Gentoo Archives: gentoo-dev

From: William Hubbs <williamh@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
Date: Wed, 18 Sep 2019 21:11:55
Message-Id: 20190918211143.GA8809@whubbs1.dev.av1.gaikai.org
In Reply to: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules by Zac Medico
On Wed, Sep 18, 2019 at 12:28:29PM -0700, Zac Medico wrote:
> On 9/18/19 11:04 AM, Alec Warner wrote:
> >
> >
> > On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <mjo@g.o
> > <mailto:mjo@g.o>> wrote:
> >
> > On 9/16/19 10:17 AM, William Hubbs wrote:
> > > +
> > > +# @FUNCTION: go-module_pkg_postinst
> > > +# @DESCRIPTION:
> > > +# Display a warning about security updates for Go programs.
> > > +go-module_pkg_postinst() {
> > > +     ewarn "${PN} is written in the Go programming language."
> > > +     ewarn "Since this language is statically linked, security"
> > > +     ewarn "updates will be handled in individual packages and
> > will be"
> > > +     ewarn "difficult for us to track as a distribution."
> > > +     ewarn "For this reason, please update any go packages asap
> > when new"
> > > +     ewarn "versions enter the tree or go stable if you are
> > running the"
> > > +     ewarn "stable tree."
> > > +}
> > > +
> > > +fi
> > >
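Review bot: the ewarn text in go-module_pkg_postinst presents static linking as a property of the language ("Since this language is statically linked") and then tells the user that updating helps, which is only true if the maintainer revises every Go package that bundles the affected dependency; suggest rewording the message to what the eclass actually implies, along the lines of `ewarn "${PN} is built with its Go dependencies compiled in."` / `ewarn "A fix in a dependency reaches you only via a new revision of ${PN}."`, and dropping the "go stable" / "stable tree" sentence, which gives the user nothing to act on. Since this function runs on every install of every consumer of the eclass, the shorter and more precise the message, the better.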
> >
> > This word salad is 100% misinformation that gets tangled in itself
> > trying to apologize for what we're about to do:
> >
> >   * Go is not a "statically linked language." There's gccgo, and as Alec
> >     pointed out, the official compiler has supported dynamic linking for
> >     years now.
> >
> >
> > I'm actually pretty fine with this wording, upstream has said not to
> > dynamically link in these use cases.
> >
> >
> >
> >   * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
> >     trying to make it sound like we haven't thrown people under a bus,
> >     but saying "for this reason, please update..." is just misleading.
> >
> > Here's what it should say:
> >
> >   WARNING: due to a lack of manpower/interest, Go packages on Gentoo
> >   are statically linked. Contrary to our existing policies and what
> >   the website says, Go packages will never receive any security updates
> >   on Gentoo. Use at your own risk!
> >
> >
> > So if the package *maintainer* bumps each package every time it, or a
> > dep has a security issue; then updating will work fine.
> > I'm skeptical go maintainers are volunteering for this though.
>
> There's a script here which helps to automate refresh of commit hashes
> in EGO_VENDOR:
>
> https://github.com/hsoft/gentoo-ego-vendor-update
>
> Just now I've used it to refresh vendored dependencies in
> net-misc/drive:
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3993b893d4788beaad945bc82df0f4efd91ce697

I have seen that script, and it really doesn't work for modules. It
would need to parse go.mod and grab the dependencies based on the
information in that file.

William
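William's point above, that a refresh tool for go modules has to read go.mod rather than a vendor tree, as an added Go example that is not part of this thread nor of the gentoo-ego-vendor-update script: it parses the require entries of a go.mod (one-line and block forms) and pulls the commit hash out of a pseudo-version, which is the value an EGO_VENDOR-style list pins and the list a maintainer has to check when a dependency gets a security fix. The go.mod in the block is constructed; its module paths and versions are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)
// Dep is one require entry of go.mod: module path, pinned version, indirect flag.
type Dep struct {
	Path, Version string
	Indirect      bool
}
// ParseGoMod returns the require entries of go.mod text, in one-line or block
// form; comments and other directives (module, go, replace, exclude) are ignored.
func ParseGoMod(src string) []Dep {
	deps, inBlock := []Dep{}, false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank or comment-only line
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			deps = append(deps, Dep{f[0], f[1], indirect})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			deps = append(deps, Dep{f[1], f[2], indirect})
		}
	}
	return deps
}
// CommitOf returns the 12-hex commit prefix of a pseudo-version, "" for a tagged release.
func CommitOf(version string) string {
	if p := strings.Split(version, "-"); len(p) == 3 && len(p[1]) == 14 && len(p[2]) == 12 {
		return p[2]
	}
	return ""
}
// sampleGoMod is a constructed go.mod; module paths and versions are made up.
const sampleGoMod = "module example.com/drive\n\ngo 1.13\n\nrequire example.com/log v0.0.0-20190101120000-0123456789ab\n\n" +
	"require (\n\texample.com/cli v1.2.3\n\texample.com/net v0.0.0-20190315090000-abcdef012345 // indirect\n)\n\n" +
	"replace example.com/net => ../forks/net\n"
func main() { fmt.Println(ParseGoMod(sampleGoMod)) }
```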

Attachments: signature.asc (application/pgp-signature)