Summary
src/cmd/linuxkit/pkglib/dockerimpl.go uses authprovider.DockerAuthProviderConfig{ConfigFile: cf} (around line 609), but the ConfigFile field was removed from DockerAuthProviderConfig in github.com/moby/buildkit v0.27.0. This makes linuxkit fail to compile when vendored into a project using buildkit v0.27.0 or later.
Error
# github.com/linuxkit/linuxkit/src/cmd/linuxkit/pkglib
pkglib/dockerimpl.go:609:76: unknown field ConfigFile in struct literal of type authprovider.DockerAuthProviderConfig
Security context
buildkit v0.28.1 fixes CVE-2026-33747 (GHSA-4c29-8rgm-jvjj), a path traversal vulnerability (CVSS 8.4 HIGH) where a malicious custom frontend can write files outside the BuildKit state directory. The fix is only available in v0.28.1 — it was not backported to v0.26.x or v0.27.x.
Projects that depend on both linuxkit and buildkit are currently unable to pick up this security fix because linuxkit's last buildkit bump was to v0.26.3 (commit e0151386c8d2).
Required change
In buildkit v0.27.0+, DockerAuthProviderConfig replaced ConfigFile *configfile.ConfigFile with an AuthConfigProvider interface:
type DockerAuthProviderConfig struct {
AuthConfigProvider AuthConfigProvider
TLSConfigs map[string]*AuthTLSConfig
ExpireCachedAuth ExpireCachedAuthCheck
}The linuxkit code in dockerimpl.go needs to be updated to use this new interface instead of passing the raw configfile.ConfigFile.
Request
Please update github.com/moby/buildkit in src/cmd/linuxkit/go.mod to v0.28.1 (or at minimum v0.27.0) and fix the authprovider.DockerAuthProviderConfig usage in pkglib/dockerimpl.go accordingly.
Summary
src/cmd/linuxkit/pkglib/dockerimpl.gousesauthprovider.DockerAuthProviderConfig{ConfigFile: cf}(around line 609), but theConfigFilefield was removed fromDockerAuthProviderConfigingithub.com/moby/buildkitv0.27.0. This makes linuxkit fail to compile when vendored into a project using buildkit v0.27.0 or later.Error
Security context
buildkit v0.28.1 fixes CVE-2026-33747 (GHSA-4c29-8rgm-jvjj), a path traversal vulnerability (CVSS 8.4 HIGH) where a malicious custom frontend can write files outside the BuildKit state directory. The fix is only available in v0.28.1 — it was not backported to v0.26.x or v0.27.x.
Projects that depend on both linuxkit and buildkit are currently unable to pick up this security fix because linuxkit's last buildkit bump was to v0.26.3 (commit
e0151386c8d2).Required change
In buildkit v0.27.0+,
DockerAuthProviderConfigreplacedConfigFile *configfile.ConfigFilewith anAuthConfigProviderinterface:The linuxkit code in
dockerimpl.goneeds to be updated to use this new interface instead of passing the rawconfigfile.ConfigFile.Request
Please update
github.com/moby/buildkitinsrc/cmd/linuxkit/go.modto v0.28.1 (or at minimum v0.27.0) and fix theauthprovider.DockerAuthProviderConfigusage inpkglib/dockerimpl.goaccordingly.