Sandboxlib

Latest version: v0.3.1

0.8.2

Minor release of the spec with two tooling fixes:
- Updated Godeps to the latest k8s.io packages, which should help downstream users attempting to vendor schema code (607)
- Minor fixes to the ACE validator (605)

0.8.1

Minor release of the spec which introduces one new backwards-compatible feature: the field `readOnlyRootFS` in the pod spec.
If this field is set for an app, the app's root filesystem must be mounted read-only by the executor.

0.8.0

This release of the spec contains one major change over the 0.7.x series, which is that Simple Discovery has been removed.
The value of Simple Discovery has always been somewhat dubious, and most implementations of the spec (`apcera/kurma`, `3ofcoins/jetpack`, `coreos/rkt`) never actually implemented it.
On the other hand, meta discovery is used actively and arguably is synonymous with discovery.
Simple Discovery is now removed entirely and App Container Image Discovery is what was formerly called Meta Discovery.

There is also one breaking change in the discovery code: DiscoverEndpoints and DiscoverPublicKeys have been reworked.
DiscoverEndpoints is renamed to DiscoverACIEndpoints (for consistency), and each method now returns only its requested type.

Spec changes:
- Defined a default capability set for executors
- Added specificity to metadata endpoint descriptions.
- Clarified image dependencies
- Added a note that dependencies can form a tree, or a directed acyclic graph if they share a common dependency.
- Fixed pod spec to clarify the 'mode' field is a string, not an integer.

Tooling/build changes:
- Dropped Go 1.3 and 1.4 support in testing, added Go 1.6
- Updated errorutil import path
- Performed an unrewrite of import paths
- Removed dependency on glibc in pkg/device, so that appc can be built as a statically linked binary on Linux
- Changed to use actual `GOOS` and `GOARCH` of system when building validator ACIs
- Implemented `actool patch-manifest --revoke-capability`

0.7.4

Minor release of the spec with some enhancements to the schema types and discovery code:
- Added `AsIsolator` constructors for Memory and CPU resource isolators (552)
- Added insecure flags for HTTP and TLS to discovery code, for more granular control over security during discovery (545, 551)

0.7.3

This is a minor release of the spec with one bug fix over the previous release:
- Fixed the `AsIsolator` function on the LinuxCapabilitiesSet isolator types so it correctly populates the value

0.7.2

This is a minor release of the spec which should be fully backwards-compatible but extends functionality in several ways and loosens some restrictions.

Spec changes:
- The requirement for the metadata service has been downgraded to a SHOULD. This requirement necessitated a daemon which seemed burdensome for implementations.
- Added a SHOULD requirement for Linux ACEs to provide a basic `/etc/hosts` if none already exists in application filesystems
- The requirement for `exec` fields in the `app` schema to be non-empty was removed. An ACE is permitted to override/replace this section and so this provides greater flexibility when generating images, particularly when converting from other image types to ACI.
- Added `mode`, `uid`, and `gid` parameters to empty volumes. This allows setting which permissions are applied to empty volumes.
- Changed the definition of the executable path in `app.exec` to be PATH-dependent. The procedure for an ACE to locate the executable path mimics that of the shell (as described in `man 3 exec`). This means that executable paths are no longer required to be absolute.

Other changes:
- Improved manifest parsing errors - when provided manifests are invalid JSON, the erroneous line and column number will now be highlighted in the produced error
- The discovery code now includes per-host HTTP headers, allowing authentication during discovery
- Added several new helper functions for initializing memory and CPU isolator types
- Added several helpers to work with LinuxCapabilitiesSet schema types
- Refactored the MakeQueryString helper to centralise the parsing of different comma-separated label/value strings used in several places (for volumes, ports, mountpoints, etc). This also now escapes values when parsing, allowing values with special URL characters like "+" or "&"
- Fixed a nil-pointer dereference in the schema `Volume` type's `String()` method
