signatures
 		case data.CanonicalTargetsRole:
 			roleWithSig.Signatures = r.tufRepo.Targets[data.CanonicalTargetsRole].Signatures
 		case data.CanonicalSnapshotRole:
 			roleWithSig.Signatures = r.tufRepo.Snapshot.Signatures
 		case data.CanonicalTimestampRole:
 			roleWithSig.Signatures = r.tufRepo.Timestamp.Signatures
 		default:
 			if !data.IsDelegation(role.Name) {
 				continue
 			}
 			if _, ok := r.tufRepo.Targets[role.Name]; ok {
 				// We'll only find a signature if we've published any targets with this delegation
 				roleWithSig.Signatures = r.tufRepo.Targets[role.Name].Signatures
 			}
 		}
 		roleWithSigs = append(roleWithSigs, roleWithSig)
 	}
 	return roleWithSigs, nil
 }
 // Publish pushes the local changes in signed material to the remote notary-server
 // Conceptually it performs an operation similar to a `git rebase`
 func (r *repository) Publish() error {
@@ -736,7 +566,7 @@ func (r *repository) Publish() error {
 func (r *repository) publish(cl changelist.Changelist) error {
 	var initialPublish bool
 	// update first before publishing
-	if err := r.Update(true); err != nil {
+	if err := r.updateTUF(true); err != nil {
 		// If the remote is not aware of the repo, then this is being published
 		// for the first time.  Try to initialize the repository before publishing.
 		if _, ok := err.(ErrRepositoryNotExist); ok {
@@ -863,7 +693,14 @@ func (r *repository) oldKeysForLegacyClientSupport(legacyVersions int, initialPu
 	}
 	oldKeys := make(map[string]data.PublicKey)
-	c, err := r.bootstrapClient(true)
+	c, err := bootstrapClient(TUFLoadOptions{
 		GUN:                    r.gun,
 		TrustPinning:           r.trustPinning,
 		CryptoService:          r.cryptoService,
 		Cache:                  r.cache,
 		RemoteStore:            r.remoteStore,
 		AlwaysCheckInitialized: true,
 	})
 	// require a server connection to fetch old roots
 	if err != nil {
 		return nil, err
@@ -1003,135 +840,6 @@ func (r *repository) saveMetadata(ignoreSnapshot bool) error {
 	return r.cache.Set(data.CanonicalSnapshotRole.String(), snapshotJSON)
 }
 // returns a properly constructed ErrRepositoryNotExist error based on this
 // repo's information
 func (r *repository) errRepositoryNotExist() error {
 	host := r.baseURL
 	parsed, err := url.Parse(r.baseURL)
 	if err == nil {
 		host = parsed.Host // try to exclude the scheme and any paths
 	}
 	return ErrRepositoryNotExist{remote: host, gun: r.gun}
 }
 // Update bootstraps a trust anchor (root.json) before updating all the
 // metadata from the repo.
 func (r *repository) Update(forWrite bool) error {
 	c, err := r.bootstrapClient(forWrite)
 	if err != nil {
 		if _, ok := err.(store.ErrMetaNotFound); ok {
 			return r.errRepositoryNotExist()
 		}
 		return err
 	}
 	repo, invalid, err := c.Update()
 	if err != nil {
 		// notFound.Resource may include a version or checksum so when the role is root,
 		// it will be root, <version>.root or root.<checksum>.
 		notFound, ok := err.(store.ErrMetaNotFound)
 		isRoot, _ := regexp.MatchString(`\.?`+data.CanonicalRootRole.String()+`\.?`, notFound.Resource)
 		if ok && isRoot {
 			return r.errRepositoryNotExist()
 		}
 		return err
 	}
 	// we can be assured if we are at this stage that the repo we built is good
 	// no need to test the following function call for an error as it will always be fine should the repo be good- it is!
 	r.tufRepo = repo
 	r.invalid = invalid
 	warnRolesNearExpiry(repo)
 	return nil
 }
 // bootstrapClient attempts to bootstrap a root.json to be used as the trust
 // anchor for a repository. The checkInitialized argument indicates whether
 // we should always attempt to contact the server to determine if the repository
 // is initialized or not. If set to true, we will always attempt to download
 // and return an error if the remote repository errors.
 //
 // Populates a tuf.RepoBuilder with this root metadata. If the root metadata
 // downloaded is a newer version than what is on disk, then intermediate
 // versions will be downloaded and verified in order to rotate trusted keys
 // properly. Newer root metadata must always be signed with the previous
 // threshold and keys.
 //
 // Fails if the remote server is reachable and does not know the repo
 // (i.e. before the first r.Publish()), in which case the error is
 // store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
 // is not trusted.
 //
 // Returns a TUFClient for the remote server, which may not be actually
 // operational (if the URL is invalid but a root.json is cached).
 func (r *repository) bootstrapClient(checkInitialized bool) (*tufClient, error) {
 	minVersion := 1
 	// the old root on disk should not be validated against any trust pinning configuration
 	// because if we have an old root, it itself is the thing that pins trust
 	oldBuilder := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), trustpinning.TrustPinConfig{})
 	// by default, we want to use the trust pinning configuration on any new root that we download
 	newBuilder := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), r.trustPinning)
 	// Try to read root from cache first. We will trust this root until we detect a problem
 	// during update which will cause us to download a new root and perform a rotation.
 	// If we have an old root, and it's valid, then we overwrite the newBuilder to be one
 	// preloaded with the old root or one which uses the old root for trust bootstrapping.
 	if rootJSON, err := r.cache.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit); err == nil {
 		// if we can't load the cached root, fail hard because that is how we pin trust
 		if err := oldBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, true); err != nil {
 			return nil, err
 		}
 		// again, the root on disk is the source of trust pinning, so use an empty trust
 		// pinning configuration
 		newBuilder = tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), trustpinning.TrustPinConfig{})
 		if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
 			// Ok, the old root is expired - we want to download a new one.  But we want to use the
 			// old root to verify the new root, so bootstrap a new builder with the old builder
 			// but use the trustpinning to validate the new root
 			minVersion = oldBuilder.GetLoadedVersion(data.CanonicalRootRole)
 			newBuilder = oldBuilder.BootstrapNewBuilderWithNewTrustpin(r.trustPinning)
 		}
 	}
 	remote := r.getRemoteStore()
 	if !newBuilder.IsLoaded(data.CanonicalRootRole) || checkInitialized {
 		// remoteErr was nil and we were not able to load a root from cache or
 		// are specifically checking for initialization of the repo.
 		// if remote store successfully set up, try and get root from remote
 		// We don't have any local data to determine the size of root, so try the maximum (though it is restricted at 100MB)
 		tmpJSON, err := remote.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit)
 		if err != nil {
 			// we didn't have a root in cache and were unable to load one from
 			// the server. Nothing we can do but error.
 			return nil, err
 		}
 		if !newBuilder.IsLoaded(data.CanonicalRootRole) {
 			// we always want to use the downloaded root if we couldn't load from cache
 			if err := newBuilder.Load(data.CanonicalRootRole, tmpJSON, minVersion, false); err != nil {
 				return nil, err
 			}
 			err = r.cache.Set(data.CanonicalRootRole.String(), tmpJSON)
 			if err != nil {
 				// if we can't write cache we should still continue, just log error
 				logrus.Errorf("could not save root to cache: %s", err.Error())
 			}
 		}
 	}
 	// We can only get here if remoteErr != nil (hence we don't download any new root),
 	// and there was no root on disk
 	if !newBuilder.IsLoaded(data.CanonicalRootRole) {
 		return nil, ErrRepoNotInitialized{}
 	}
 	return newTufClient(oldBuilder, newBuilder, remote, r.cache), nil
 }
 // RotateKey removes all existing keys associated with the role. If no keys are
 // specified in keyList, then this creates and adds one new key or delegates
 // managing the key to the server. If key(s) are specified by keyList, then they are
@@ -1273,7 +981,7 @@ func DeleteTrustData(baseDir string, gun data.GUN, URL string, rt http.RoundTrip
 	if deleteRemote {
 		remote, err := getRemoteStore(URL, gun, rt)
 		if err != nil {
-			logrus.Error("unable to instantiate a remote store: %v", err)
+			logrus.Errorf("unable to instantiate a remote store: %v", err)
 			return err
 		}
 		if err := remote.RemoveAll(); err != nil {
--- a/vendor/github.com/theupdateframework/notary/client/delegations.go
+++ b/vendor/github.com/theupdateframework/notary/client/delegations.go
@@ -7,7 +7,6 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/client/changelist"
 	store "github.com/theupdateframework/notary/storage"
 	"github.com/theupdateframework/notary/tuf/data"
 	"github.com/theupdateframework/notary/tuf/utils"
 )
@@ -77,7 +76,7 @@ func (r *repository) AddDelegationPaths(name data.RoleName, paths []string) erro
 }
 // RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and paths.
-// This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one changelist if called).
+// This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one changelist entry if called).
 func (r *repository) RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error {
 	if len(paths) > 0 {
 		err := r.RemoveDelegationPaths(name, paths)
@@ -201,41 +200,6 @@ func newDeleteDelegationChange(name data.RoleName, content []byte) *changelist.T
 	)
 }
 // GetDelegationRoles returns the keys and roles of the repository's delegations
 // Also converts key IDs to canonical key IDs to keep consistent with signing prompts
 func (r *repository) GetDelegationRoles() ([]data.Role, error) {
 	// Update state of the repo to latest
 	if err := r.Update(false); err != nil {
 		return nil, err
 	}
 	// All top level delegations (ex: targets/level1) are stored exclusively in targets.json
 	_, ok := r.tufRepo.Targets[data.CanonicalTargetsRole]
 	if !ok {
 		return nil, store.ErrMetaNotFound{Resource: data.CanonicalTargetsRole.String()}
 	}
 	// make a copy for traversing nested delegations
 	allDelegations := []data.Role{}
 	// Define a visitor function to populate the delegations list and translate their key IDs to canonical IDs
 	delegationCanonicalListVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 		// For the return list, update with a copy that includes canonicalKeyIDs
 		// These aren't validated by the validRole
 		canonicalDelegations, err := translateDelegationsToCanonicalIDs(tgt.Signed.Delegations)
 		if err != nil {
 			return err
 		}
 		allDelegations = append(allDelegations, canonicalDelegations...)
 		return nil
 	}
 	err := r.tufRepo.WalkTargets("", "", delegationCanonicalListVisitor)
 	if err != nil {
 		return nil, err
 	}
 	return allDelegations, nil
 }
 func translateDelegationsToCanonicalIDs(delegationInfo data.Delegations) ([]data.Role, error) {
 	canonicalDelegations := make([]data.Role, len(delegationInfo.Roles))
 	// Do a copy by value to ensure local delegation metadata is untouched
--- a/vendor/github.com/theupdateframework/notary/client/interface.go
+++ b/vendor/github.com/theupdateframework/notary/client/interface.go
@@ -6,42 +6,145 @@ import (
 	"github.com/theupdateframework/notary/tuf/signed"
 )
-// Repository represents the set of options that must be supported over a TUF repo.
+// ReadOnly represents the set of options that must be supported over a TUF repo for
-type Repository interface {
+// reading
-	// General management operations
+type ReadOnly interface {
-	Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error
+	// ListTargets lists all targets for the current repository. The list of
-	InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error
+	// roles should be passed in order from highest to lowest priority.
-	Publish() error
+	//
-
+	// IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
-	// Target Operations
+	// "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
-	AddTarget(target *Target, roles ...data.RoleName) error
+	// its entries will be strictly shadowed by those in other parts of the "targets/a"
-	RemoveTarget(targetName string, roles ...data.RoleName) error
+	// subtree and also the "targets/x" subtree, as we will defer parsing it until
 	// we explicitly reach it in our iteration of the provided list of roles.
 	ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error)
 	// GetTargetByName returns a target by the given name. If no roles are passed
 	// it uses the targets role and does a search of the entire delegation
 	// graph, finding the first entry in a breadth first search of the delegations.
 	// If roles are passed, they should be passed in descending priority and
 	// the target entry found in the subtree of the highest priority role
 	// will be returned.
 	// See the IMPORTANT section on ListTargets above. Those roles also apply here.
 	GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error)
 	// GetAllTargetMetadataByName searches the entire delegation role tree to find
 	// the specified target by name for all roles, and returns a list of
 	// TargetSignedStructs for each time it finds the specified target.
 	// If given an empty string for a target name, it will return back all targets
 	// signed into the repository in every role
 	GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error)
-	// Changelist operations
+	// ListRoles returns a list of RoleWithSignatures objects for this repo
 	// This represents the latest metadata for each role in this repo
 	ListRoles() ([]RoleWithSignatures, error)
 	// GetDelegationRoles returns the keys and roles of the repository's delegations
 	// Also converts key IDs to canonical key IDs to keep consistent with signing prompts
 	GetDelegationRoles() ([]data.Role, error)
 }
 // Repository represents the set of options that must be supported over a TUF repo
 // for both reading and writing.
 type Repository interface {
 	ReadOnly
 	// ------------------- Publishing operations -------------------
 	// GetGUN returns the GUN associated with the repository
 	GetGUN() data.GUN
 	// SetLegacyVersion sets the number of versions back to fetch roots to sign with
 	SetLegacyVersions(int)
 	// ----- General management operations -----
 	// Initialize creates a new repository by using rootKey as the root Key for the
 	// TUF repository. The remote store/server must be reachable (and is asked to
 	// generate a timestamp key and possibly other serverManagedRoles), but the
 	// created repository result is only stored on local cache, not published to
 	// the remote store. To do that, use r.Publish() eventually.
 	Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error
 	// InitializeWithCertificate initializes the repository with root keys and their
 	// corresponding certificates
 	InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error
 	// Publish pushes the local changes in signed material to the remote notary-server
 	// Conceptually it performs an operation similar to a `git rebase`
 	Publish() error
 	// ----- Target Operations -----
 	// AddTarget creates new changelist entries to add a target to the given roles
 	// in the repository when the changelist gets applied at publish time.
 	// If roles are unspecified, the default role is "targets"
 	AddTarget(target *Target, roles ...data.RoleName) error
 	// RemoveTarget creates new changelist entries to remove a target from the given
 	// roles in the repository when the changelist gets applied at publish time.
 	// If roles are unspecified, the default role is "target".
 	RemoveTarget(targetName string, roles ...data.RoleName) error
 	// ----- Changelist operations -----
 	// GetChangelist returns the list of the repository's unpublished changes
 	GetChangelist() (changelist.Changelist, error)
-	// Role operations
+	// ----- Role operations -----
-	ListRoles() ([]RoleWithSignatures, error)
+
-	GetDelegationRoles() ([]data.Role, error)
+	// AddDelegation creates changelist entries to add provided delegation public keys and paths.
 	// This method composes AddDelegationRoleAndKeys and AddDelegationPaths (each creates one changelist if called).
 	AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error
 	// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
 	// This method is the simplest way to create a new delegation, because the delegation must have at least
 	// one key upon creation to be valid since we will reject the changelist while validating the threshold.
 	AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error
 	// AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
 	// This method cannot create a new delegation itself because the role must meet the key threshold upon
 	// creation.
 	AddDelegationPaths(name data.RoleName, paths []string) error
 	// RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and
 	// paths. This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one
 	// changelist entry if called).
 	RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error
 	// RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the
 	// role in its entirety.
 	RemoveDelegationRole(name data.RoleName) error
 	// RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
 	RemoveDelegationPaths(name data.RoleName, paths []string) error
 	// RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
 	// When this changelist is applied, if the specified keys are the only keys left in the role,
 	// the role itself will be deleted in its entirety.
 	// It can also delete a key from all delegations under a parent using a name
 	// with a wildcard at the end.
 	RemoveDelegationKeys(name data.RoleName, keyIDs []string) error
 	// ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
 	ClearDelegationPaths(name data.RoleName) error
-	// Witness and other re-signing operations
+	// ----- Witness and other re-signing operations -----
 	// Witness creates change objects to witness (i.e. re-sign) the given
 	// roles on the next publish. One change is created per role
 	Witness(roles ...data.RoleName) ([]data.RoleName, error)
-	// Key Operations
+	// ----- Key Operations -----
 	// RotateKey removes all existing keys associated with the role. If no keys are
 	// specified in keyList, then this creates and adds one new key or delegates
 	// managing the key to the server. If key(s) are specified by keyList, then they are
 	// used for signing the role.
 	// These changes are staged in a changelist until publish is called.
