On Wed, Apr 01, 2020 at 04:14:48PM -0400, Michael Orlitzky wrote:
> On 4/1/20 4:03 PM, Samuel Bernardo wrote:
> >
> > Couldn't a security issue in a Go library be solved with keyword mask and
> > announce in portage?
>
> If there's an ebuild for the library, then yeah, you've got the right
> idea. But with the Go eclasses, there are no ebuilds for any of the
> dependencies.
The problem goes deeper than that, and is more of an upstream concern
than a Gentoo concern: the Go module ecosystem pins exact
versions, not version ranges, and this is a crucial part of reproducible
builds.

Let the library be "L", with versions 1,2.
The vulnerable version is L-1, and L-2 contains the fix.
Let the package that uses the library be "P", with version 1 only.

If you wanted to USE L-2 in P-1, you generally must make modifications
to the consumers of that library. At the very least you have to modify
the go.mod file to use the new version. To satisfy the package
checksums/security in the Go ecosystem, you ALSO need to update the
go.sum file.

If the vulnerable library is a transitive dependency (e.g. indirect via
another library), then you ALSO need to update that other consumer.

At the point that there IS a reliable way to get lists of vulnerable
versions of Go modules, including the horrible timestamped v0.0.0
versions, the EGO_SUM work does contain enough data to identify ALL
vulnerable outputs on your system. That listing isn't available yet, due
to upstream working on it still:
https://github.com/golang/go/issues/24031

That listing would be transformed into a GLSA input criterion, to
identify vulnerable Gentoo packages (at which point upstream Golang has
hopefully also provided a cleaner way to bump/patch the dependency in
the scope of reproducible versions).

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
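The message above argues that go.sum (and the EGO_SUM array the Gentoo eclass derives from it) pins exact versions, pseudo-versions included, and so contains enough data to match a build against a list of vulnerable module versions once such a list exists. The following is an added example of that matching, written for this page; it is not code from the email, from Gentoo or from the Go project. The go.sum text, the module paths (example.com/lib, example.com/other, example.com/fine), the hashes and the vulnerability list are all constructed, and the list's shape (module path mapped to exact bad versions) is an assumption about what an upstream feed might look like.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SumEntry is one "module version [hash]" record, as found on a go.sum line
// or in a go-module.eclass EGO_SUM array (which omits the hash).
type SumEntry struct {
	Module  string
	Version string
	GoMod   bool   // the record carried the "/go.mod" suffix
	Hash    string // "h1:..." checksum when present, else ""
}

// ParseSum parses go.sum-style text. Surrounding quotes (as used in an
// EGO_SUM array) are tolerated; lines that are not records are skipped.
func ParseSum(text string) []SumEntry {
	var entries []SumEntry
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(strings.Trim(line, `" `))
		if len(fields) < 2 || len(fields) > 3 {
			continue
		}
		e := SumEntry{Module: fields[0], Version: fields[1]}
		if len(fields) == 3 {
			e.Hash = fields[2]
		}
		if strings.HasSuffix(e.Version, "/go.mod") {
			e.Version = strings.TrimSuffix(e.Version, "/go.mod")
			e.GoMod = true
		}
		entries = append(entries, e)
	}
	return entries
}

// Finding is a known-vulnerable module version present in the sum data.
type Finding struct {
	Module   string
	Version  string
	CodeSeen bool // a record for the module zip itself, not only its go.mod, was present
}

// FindVulnerable matches each entry's exact version against a per-module
// list of vulnerable versions. Pseudo-versions such as
// v0.0.0-20200401120000-0123456789ab are compared as opaque strings, which
// is exactly what go.sum records; no version-range arithmetic is attempted.
func FindVulnerable(entries []SumEntry, vulnerable map[string][]string) []Finding {
	type key struct{ mod, ver string }
	found := map[key]*Finding{}
	for _, e := range entries {
		bad := false
		for _, v := range vulnerable[e.Module] {
			if v == e.Version {
				bad = true
				break
			}
		}
		if !bad {
			continue
		}
		k := key{e.Module, e.Version}
		f, ok := found[k]
		if !ok {
			f = &Finding{Module: e.Module, Version: e.Version}
			found[k] = f
		}
		if !e.GoMod {
			f.CodeSeen = true
		}
	}
	out := make([]Finding, 0, len(found))
	for _, f := range found {
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Module != out[j].Module {
			return out[i].Module < out[j].Module
		}
		return out[i].Version < out[j].Version
	})
	return out
}

// SampleGoSum is constructed sample data, not a real go.sum; module paths
// and hashes are placeholders. v0.9.0 of example.com/lib appears only via
// its go.mod record, i.e. it was consulted but its code was not fetched.
const SampleGoSum = `example.com/lib v0.9.0/go.mod h1:constructed0=
example.com/lib v1.0.0 h1:constructed1=
example.com/lib v1.0.0/go.mod h1:constructed2=
example.com/other v0.0.0-20200401120000-0123456789ab h1:constructed3=
example.com/other v0.0.0-20200401120000-0123456789ab/go.mod h1:constructed4=
example.com/fine v1.2.3 h1:constructed5=
example.com/fine v1.2.3/go.mod h1:constructed6=
`

// SampleVulnerable is a constructed list in the assumed feed shape:
// module path -> exact vulnerable versions, pseudo-versions included.
var SampleVulnerable = map[string][]string{
	"example.com/lib":   {"v0.9.0", "v1.0.0"},
	"example.com/other": {"v0.0.0-20200401120000-0123456789ab"},
}

func main() {
	for _, f := range FindVulnerable(ParseSum(SampleGoSum), SampleVulnerable) {
		fmt.Printf("%s %s code-in-sum=%v\n", f.Module, f.Version, f.CodeSeen)
	}
}
```

Two caveats matter when reading the result. A version that appears only with the /go.mod suffix had its go.mod consulted during version selection; its code is not necessarily part of the build, which is why CodeSeen is reported separately. Conversely, after bumping go.mod to the fixed version, the old version's lines stay in go.sum until `go mod tidy` removes them, so a match should be confirmed against go.mod (or `go list -m all`) before it is treated as a vulnerable build.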