Hi all,
I maintain two components written in Go, so from time to time the components
get CVE reports where the vulnerable code comes from another component via
static linking during the build.
I was trying to figure out how to make this better, and together with
Jason (in CC) I got an idea about automatic versioned BuildRequires for Go
packages, where the versions would be taken from the package versions present
in the buildroot.
I've checked the Fedora Go guidelines and saw there is a
%go_generate_buildrequires macro, which looked promising, but
unfortunately it does not generate a BuildRequires on golang, and none of
the BuildRequires are versioned :( .
Do you think it is possible to have such a feature?
e.g. BuildRequires: golang-src >= 1.24.1-1, or BuildRequires:
golang(github.com/golang/go) >= 1.24.1-1
would tell us the package is built with this golang version, and if a
new golang version comes into the repos later, the package will still work
with the new golang due to the '>='.
Once a CVE fix comes into golang and a new golang version is released,
the presence of the older version in the BuildRequires of another package will
indicate that the package includes vulnerable code, and it has to be rebuilt
once the original package includes a fix.
I have tried to come up at least with a PoC for getting the golang version
from the buildroot and adding the versioned BuildRequires, but no luck so far.
Thank you in advance!
Zdenek
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
--
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
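The PoC the post asks about, as an added shell example that is not part of the original message and not part of Fedora's Go macros. It assumes the toolchain package in the buildroot is named golang, that rpm's %{EVR} query tag is used to read its epoch:version-release, and that the output is consumed by a spec's %generate_buildrequires section (dynamic BuildRequires, which is also where %go_generate_buildrequires runs). The EVR 1.24.1-1.fc42 inside the block is a constructed sample for running it outside a buildroot, not a real build.

```sh
#!/bin/sh
# Added example, not from the original post or from Fedora's Go macros.
# Emits a versioned BuildRequires for the Go toolchain present in the
# buildroot, meant to be run from a spec's %generate_buildrequires section:
#
#   %generate_buildrequires
#   %go_generate_buildrequires
#   sh /path/to/this-script.sh     # prints "BuildRequires: golang >= ..."
#
# Assumptions: the toolchain package is named "golang" and rpm's %{EVR}
# query tag is used to read its epoch:version-release.

GO_PKG=golang

# query_golang_evr prints the EVR of the golang package installed in the
# buildroot; it fails (non-zero) when rpm or the package is absent.
query_golang_evr() {
    rpm -q --qf '%{EVR}\n' "$GO_PKG" 2>/dev/null
}

# strip_dist drops a trailing Fedora/EPEL dist tag (.fc42, .el9) from an EVR
# so the generated dependency is still satisfiable after a mass rebuild on
# the next release, while the upstream version-release stays pinned.
strip_dist() {
    printf '%s\n' "$1" | sed -E 's/\.(fc|el)[0-9]+$//'
}

# buildrequires_line PKG EVR prints "BuildRequires: PKG >= EVR".  It refuses
# an EVR without a "version-release" shape, so a failed query never turns into
# an unversioned or malformed dependency line in the generated BuildRequires.
buildrequires_line() {
    pkg=$1
    evr=$2
    case $evr in
        *[0-9]-*) ;;
        *)  printf 'buildrequires_line: malformed EVR "%s"\n' "$evr" >&2
            return 1 ;;
    esac
    printf 'BuildRequires: %s >= %s\n' "$pkg" "$evr"
}

# evr_older_than A B prints "yes" when version-release A sorts before B,
# "no" otherwise.  This is the audit side of the idea in the post: compare the
# golang EVR recorded in a package's BuildRequires against the fixed golang
# EVR now in the repos to list packages still carrying the vulnerable code.
# Uses sort -V (GNU coreutils/BusyBox) as a stand-in for rpmvercmp.
evr_older_than() {
    [ "$1" = "$2" ] && { echo no; return; }
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    if [ "$first" = "$1" ]; then echo yes; else echo no; fi
}

# Constructed sample used when this runs outside a buildroot (no rpm, or no
# golang installed); a real build uses whatever rpm reports.
SAMPLE_EVR=1.24.1-1.fc42

evr=$(query_golang_evr) || evr=$SAMPLE_EVR
buildrequires_line "$GO_PKG" "$(strip_dist "$evr")"
```

Two caveats when using this. First, sort -V is not rpmvercmp: it agrees on plain dotted versions like the Go toolchain's, but for anything with tildes, carets or letters the comparison should be done with rpmdev-vercmp or rpm's Python bindings. Second, the generated line only records which toolchain the package was built against; '>=' keeps the package installable when a newer golang lands but does not force a rebuild, so the audit (evr_older_than over every Go package's recorded golang EVR) is what actually turns a golang CVE fix into a list of packages to rebuild.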