 	RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error
 	// GetCryptoService is the getter for the repository's CryptoService, which is used
 	// to sign all updates.
 	GetCryptoService() signed.CryptoService
 	SetLegacyVersions(int)
 	GetGUN() data.GUN
 }
--- a/vendor/github.com/theupdateframework/notary/client/reader.go
+++ b/vendor/github.com/theupdateframework/notary/client/reader.go
@@ -0,0 +1,257 @@
 package client
 import (
 	"fmt"
 	canonicaljson "github.com/docker/go/canonical/json"
 	store "github.com/theupdateframework/notary/storage"
 	"github.com/theupdateframework/notary/tuf"
 	"github.com/theupdateframework/notary/tuf/data"
 	"github.com/theupdateframework/notary/tuf/utils"
 )
 // Target represents a simplified version of the data TUF operates on, so external
 // applications don't have to depend on TUF data types.
 type Target struct {
 	Name   string                    // the name of the target
 	Hashes data.Hashes               // the hash of the target
 	Length int64                     // the size in bytes of the target
 	Custom *canonicaljson.RawMessage // the custom data provided to describe the file at TARGETPATH
 }
 // TargetWithRole represents a Target that exists in a particular role - this is
 // produced by ListTargets and GetTargetByName
 type TargetWithRole struct {
 	Target
 	Role data.RoleName
 }
 // TargetSignedStruct is a struct that contains a Target, the role it was found in, and the list of signatures for that role
 type TargetSignedStruct struct {
 	Role       data.DelegationRole
 	Target     Target
 	Signatures []data.Signature
 }
 //ErrNoSuchTarget is returned when no valid trust data is found.
 type ErrNoSuchTarget string
 func (f ErrNoSuchTarget) Error() string {
 	return fmt.Sprintf("No valid trust data for %s", string(f))
 }
 // RoleWithSignatures is a Role with its associated signatures
 type RoleWithSignatures struct {
 	Signatures []data.Signature
 	data.Role
 }
 // NewReadOnly is the base method that returns a new notary repository for reading.
 // It expects an initialized cache. In case of a nil remote store, a default
 // offline store is used.
 func NewReadOnly(repo *tuf.Repo) ReadOnly {
 	return &reader{tufRepo: repo}
 }
 type reader struct {
 	tufRepo *tuf.Repo
 }
 // ListTargets lists all targets for the current repository. The list of
 // roles should be passed in order from highest to lowest priority.
 //
 // IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
 // "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
 // its entries will be strictly shadowed by those in other parts of the "targets/a"
 // subtree and also the "targets/x" subtree, as we will defer parsing it until
 // we explicitly reach it in our iteration of the provided list of roles.
 func (r *reader) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
 	if len(roles) == 0 {
 		roles = []data.RoleName{data.CanonicalTargetsRole}
 	}
 	targets := make(map[string]*TargetWithRole)
 	for _, role := range roles {
 		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
 		skipRoles := utils.RoleNameSliceRemove(roles, role)
 		// Define a visitor function to populate the targets map in priority order
 		listVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 			// We found targets so we should try to add them to our targets map
 			for targetName, targetMeta := range tgt.Signed.Targets {
 				// Follow the priority by not overriding previously set targets
 				// and check that this path is valid with this role
 				if _, ok := targets[targetName]; ok || !validRole.CheckPaths(targetName) {
 					continue
 				}
 				targets[targetName] = &TargetWithRole{
 					Target: Target{
 						Name:   targetName,
 						Hashes: targetMeta.Hashes,
 						Length: targetMeta.Length,
 						Custom: targetMeta.Custom,
 					},
 					Role: validRole.Name,
 				}
 			}
 			return nil
 		}
 		r.tufRepo.WalkTargets("", role, listVisitorFunc, skipRoles...)
 	}
 	var targetList []*TargetWithRole
 	for _, v := range targets {
 		targetList = append(targetList, v)
 	}
 	return targetList, nil
 }
 // GetTargetByName returns a target by the given name. If no roles are passed
 // it uses the targets role and does a search of the entire delegation
 // graph, finding the first entry in a breadth first search of the delegations.
 // If roles are passed, they should be passed in descending priority and
 // the target entry found in the subtree of the highest priority role
 // will be returned.
 // See the IMPORTANT section on ListTargets above. Those roles also apply here.
 func (r *reader) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
 	if len(roles) == 0 {
 		roles = append(roles, data.CanonicalTargetsRole)
 	}
 	var resultMeta data.FileMeta
 	var resultRoleName data.RoleName
 	var foundTarget bool
 	for _, role := range roles {
 		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
 		skipRoles := utils.RoleNameSliceRemove(roles, role)
 		// Define a visitor function to find the specified target
 		getTargetVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 			if tgt == nil {
 				return nil
 			}
 			// We found the target and validated path compatibility in our walk,
 			// so we should stop our walk and set the resultMeta and resultRoleName variables
 			if resultMeta, foundTarget = tgt.Signed.Targets[name]; foundTarget {
 				resultRoleName = validRole.Name
 				return tuf.StopWalk{}
 			}
 			return nil
 		}
 		// Check that we didn't error, and that we assigned to our target
 		if err := r.tufRepo.WalkTargets(name, role, getTargetVisitorFunc, skipRoles...); err == nil && foundTarget {
 			return &TargetWithRole{Target: Target{Name: name, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom}, Role: resultRoleName}, nil
 		}
 	}
 	return nil, ErrNoSuchTarget(name)
 }
 // GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
 // roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
 // If given an empty string for a target name, it will return back all targets signed into the repository in every role
 func (r *reader) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
 	var targetInfoList []TargetSignedStruct
 	// Define a visitor function to find the specified target
 	getAllTargetInfoByNameVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 		if tgt == nil {
 			return nil
 		}
 		// We found a target and validated path compatibility in our walk,
 		// so add it to our list if we have a match
 		// if we have an empty name, add all targets, else check if we have it
 		var targetMetaToAdd data.Files
 		if name == "" {
 			targetMetaToAdd = tgt.Signed.Targets
 		} else {
 			if meta, ok := tgt.Signed.Targets[name]; ok {
 				targetMetaToAdd = data.Files{name: meta}
 			}
 		}
 		for targetName, resultMeta := range targetMetaToAdd {
 			targetInfo := TargetSignedStruct{
 				Role:       validRole,
 				Target:     Target{Name: targetName, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom},
 				Signatures: tgt.Signatures,
 			}
 			targetInfoList = append(targetInfoList, targetInfo)
 		}
 		// continue walking to all child roles
 		return nil
 	}
 	// Check that we didn't error, and that we found the target at least once
 	if err := r.tufRepo.WalkTargets(name, "", getAllTargetInfoByNameVisitorFunc); err != nil {
 		return nil, err
 	}
 	if len(targetInfoList) == 0 {
 		return nil, ErrNoSuchTarget(name)
 	}
 	return targetInfoList, nil
 }
 // ListRoles returns a list of RoleWithSignatures objects for this repo
 // This represents the latest metadata for each role in this repo
 func (r *reader) ListRoles() ([]RoleWithSignatures, error) {
 	// Get all role info from our updated keysDB, can be empty
 	roles := r.tufRepo.GetAllLoadedRoles()
 	var roleWithSigs []RoleWithSignatures
 	// Populate RoleWithSignatures with Role from keysDB and signatures from TUF metadata
 	for _, role := range roles {
 		roleWithSig := RoleWithSignatures{Role: *role, Signatures: nil}
 		switch role.Name {
 		case data.CanonicalRootRole:
 			roleWithSig.Signatures = r.tufRepo.Root.Signatures
 		case data.CanonicalTargetsRole:
 			roleWithSig.Signatures = r.tufRepo.Targets[data.CanonicalTargetsRole].Signatures
 		case data.CanonicalSnapshotRole:
 			roleWithSig.Signatures = r.tufRepo.Snapshot.Signatures
 		case data.CanonicalTimestampRole:
 			roleWithSig.Signatures = r.tufRepo.Timestamp.Signatures
 		default:
 			if !data.IsDelegation(role.Name) {
 				continue
 			}
 			if _, ok := r.tufRepo.Targets[role.Name]; ok {
 				// We'll only find a signature if we've published any targets with this delegation
 				roleWithSig.Signatures = r.tufRepo.Targets[role.Name].Signatures
 			}
 		}
 		roleWithSigs = append(roleWithSigs, roleWithSig)
 	}
 	return roleWithSigs, nil
 }
 // GetDelegationRoles returns the keys and roles of the repository's delegations
 // Also converts key IDs to canonical key IDs to keep consistent with signing prompts
 func (r *reader) GetDelegationRoles() ([]data.Role, error) {
 	// All top level delegations (ex: targets/level1) are stored exclusively in targets.json
 	_, ok := r.tufRepo.Targets[data.CanonicalTargetsRole]
 	if !ok {
 		return nil, store.ErrMetaNotFound{Resource: data.CanonicalTargetsRole.String()}
 	}
 	// make a copy for traversing nested delegations
 	allDelegations := []data.Role{}
 	// Define a visitor function to populate the delegations list and translate their key IDs to canonical IDs
 	delegationCanonicalListVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
 		// For the return list, update with a copy that includes canonicalKeyIDs
 		// These aren't validated by the validRole
 		canonicalDelegations, err := translateDelegationsToCanonicalIDs(tgt.Signed.Delegations)
 		if err != nil {
 			return err
 		}
 		allDelegations = append(allDelegations, canonicalDelegations...)
