| 1 |
On Wed, Apr 01, 2020 at 04:14:48PM -0400, Michael Orlitzky wrote: |
| 2 |
> On 4/1/20 4:03 PM, Samuel Bernardo wrote: |
| 3 |
> > |
| 4 |
> > Couldn't security issue in a Go library be solved with keyword mask and |
| 5 |
> > announce in portage? |
| 6 |
> |
| 7 |
> If there's an ebuild for the library, then yeah, you've got the right |
| 8 |
> idea. But with the Go eclasses, there are no ebuilds for any of the |
| 9 |
> dependencies. |
| 10 |
The problem goes deeper than that, and is more of an upstream concern |
| 11 |
than a Gentoo concern: because the Go module ecosystem pins exact |
| 12 |
versions, not version ranges, and this is a crucial part of reproducible |
| 13 |
builds. |
| 14 |
|
| 15 |
Let the library be "L", with versions 1,2. |
| 16 |
The vulnerable version is L-1, and L-2 contains the fix. |
| 17 |
Let the package that uses the library be "P", with version 1 only. |
| 18 |
|
| 19 |
If you wanted to USE L-2 in P-1, you generally must make modifications |
| 20 |
to the consumers of that library. At the very least you have to modify |
| 21 |
the go.mod file to use the new version. To satisfy the package |
| 22 |
checksums/security in the Go ecosystem, you ALSO need to update the |
| 23 |
go.sum file. |
| 24 |
|
| 25 |
If the vulnerable library is a transitive dependency (e.g. indirect via |
| 26 |
another library), then you ALSO need to update that other consumer. |
| 27 |
|
| 28 |
At the point that there IS a reliable way to get lists of vulnerable |
| 29 |
versions of Go modules, including the horrible timestamped v0.0.0 |
| 30 |
versions, the EGO_SUM work does contain enough data to identify ALL |
| 31 |
vulnerable outputs on your system. That listing isn't available yet, due |
| 32 |
to upstream working on it still: |
| 33 |
https://github.com/golang/go/issues/24031 |
| 34 |
|
| 35 |
That listing would be transformed into a GLSA input criterion, to |
| 36 |
identify vulnerable Gentoo packages (at which point upstream Golang has |
| 37 |
hopefully also provided a cleaner way to bump/patch the dependency in |
| 38 |
the scope of reproducible versions). |
| 39 |
|
| 40 |
-- |
| 41 |
Robin Hugh Johnson |
| 42 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 43 |
E-Mail : robbat2@g.o |
| 44 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 45 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives