On Sun, Aug 22, 2021 at 12:11:00AM +0300, Caleb Maclennan via arch-dev-public
wrote:
> On 2021-08-17 21:36, Morten Linderud via arch-dev-public wrote:
> > People do not really see the need to rebuild $goWorld when packages a
> > compiled
> > and nothing inherently breaks unless there is a rebuild. We don't do
> > this for
> > GCC, Rust and so on. However I do think it's nice to group up these
> > ecosystem
> > changes in one swoop as it spares me from having to repeat myself for
> > the next
> > few months as people occasionally update their Go packages.
>
> What are the relevant "ecosystem changes" in this case? In brief. Have the
> packaging guidelines been updated for 1.17 considerations?
>
> Isn't there a CVE going around in a few projects that re-compiling with 1.17
> will automatically catch and fix?
There is at least one fixed CVE in the 1.17 release:
https://www.cvedetails.com/cve/CVE-2021-29923/
I have a very mixed opinion about rebuilding the packages.
On the hand it is a security vulnerability, hence I would argue for
rebuilding them. On the other, It is very toilsome to rebuild all
packages depending on Go. Especially, if you consider that we are not
doing this for other ecosystems like Rust or GCC (yet).
Security before toil, thus we should rebuild them.
I am not happy with it, but what alternative do we have?
(There are alternatives like building packages via pipelines and signing
them automatically, but building that up would need people, know-how and
lots of planning)
signature.asc
Description: PGP signature