 		return nil
 	}
 	err := r.tufRepo.WalkTargets("", "", delegationCanonicalListVisitor)
 	if err != nil {
 		return nil, err
 	}
 	return allDelegations, nil
 }
--- a/vendor/github.com/theupdateframework/notary/client/tufclient.go
+++ b/vendor/github.com/theupdateframework/notary/client/tufclient.go
@@ -3,9 +3,11 @@ package client
 import (
 	"encoding/json"
 	"fmt"
 	"regexp"
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/cryptoservice"
 	store "github.com/theupdateframework/notary/storage"
 	"github.com/theupdateframework/notary/trustpinning"
 	"github.com/theupdateframework/notary/tuf"
@@ -21,16 +23,6 @@ type tufClient struct {
 	newBuilder tuf.RepoBuilder
 }
 // newTufClient initialized a tufClient with the given repo, remote source of content, and cache
 func newTufClient(oldBuilder, newBuilder tuf.RepoBuilder, remote store.RemoteStore, cache store.MetadataStore) *tufClient {
 	return &tufClient{
 		oldBuilder: oldBuilder,
 		newBuilder: newBuilder,
 		remote:     remote,
 		cache:      cache,
 	}
 }
 // Update performs an update to the TUF repo as defined by the TUF spec
 func (c *tufClient) Update() (*tuf.Repo, *tuf.Repo, error) {
 	// 1. Get timestamp
@@ -139,7 +131,7 @@ func (c *tufClient) updateRoot() error {
 	// Write newest to cache
 	if err := c.cache.Set(data.CanonicalRootRole.String(), raw); err != nil {
-		logrus.Debugf("unable to write %s to cache: %d.%s", newestVersion, data.CanonicalRootRole, err)
+		logrus.Debugf("unable to write %d.%s to cache: %s", newestVersion, data.CanonicalRootRole, err)
 	}
 	logrus.Debugf("finished updating root files")
 	return nil
@@ -323,3 +315,149 @@ func (c *tufClient) tryLoadRemote(consistentInfo tuf.ConsistentInfo, old []byte)
 	}
 	return raw, nil
 }
 // TUFLoadOptions are provided to LoadTUFRepo, which loads a TUF repo from cache,
 // from a remote store, or both
 type TUFLoadOptions struct {
 	GUN                    data.GUN
 	TrustPinning           trustpinning.TrustPinConfig
 	CryptoService          signed.CryptoService
 	Cache                  store.MetadataStore
 	RemoteStore            store.RemoteStore
 	AlwaysCheckInitialized bool
 }
 // bootstrapClient attempts to bootstrap a root.json to be used as the trust
 // anchor for a repository. The checkInitialized argument indicates whether
 // we should always attempt to contact the server to determine if the repository
 // is initialized or not. If set to true, we will always attempt to download
 // and return an error if the remote repository errors.
 //
 // Populates a tuf.RepoBuilder with this root metadata. If the root metadata
 // downloaded is a newer version than what is on disk, then intermediate
 // versions will be downloaded and verified in order to rotate trusted keys
 // properly. Newer root metadata must always be signed with the previous
 // threshold and keys.
 //
 // Fails if the remote server is reachable and does not know the repo
 // (i.e. before any metadata has been published), in which case the error is
 // store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
 // is not trusted.
 //
 // Returns a TUFClient for the remote server, which may not be actually
 // operational (if the URL is invalid but a root.json is cached).
 func bootstrapClient(l TUFLoadOptions) (*tufClient, error) {
 	minVersion := 1
 	// the old root on disk should not be validated against any trust pinning configuration
 	// because if we have an old root, it itself is the thing that pins trust
 	oldBuilder := tuf.NewRepoBuilder(l.GUN, l.CryptoService, trustpinning.TrustPinConfig{})
 	// by default, we want to use the trust pinning configuration on any new root that we download
 	newBuilder := tuf.NewRepoBuilder(l.GUN, l.CryptoService, l.TrustPinning)
 	// Try to read root from cache first. We will trust this root until we detect a problem
 	// during update which will cause us to download a new root and perform a rotation.
 	// If we have an old root, and it's valid, then we overwrite the newBuilder to be one
 	// preloaded with the old root or one which uses the old root for trust bootstrapping.
 	if rootJSON, err := l.Cache.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit); err == nil {
 		// if we can't load the cached root, fail hard because that is how we pin trust
 		if err := oldBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, true); err != nil {
 			return nil, err
 		}
 		// again, the root on disk is the source of trust pinning, so use an empty trust
 		// pinning configuration
 		newBuilder = tuf.NewRepoBuilder(l.GUN, l.CryptoService, trustpinning.TrustPinConfig{})
 		if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
 			// Ok, the old root is expired - we want to download a new one.  But we want to use the
 			// old root to verify the new root, so bootstrap a new builder with the old builder
 			// but use the trustpinning to validate the new root
 			minVersion = oldBuilder.GetLoadedVersion(data.CanonicalRootRole)
 			newBuilder = oldBuilder.BootstrapNewBuilderWithNewTrustpin(l.TrustPinning)
 		}
 	}
 	if !newBuilder.IsLoaded(data.CanonicalRootRole) || l.AlwaysCheckInitialized {
 		// remoteErr was nil and we were not able to load a root from cache or
 		// are specifically checking for initialization of the repo.
 		// if remote store successfully set up, try and get root from remote
 		// We don't have any local data to determine the size of root, so try the maximum (though it is restricted at 100MB)
 		tmpJSON, err := l.RemoteStore.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit)
 		if err != nil {
 			// we didn't have a root in cache and were unable to load one from
 			// the server. Nothing we can do but error.
 			return nil, err
 		}
 		if !newBuilder.IsLoaded(data.CanonicalRootRole) {
 			// we always want to use the downloaded root if we couldn't load from cache
 			if err := newBuilder.Load(data.CanonicalRootRole, tmpJSON, minVersion, false); err != nil {
 				return nil, err
 			}
 			err = l.Cache.Set(data.CanonicalRootRole.String(), tmpJSON)
 			if err != nil {
 				// if we can't write cache we should still continue, just log error
 				logrus.Errorf("could not save root to cache: %s", err.Error())
 			}
 		}
 	}
 	// We can only get here if remoteErr != nil (hence we don't download any new root),
 	// and there was no root on disk
 	if !newBuilder.IsLoaded(data.CanonicalRootRole) {
 		return nil, ErrRepoNotInitialized{}
 	}
 	return &tufClient{
 		oldBuilder: oldBuilder,
 		newBuilder: newBuilder,
 		remote:     l.RemoteStore,
 		cache:      l.Cache,
 	}, nil
 }
 // LoadTUFRepo bootstraps a trust anchor (root.json) from cache (if provided) before updating
 // all the metadata for the repo from the remote (if provided). It loads a TUF repo from cache,
 // from a remote store, or both.
