On Mon, 13 Oct 2025 at 10:05, Tianon Gravi <[email protected]> wrote: > > On Sun, 12 Oct 2025 at 06:32, Reinhard Tartler <[email protected]> wrote: > > > > Dear fellow Debian Golang Packagers, > > > > I am writing to give you a heads-up about a subtle change in Golang 1.25.2 > > that makes X.509 certificate verification more strict in the `crypto/x509` > > package, which is part of the standard library. The change in question is > > https://github.com/golang/go/commit/3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4 > > and I expect it to break rebuilds of several golang packages in Debian. > > > > Specifically, the DNS in the X.509v3 Subject Alternative Name can no longer > > be empty (cf. > > https://github.com/etcd-io/etcd/pull/20775#issuecomment-3385325872). This > > change caused #1117747. I have also seen a similar issue when rebuilding > > `sigstore-go`, and I plan to file a proper bug report later. > > > > I hope this heads-up saves valuable time for others who are surprised by > > test failures containing the error: "x509: SAN rfc822Name is malformed". > > Looks like they've already rolled it back and are thinking about doing > a patch release. 👀 > > https://github.com/golang/go/issues/75828#issuecomment-3393726547 > > > We have merged a change which addresses this, and are determining the > > feasibility of doing a point release before our next scheduled release > > (currently scheduled for Nov 4) so that we can get a fixed version out as > > soon as possible.
Nice, and there's 1.25.2 and 1.24.8 which include this revert: https://groups.google.com/g/golang-announce/c/YEyj6FUNbik/m/_SDlIvxuCAAJ I'll try to get those uploaded ASAP (if someone else doesn't beat me to the dance). ♥, - Tianon 4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
