On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <m...@gentoo.org> wrote:
> On 9/16/19 10:17 AM, William Hubbs wrote:
> > +
> > +# @FUNCTION: go-module_pkg_postinst
> > +# @DESCRIPTION:
> > +# Display a warning about security updates for Go programs.
> > +go-module_pkg_postinst() {
> > + ewarn "${PN} is written in the Go programming language."
> > + ewarn "Since this language is statically linked, security"
> > + ewarn "updates will be handled in individual packages and will be"
> > + ewarn "difficult for us to track as a distribution."
> > + ewarn "For this reason, please update any go packages asap when
> new"
> > + ewarn "versions enter the tree or go stable if you are running the"
> > + ewarn "stable tree."
> > +}
> > +
> > +fi
> >
>
> This word salad is 100% misinformation that gets tangled in itself
> trying to apologize for what we're about to do:
>
> * Go is not a "statically linked language." There's gccgo, and as Alec
> pointed out, the official compiler has supported dynamic linking for
> years now.
>
I'm actually pretty fine with this wording, upstream has said not to
dynamically link in these use cases.
>
> * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
> trying to make it sound like we haven't thrown people under a bus,
> but saying "for this reason, please update..." is just misleading.
>
> Here's what it should say:
>
> WARNING: due to a lack of manpower/interest, Go packages on Gentoo
> are statically linked. Contrary to our existing policies and what
> the website says, Go packages will never receive any security updates
> on Gentoo. Use at your own risk!
So if the package *maintainer* bumps each package every time it, or a dep
has a security issue; then updating will work fine.
I'm skeptical go maintainers are volunteering for this though.
-A