 func LoadTUFRepo(options TUFLoadOptions) (*tuf.Repo, *tuf.Repo, error) {
 	// set some sane defaults, so nothing has to be provided necessarily
 	if options.RemoteStore == nil {
 		options.RemoteStore = store.OfflineStore{}
 	}
 	if options.Cache == nil {
 		options.Cache = store.NewMemoryStore(nil)
 	}
 	if options.CryptoService == nil {
 		options.CryptoService = cryptoservice.EmptyService
 	}
 	c, err := bootstrapClient(options)
 	if err != nil {
 		if _, ok := err.(store.ErrMetaNotFound); ok {
 			return nil, nil, ErrRepositoryNotExist{
 				remote: options.RemoteStore.Location(),
 				gun:    options.GUN,
 			}
 		}
 		return nil, nil, err
 	}
 	repo, invalid, err := c.Update()
 	if err != nil {
 		// notFound.Resource may include a version or checksum so when the role is root,
 		// it will be root, <version>.root or root.<checksum>.
 		notFound, ok := err.(store.ErrMetaNotFound)
 		isRoot, _ := regexp.MatchString(`\.?`+data.CanonicalRootRole.String()+`\.?`, notFound.Resource)
 		if ok && isRoot {
 			return nil, nil, ErrRepositoryNotExist{
 				remote: options.RemoteStore.Location(),
 				gun:    options.GUN,
 			}
 		}
 		return nil, nil, err
 	}
 	warnRolesNearExpiry(repo)
 	return repo, invalid, nil
 }
--- a/vendor/github.com/theupdateframework/notary/cross.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/cross.Dockerfile
@@ -1,10 +1,9 @@
-FROM golang:1.10.1
+FROM dockercore/golang-cross:1.12.15
 RUN apt-get update && apt-get install -y \
 	curl \
 	clang \
 	file \
 	libltdl-dev \
 	libsqlite3-dev \
 	patch \
 	tar \
@@ -16,20 +15,11 @@ RUN apt-get update && apt-get install -y \
 RUN useradd -ms /bin/bash notary \
 	&& pip install codecov \
-	&& go get github.com/golang/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/HewlettPackard/gas
+	&& go get golang.org/x/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/securego/gosec/cmd/gosec/...
 # Configure the container for OSX cross compilation
 ENV OSX_SDK MacOSX10.11.sdk
 ENV OSX_CROSS_COMMIT 1a1733a773fe26e7b6c93b16fbf9341f22fac831
 RUN set -x \
 	&& export OSXCROSS_PATH="/osxcross" \
 	&& git clone https://github.com/tpoechtrager/osxcross.git $OSXCROSS_PATH \
 	&& ( cd $OSXCROSS_PATH && git checkout -q $OSX_CROSS_COMMIT) \
 	&& curl -sSL https://s3.dockerproject.org/darwin/v2/${OSX_SDK}.tar.xz -o "${OSXCROSS_PATH}/tarballs/${OSX_SDK}.tar.xz" \
 	&& UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh > /dev/null
 ENV PATH /osxcross/target/bin:$PATH
 ENV NOTARYDIR /go/src/github.com/theupdateframework/notary
 ENV GO111MODULE=on
 ENV GOFLAGS=-mod=vendor
 COPY . ${NOTARYDIR}
 RUN chmod -R a+rw /go
--- a/vendor/github.com/theupdateframework/notary/cryptoservice/crypto_service.go
+++ b/vendor/github.com/theupdateframework/notary/cryptoservice/crypto_service.go
@@ -21,6 +21,9 @@ var (
 	// ErrRootKeyNotEncrypted is returned if a root key being imported is
 	// unencrypted
 	ErrRootKeyNotEncrypted = errors.New("only encrypted root keys may be imported")
 	// EmptyService is an empty crypto service
 	EmptyService = NewCryptoService()
 )
 // CryptoService implements Sign and Create, holding a specific GUN and keystore to
--- a/vendor/github.com/theupdateframework/notary/development.mysql.yml
+++ b/vendor/github.com/theupdateframework/notary/development.mysql.yml
@@ -33,7 +33,7 @@ services:
      - mdb
    volumes:
      - ./notarysql/mysql-initdb.d:/docker-entrypoint-initdb.d
-    image: mariadb:10.1.28
+    image: mariadb:10.4
    environment:
      - TERM=dumb
      - MYSQL_ALLOW_EMPTY_PASSWORD="true"
--- a/vendor/github.com/theupdateframework/notary/docker-compose.yml
+++ b/vendor/github.com/theupdateframework/notary/docker-compose.yml
@@ -34,7 +34,7 @@ services:
    volumes:
      - ./notarysql/mysql-initdb.d:/docker-entrypoint-initdb.d
      - notary_data:/var/lib/mysql
-    image: mariadb:10.1.28
+    image: mariadb:10.4
    environment:
      - TERM=dumb
      - MYSQL_ALLOW_EMPTY_PASSWORD="true"
--- a/vendor/github.com/theupdateframework/notary/escrow.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/escrow.Dockerfile
@@ -1,6 +1,7 @@
-FROM golang:1.10.1-alpine
+FROM golang:1.14.1-alpine
 ENV NOTARYPKG github.com/theupdateframework/notary
 ENV GO111MODULE=on
 # Copy the local repo to the expected go path
 COPY . /go/src/${NOTARYPKG}
--- a/vendor/github.com/theupdateframework/notary/fips.go
+++ b/vendor/github.com/theupdateframework/notary/fips.go
@@ -3,7 +3,7 @@ package notary
 import (
 	"crypto"
 	// Need to import md5 so can test availability.
-	_ "crypto/md5"
+	_ "crypto/md5" // #nosec
 )
 // FIPSEnabled returns true if running in FIPS mode.
--- a/vendor/github.com/theupdateframework/notary/passphrase/passphrase.go
+++ b/vendor/github.com/theupdateframework/notary/passphrase/passphrase.go
@@ -12,7 +12,7 @@ import (
 	"strings"
 	"github.com/theupdateframework/notary"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 )
 const (
@@ -49,7 +49,7 @@ var (
 // Upon successful passphrase retrievals, the passphrase will be cached such that
 // subsequent prompts will produce the same passphrase.
 func PromptRetriever() notary.PassRetriever {
-	if !terminal.IsTerminal(int(os.Stdin.Fd())) {
+	if !term.IsTerminal(int(os.Stdin.Fd())) {
 		return func(string, string, bool, int) (string, bool, error) {
 			return "", false, ErrNoInput
 		}
@@ -200,8 +200,8 @@ func GetPassphrase(in *bufio.Reader) ([]byte, error) {
 		err        error
 	)
-	if terminal.IsTerminal(int(os.Stdin.Fd())) {
+	if term.IsTerminal(int(os.Stdin.Fd())) {
-		passphrase, err = terminal.ReadPassword(int(os.Stdin.Fd()))
+		passphrase, err = term.ReadPassword(int(os.Stdin.Fd()))
 	} else {
 		passphrase, err = in.ReadBytes('\n')
 	}
--- a/vendor/github.com/theupdateframework/notary/server.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/server.Dockerfile
@@ -1,10 +1,13 @@
-FROM golang:1.10.1-alpine
+FROM golang:1.14.1-alpine
 RUN apk add --update git gcc libc-dev
-# Pin to the specific v3.0.0 version
+ENV GO111MODULE=on
 RUN go get -tags 'mysql postgres file' github.com/mattes/migrate/cli && mv /go/bin/cli /go/bin/migrate
 ARG MIGRATE_VER=v4.6.2
 RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
 ENV GOFLAGS=-mod=vendor
 ENV NOTARYPKG github.com/theupdateframework/notary
 # Copy the local repo to the expected go path
--- a/vendor/github.com/theupdateframework/notary/server.minimal.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/server.minimal.Dockerfile
@@ -1,8 +1,13 @@
-FROM golang:1.10.1-alpine AS build-env
+FROM golang:1.14.1-alpine AS build-env
 RUN apk add --update git gcc libc-dev
 # Pin to the specific v3.0.0 version
 RUN go get -tags 'mysql postgres file' github.com/mattes/migrate/cli && mv /go/bin/cli /go/bin/migrate
 RUN apk add --update git gcc libc-dev
 ENV GO111MODULE=on
 ARG MIGRATE_VER=v4.6.2
 RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
 ENV GOFLAGS=-mod=vendor
 ENV NOTARYPKG github.com/theupdateframework/notary
 # Copy the local repo to the expected go path
--- a/vendor/github.com/theupdateframework/notary/signer.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/signer.Dockerfile
@@ -1,10 +1,13 @@
-FROM golang:1.10.1-alpine
+FROM golang:1.14.1-alpine
 RUN apk add --update git gcc libc-dev
-# Pin to the specific v3.0.0 version
+ENV GO111MODULE=on
 RUN go get -tags 'mysql postgres file' github.com/mattes/migrate/cli && mv /go/bin/cli /go/bin/migrate
 ARG MIGRATE_VER=v4.6.2
 RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
 ENV GOFLAGS=-mod=vendor
 ENV NOTARYPKG github.com/theupdateframework/notary
 # Copy the local repo to the expected go path
--- a/vendor/github.com/theupdateframework/notary/signer.minimal.Dockerfile
+++ b/vendor/github.com/theupdateframework/notary/signer.minimal.Dockerfile
@@ -1,8 +1,13 @@
-FROM golang:1.10.1-alpine AS build-env
+FROM golang:1.14.1-alpine AS build-env
 RUN apk add --update git gcc libc-dev
 # Pin to the specific v3.0.0 version
 RUN go get -tags 'mysql postgres file' github.com/mattes/migrate/cli && mv /go/bin/cli /go/bin/migrate
 RUN apk add --update git gcc libc-dev
 ENV GO111MODULE=on
 ARG MIGRATE_VER=v4.6.2
 RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
 ENV GOFLAGS=-mod=vendor
 ENV NOTARYPKG github.com/theupdateframework/notary
 # Copy the local repo to the expected go path
--- a/vendor/github.com/theupdateframework/notary/storage/filestore.go
+++ b/vendor/github.com/theupdateframework/notary/storage/filestore.go
@@ -137,14 +137,16 @@ func (f *FilesystemStore) GetSized(name string, size int64) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	file, err := os.OpenFile(p, os.O_RDONLY, notary.PrivNoExecPerms)
+	file, err := os.Open(p)
 	if err != nil {
 		if os.IsNotExist(err) {
 			err = ErrMetaNotFound{Resource: name}
 		}
 		return nil, err
 	}
-	defer file.Close()
+	defer func() {
 		_ = file.Close()
 	}()
 	if size == NoSizeLimit {
 		size = notary.MaxDownloadSize
--- a/vendor/github.com/theupdateframework/notary/storage/httpstore.go
+++ b/vendor/github.com/theupdateframework/notary/storage/httpstore.go
@@ -111,6 +111,18 @@ type HTTPStore struct {
 	roundTrip     http.RoundTripper
 }
 // NewNotaryServerStore returns a new HTTPStore against a URL which should represent a notary
 // server
 func NewNotaryServerStore(serverURL string, gun data.GUN, roundTrip http.RoundTripper) (RemoteStore, error) {
 	return NewHTTPStore(
 		serverURL+"/v2/"+gun.String()+"/_trust/tuf/",
 		"",
 		"json",
 		"key",
 		roundTrip,
 	)
 }
 // NewHTTPStore initializes a new store against a URL and a number of configuration options.
 //
 // In case of a nil `roundTrip`, a default offline store is used instead.
@@ -363,5 +375,5 @@ func (s HTTPStore) RotateKey(role data.RoleName) ([]byte, error) {
 // Location returns a human readable name for the storage location
 func (s HTTPStore) Location() string {
-	return s.baseURL.String()
+	return s.baseURL.Host
 }
--- a/vendor/github.com/theupdateframework/notary/storage/interfaces.go
+++ b/vendor/github.com/theupdateframework/notary/storage/interfaces.go
@@ -15,6 +15,7 @@ type MetadataStore interface {
 	SetMulti(map[string][]byte) error
 	RemoveAll() error
 	Remove(name string) error
 	Location() string
 }
 // PublicKeyStore must be implemented by a key service
--- a/vendor/github.com/theupdateframework/notary/tuf/builder.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/builder.go
@@ -359,7 +359,7 @@ func (rb *repoBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int,
 	// loadedNotChecksummed should currently contain the root awaiting checksumming,
 	// since it has to have been loaded.  Since the snapshot was generated using
-	// the root and targets data (there may not be any) that that have been loaded,
+	// the root and targets data (there may not be any) that have been loaded,
 	// remove all of them from rb.loadedNotChecksummed
 	for tgtName := range rb.repo.Targets {
 		delete(rb.loadedNotChecksummed, data.RoleName(tgtName))
--- a/vendor/github.com/theupdateframework/notary/tuf/data/keys.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/data/keys.go
@@ -12,9 +12,9 @@ import (
 	"io"
 	"math/big"
 	"github.com/agl/ed25519"
 	"github.com/docker/go/canonical/json"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ed25519"
 )
 // PublicKey is the necessary interface for public keys
@@ -484,9 +484,10 @@ func (k RSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts)
 // Sign creates an ed25519 signature
 func (k ED25519PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	priv := [ed25519.PrivateKeySize]byte{}
+	priv := make([]byte, ed25519.PrivateKeySize)
-	copy(priv[:], k.private[ed25519.PublicKeySize:])
+	// The ed25519 key is serialized as public key then private key, so just use private key here.
-	return ed25519.Sign(&priv, msg)[:], nil
+	copy(priv, k.private[ed25519.PublicKeySize:])
 	return ed25519.Sign(ed25519.PrivateKey(priv), msg)[:], nil
 }
 // Sign on an UnknownPrivateKey raises an error because the client does not
--- a/vendor/github.com/theupdateframework/notary/tuf/data/roles.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/data/roles.go
@@ -55,7 +55,7 @@ func (e ErrInvalidRole) Error() string {
 // ValidRole only determines the name is semantically
 // correct. For target delegated roles, it does NOT check
-// the the appropriate parent roles exist.
+// the appropriate parent roles exist.
 func ValidRole(name RoleName) bool {
 	if IsDelegation(name) {
 		return true
--- a/vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go
@@ -59,7 +59,7 @@ func IsValidSnapshotStructure(s Snapshot) error {
 	return nil
 }
-// NewSnapshot initilizes a SignedSnapshot with a given top level root
+// NewSnapshot initializes a SignedSnapshot with a given top level root
 // and targets objects
 func NewSnapshot(root *Signed, targets *Signed) (*SignedSnapshot, error) {
 	logrus.Debug("generating new snapshot...")
--- a/vendor/github.com/theupdateframework/notary/tuf/data/targets.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/data/targets.go
@@ -54,7 +54,7 @@ func isValidTargetsStructure(t Targets, roleName RoleName) error {
 	return nil
 }
-// NewTargets intiializes a new empty SignedTargets object
+// NewTargets initializes a new empty SignedTargets object
 func NewTargets() *SignedTargets {
 	return &SignedTargets{
 		Signatures: make([]Signature, 0),
--- a/vendor/github.com/theupdateframework/notary/tuf/data/types.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/data/types.go
@@ -186,7 +186,7 @@ type FileMeta struct {
 // Equals returns true if the other FileMeta object is equivalent to this one
 func (f FileMeta) Equals(o FileMeta) bool {
-	if o.Length != f.Length || len(f.Hashes) != len(f.Hashes) {
+	if o.Length != f.Length || len(o.Hashes) != len(f.Hashes) {
 		return false
 	}
 	if f.Custom == nil && o.Custom != nil || f.Custom != nil && o.Custom == nil {
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/interface.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/signed/interface.go
@@ -39,7 +39,7 @@ type CryptoService interface {
 	KeyService
 }
-// Verifier defines an interface for verfying signatures. An implementer
+// Verifier defines an interface for verifying signatures. An implementer
 // of this interface should verify signatures for one and only one
 // signing scheme.
 type Verifier interface {
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/sign.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/signed/sign.go
@@ -87,7 +87,8 @@ func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey,
 		})
 	}
-	for _, sig := range s.Signatures {
+	for i := range s.Signatures {
 		sig := s.Signatures[i]
 		if _, ok := signingKeyIDs[sig.KeyID]; ok {
 			// key is in the set of key IDs for which a signature has been created
 			continue
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go
@@ -10,9 +10,9 @@ import (
 	"fmt"
 	"math/big"
 	"github.com/agl/ed25519"
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary/tuf/data"
 	"golang.org/x/crypto/ed25519"
 )
 const (
@@ -39,26 +39,26 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
 	if key.Algorithm() != data.ED25519Key {
 		return ErrInvalidKeyType{}
 	}
-	var sigBytes [ed25519.SignatureSize]byte
+	sigBytes := make([]byte, ed25519.SignatureSize)
 	if len(sig) != ed25519.SignatureSize {
 		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
 		return ErrInvalid
 	}
-	copy(sigBytes[:], sig)
+	copy(sigBytes, sig)
-	var keyBytes [ed25519.PublicKeySize]byte
+	keyBytes := make([]byte, ed25519.PublicKeySize)
 	pub := key.Public()
 	if len(pub) != ed25519.PublicKeySize {
 		logrus.Errorf("public key is incorrect size, must be %d, was %d.", ed25519.PublicKeySize, len(pub))
 		return ErrInvalidKeyLength{msg: fmt.Sprintf("ed25519 public key must be %d bytes.", ed25519.PublicKeySize)}
 	}
-	n := copy(keyBytes[:], key.Public())
+	n := copy(keyBytes, key.Public())
 	if n < ed25519.PublicKeySize {
 		logrus.Errorf("failed to copy the key, must have %d bytes, copied %d bytes.", ed25519.PublicKeySize, n)
 		return ErrInvalid
 	}
-	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
+	if !ed25519.Verify(ed25519.PublicKey(keyBytes), msg, sigBytes) {
 		logrus.Debugf("failed ed25519 verification")
 		return ErrInvalid
 	}
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go
@@ -39,7 +39,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/utils.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/utils/utils.go
@@ -30,7 +30,7 @@ func RoleNameSliceContains(ss []data.RoleName, s data.RoleName) bool {
 	return false
 }
-// RoleNameSliceRemove removes the the given RoleName from the slice, returning a new slice
+// RoleNameSliceRemove removes the given RoleName from the slice, returning a new slice
 func RoleNameSliceRemove(ss []data.RoleName, s data.RoleName) []data.RoleName {
 	res := []data.RoleName{}
 	for _, v := range ss {
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/x509.go
+++ b/vendor/github.com/theupdateframework/notary/tuf/utils/x509.go
@@ -16,10 +16,10 @@ import (
 	"math/big"
 	"time"
 	"github.com/agl/ed25519"
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/tuf/data"
 	"golang.org/x/crypto/ed25519"
 )
 // CanonicalKeyID returns the ID of the public bytes version of a TUF key.
--- a/vendor/github.com/theupdateframework/notary/vendor.conf
+++ b/vendor/github.com/theupdateframework/notary/vendor.conf
@@ -1,59 +0,0 @@
 github.com/Shopify/logrus-bugsnag   6dbc35f2c30d1e37549f9673dd07912452ab28a5
 github.com/sirupsen/logrus          f006c2ac4710855cf0f916dd6b77acf6b048dc6e  # v1.0.3
 github.com/agl/ed25519              278e1ec8e8a6e017cd07577924d6766039146ced
 github.com/bugsnag/bugsnag-go       13fd6b8acda029830ef9904df6b63be0a83369d0
 github.com/bugsnag/panicwrap	    e2c28503fcd0675329da73bf48b33404db873782
 github.com/bugsnag/osext	    0dd3f918b21bec95ace9dc86c7e70266cfc5c702
 github.com/docker/distribution      edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
 github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
 github.com/docker/go-connections    7395e3f8aa162843a74ed6d48e79627d9792ac55
 github.com/docker/go                d30aec9fd63c35133f8f79c3412ad91a3b08be06
 github.com/dvsekhvalnov/jose2go     f21a8cedbbae609f623613ec8f81125c243212e6   # v1.3
 github.com/go-sql-driver/mysql      a0583e0143b1624142adab07e0e97fe106d99561   # v1.3
 github.com/gorilla/mux              53c1911da2b537f792e7cafcb446b05ffe33b996   # v1.6.1
 github.com/jinzhu/gorm              5409931a1bb87e484d68d649af9367c207713ea2
 github.com/jinzhu/inflection        1c35d901db3da928c72a72d8458480cc9ade058f
 github.com/lib/pq                   0dad96c0b94f8dee039aa40467f767467392a0af
 github.com/mattn/go-sqlite3         6c771bb9887719704b210e87e934f08be014bdb1   # v1.6.0
 github.com/miekg/pkcs11             5f6e0d0dad6f472df908c8e968a98ef00c9224bb
 github.com/prometheus/client_golang 449ccefff16c8e2b7229f6be1921ba22f62461fe
 github.com/prometheus/client_model  fa8ad6fec33561be4280a8f0514318c79d7f6cb6   # model-0.0.2-12-gfa8ad6f
 github.com/prometheus/procfs	    b1afdc266f54247f5dc725544f5d351a8661f502
 github.com/prometheus/common	    4fdc91a58c9d3696b982e8a680f4997403132d44
 github.com/golang/protobuf          c3cefd437628a0b7d31b34fe44b3a7a540e98527
 github.com/spf13/cobra              7b2c5ac9fc04fc5efafb60700713d4fa609b777b   # v0.0.1
 github.com/spf13/viper              be5ff3e4840cf692388bde7a057595a474ef379e
 golang.org/x/crypto                 76eec36fa14229c4b25bb894c2d0e591527af429
 golang.org/x/net                    6a513affb38dc9788b449d59ffed099b8de18fa0
 golang.org/x/sys                    314a259e304ff91bd6985da2a7149bbf91237993
 google.golang.org/grpc              708a7f9f3283aa2d4f6132d287d78683babe55c8   # v1.0.5
 github.com/pkg/errors 		    839d9e913e063e28dfd0e6c7b7512793e0a48be9
 github.com/spf13/pflag		    e57e3eeb33f795204c1ca35f56c44f83227c6e66  # v1.0.0
 github.com/spf13/cast		    4d07383ffe94b5e5a6fa3af9211374a4507a0184
 gopkg.in/yaml.v2 		    5420a8b6744d3b0345ab293f6fcba19c978f1183  # v2.2.1
 gopkg.in/fatih/pool.v2		    cba550ebf9bce999a02e963296d4bc7a486cb715
 github.com/gorilla/context	    14f550f51af52180c2eefed15e5fd18d63c0a64a  # unused
 github.com/spf13/jwalterweatherman  3d60171a64319ef63c78bd45bd60e6eab1e75f8b
 github.com/mitchellh/mapstructure   2caf8efc93669b6c43e0441cdc6aed17546c96f3
 github.com/magiconair/properties    624009598839a9432bd97bb75552389422357723  # v1.5.3
 github.com/kr/text		    6807e777504f54ad073ecef66747de158294b639
 github.com/kr/pretty		    bc9499caa0f45ee5edb2f0209fbd61fbf3d9018f  # go.weekly.2011-12-22-18-gbc9499c
 github.com/hailocab/go-hostpool	    e80d13ce29ede4452c43dea11e79b9bc8a15b478
 github.com/docker/libtrust	    aabc10ec26b754e797f9028f4589c5b7bd90dc20
 github.com/beorn7/perks		    b965b613227fddccbfffe13eae360ed3fa822f8d
 github.com/BurntSushi/toml	    a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/matttproud/golang_protobuf_extensions	d0c3fe89de86839aecf2e0579c40ba3bb336a453
 github.com/inconshreveable/mousetrap			76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
 gopkg.in/dancannon/gorethink.v3        e324d6ad938205da6c1e8a0179dc97a5b1a92185  https://github.com/docker/gorethink # v3.0.0-logrus
 # dependencies of gorethink.v3
 gopkg.in/gorethink/gorethink.v2        ac5be4ae8538d44ae8843b97fc9f90860cb48a85  https://github.com/docker/gorethink # v2.2.2-logrus
 github.com/cenk/backoff             32cd0c5b3aef12c76ed64aaf678f6c79736be7dc  # v1.0.0
 # Testing requirements
 github.com/stretchr/testify                     089c7181b8c728499929ff09b62d3fdd8df8adff
 github.com/cloudflare/cfssl                     4e2dcbde500472449917533851bf4bae9bdff562 # v1.3.1
 github.com/google/certificate-transparency-go   5ab67e519c93568ac3ee50fd6772a5bcf8aa460d
 github.com/gogo/protobuf                        1adfc126b41513cc696b209667c8656ea7aac67c # v1.0.0
--- a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
+++ b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
@@ -1,76 +0,0 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package terminal provides support functions for dealing with terminals, as
 // commonly found on UNIX systems.
 //
 // Deprecated: this package moved to golang.org/x/term.
 package terminal
 import (
 	"io"
 	"golang.org/x/term"
 )
 // EscapeCodes contains escape sequences that can be written to the terminal in
 // order to achieve different styles of text.
 type EscapeCodes = term.EscapeCodes
 // Terminal contains the state for running a VT100 terminal that is capable of
 // reading lines of input.
 type Terminal = term.Terminal
 // NewTerminal runs a VT100 terminal on the given ReadWriter. If the ReadWriter is
 // a local terminal, that terminal must first have been put into raw mode.
 // prompt is a string that is written at the start of each input line (i.e.
 // "> ").
 func NewTerminal(c io.ReadWriter, prompt string) *Terminal {
 	return term.NewTerminal(c, prompt)
 }
 // ErrPasteIndicator may be returned from ReadLine as the error, in addition
 // to valid line data. It indicates that bracketed paste mode is enabled and
 // that the returned line consists only of pasted data. Programs may wish to
 // interpret pasted data more literally than typed data.
 var ErrPasteIndicator = term.ErrPasteIndicator
 // State contains the state of a terminal.
 type State = term.State
 // IsTerminal returns whether the given file descriptor is a terminal.
 func IsTerminal(fd int) bool {
 	return term.IsTerminal(fd)
 }
 // ReadPassword reads a line of input from a terminal without local echo.  This
 // is commonly used for inputting passwords and other sensitive data. The slice
 // returned does not include the \n.
 func ReadPassword(fd int) ([]byte, error) {
 	return term.ReadPassword(fd)
 }
 // MakeRaw puts the terminal connected to the given file descriptor into raw
 // mode and returns the previous state of the terminal so that it can be
 // restored.
 func MakeRaw(fd int) (*State, error) {
 	return term.MakeRaw(fd)
 }
 // Restore restores the terminal connected to the given file descriptor to a
 // previous state.
 func Restore(fd int, oldState *State) error {
 	return term.Restore(fd, oldState)
 }
 // GetState returns the current state of a terminal which may be useful to
 // restore the terminal after a signal.
 func GetState(fd int) (*State, error) {
 	return term.GetState(fd)
 }
 // GetSize returns the dimensions of the given terminal.
 func GetSize(fd int) (width, height int, err error) {
 	return term.GetSize(fd)
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -18,10 +18,6 @@ github.com/Microsoft/go-winio/pkg/guid
 # github.com/agext/levenshtein v1.2.3
 ## explicit
 github.com/agext/levenshtein
 # github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412
 ## explicit
 github.com/agl/ed25519
 github.com/agl/ed25519/edwards25519
 # github.com/apparentlymart/go-cidr v1.0.1
 ## explicit
 github.com/apparentlymart/go-cidr/cidr
@@ -117,21 +113,13 @@ github.com/aws/smithy-go/transport/http/internal/io
 # github.com/beorn7/perks v1.0.1
 ## explicit; go 1.11
 github.com/beorn7/perks/quantile
 # github.com/bugsnag/bugsnag-go v1.4.1
 ## explicit
 # github.com/bugsnag/panicwrap v1.2.0
 ## explicit
 # github.com/cenkalti/backoff v2.1.1+incompatible
 ## explicit
 # github.com/cenkalti/backoff/v4 v4.2.0
 ## explicit; go 1.18
 github.com/cenkalti/backoff/v4
 # github.com/cespare/xxhash/v2 v2.2.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e
+# github.com/compose-spec/compose-go v1.18.4
 ## explicit
 # github.com/compose-spec/compose-go v1.17.0
 ## explicit; go 1.19
 github.com/compose-spec/compose-go/cli
 github.com/compose-spec/compose-go/consts
@@ -206,9 +194,9 @@ github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.1
 ## explicit
 github.com/davecgh/go-spew/spew
-# github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa
+# github.com/distribution/reference v0.5.0
-## explicit; go 1.18
+## explicit; go 1.20
-github.com/distribution/distribution/v3/reference
+github.com/distribution/reference
 # github.com/docker/cli v24.0.5+incompatible
 ## explicit
 github.com/docker/cli/cli
@@ -309,10 +297,6 @@ github.com/docker/go-metrics
 # github.com/docker/go-units v0.5.0
 ## explicit
 github.com/docker/go-units
 # github.com/docker/libtrust v0.0.0-20150526203908-9cbd2a1374f4
 ## explicit
 # github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484
 ## explicit
 # github.com/emicklei/go-restful/v3 v3.10.1
 ## explicit; go 1.13
 github.com/emicklei/go-restful/v3
@@ -340,8 +324,6 @@ github.com/go-openapi/jsonreference/internal
 # github.com/go-openapi/swag v0.19.14
 ## explicit; go 1.11
 github.com/go-openapi/swag
 # github.com/go-sql-driver/mysql v1.6.0
 ## explicit; go 1.10
 # github.com/gofrs/flock v0.8.1
 ## explicit
 github.com/gofrs/flock
@@ -390,8 +372,6 @@ github.com/golang/protobuf/ptypes
 github.com/golang/protobuf/ptypes/any
 github.com/golang/protobuf/ptypes/duration
 github.com/golang/protobuf/ptypes/timestamp
 # github.com/google/certificate-transparency-go v1.1.4
 ## explicit; go 1.17
 # github.com/google/gnostic v0.5.7-v3refs
 ## explicit; go 1.12
 github.com/google/gnostic/compiler
@@ -427,8 +407,6 @@ github.com/grpc-ecosystem/go-grpc-middleware
 github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule
 github.com/grpc-ecosystem/grpc-gateway/v2/runtime
 github.com/grpc-ecosystem/grpc-gateway/v2/utilities
 # github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed
 ## explicit
 # github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 ## explicit; go 1.14
 github.com/hashicorp/go-cty-funcs/cidr
@@ -458,18 +436,12 @@ github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
 # github.com/jinzhu/gorm v1.9.2
 ## explicit
 # github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a
 ## explicit
 # github.com/josharian/intern v1.0.0
 ## explicit; go 1.5
 github.com/josharian/intern
 # github.com/json-iterator/go v1.1.12
 ## explicit; go 1.12
 github.com/json-iterator/go
 # github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
 ## explicit
 # github.com/klauspost/compress v1.16.3
 ## explicit; go 1.18
 github.com/klauspost/compress
@@ -479,8 +451,6 @@ github.com/klauspost/compress/internal/cpuinfo
 github.com/klauspost/compress/internal/snapref
 github.com/klauspost/compress/zstd
 github.com/klauspost/compress/zstd/internal/xxhash
 # github.com/kr/pretty v0.2.1
 ## explicit; go 1.12
 # github.com/mailru/easyjson v0.7.6
 ## explicit; go 1.12
 github.com/mailru/easyjson/buffer
@@ -653,8 +623,6 @@ github.com/prometheus/procfs/internal/util
 ## explicit; go 1.17
 github.com/secure-systems-lab/go-securesystemslib/cjson
 github.com/secure-systems-lab/go-securesystemslib/dsse
 # github.com/sergi/go-diff v1.2.0
 ## explicit; go 1.12
 # github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
 ## explicit
 github.com/serialx/hashring
@@ -670,14 +638,12 @@ github.com/spf13/cobra
 # github.com/spf13/pflag v1.0.5
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/spf13/viper v1.14.0
 ## explicit; go 1.17
 # github.com/stretchr/testify v1.8.4
 ## explicit; go 1.20
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# github.com/theupdateframework/notary v0.6.1
+# github.com/theupdateframework/notary v0.7.0
-## explicit
+## explicit; go 1.12
 github.com/theupdateframework/notary
 github.com/theupdateframework/notary/client
 github.com/theupdateframework/notary/client/changelist
@@ -799,7 +765,6 @@ golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/agent
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 golang.org/x/crypto/ssh/terminal
 # golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
 ## explicit; go 1.20
 golang.org/x/exp/constraints
@@ -980,12 +945,6 @@ google.golang.org/protobuf/types/known/structpb
 google.golang.org/protobuf/types/known/timestamppb
 google.golang.org/protobuf/types/known/wrapperspb
 google.golang.org/protobuf/types/pluginpb
 # gopkg.in/dancannon/gorethink.v3 v3.0.5
 ## explicit
 # gopkg.in/fatih/pool.v2 v2.0.0
 ## explicit
 # gopkg.in/gorethink/gorethink.v3 v3.0.5
 ## explicit
 # gopkg.in/inf.v0 v0.9.1
 ## explicit
 gopkg.in/inf.v0