Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules

Wed, 18 Sep 2019 12:28:43 -0700 

On 9/18/19 11:04 AM, Alec Warner wrote:
> 
> 
> On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <m...@gentoo.org
> <mailto:m...@gentoo.org>> wrote:
> 
>     On 9/16/19 10:17 AM, William Hubbs wrote:
>     > +
>     > +# @FUNCTION: go-module_pkg_postinst
>     > +# @DESCRIPTION:
>     > +# Display a warning about security updates for Go programs.
>     > +go-module_pkg_postinst() {
>     > +     ewarn "${PN} is written in the Go programming language."
>     > +     ewarn "Since this language is statically linked, security"
>     > +     ewarn "updates will be handled in individual packages and
>     will be"
>     > +     ewarn "difficult for us to track as a distribution."
>     > +     ewarn "For this reason, please update any go packages asap
>     when new"
>     > +     ewarn "versions enter the tree or go stable if you are
>     running the"
>     > +     ewarn "stable tree."
>     > +}
>     > +
>     > +fi
>     >
> 
>     This word salad is 100% misinformation that gets tangled in itself
>     trying to apologize for what we're about to do:
> 
>       * Go is not a "statically linked language." There's gccgo, and as Alec
>         pointed out, the official compiler has supported dynamic linking for
>         years now.
> 
> 
> I'm actually pretty fine with this wording, upstream has said not to
> dynamically link in these use cases.
>  
> 
> 
>       * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
>         trying to make it sound like we haven't thrown people under a bus,
>         but saying "for this reason, please update..." is just misleading.
> 
>     Here's what it should say:
> 
>       WARNING: due to a lack of manpower/interest, Go packages on Gentoo
>       are statically linked. Contrary to our existing policies and what
>       the website says, Go packages will never receive any security updates
>       on Gentoo. Use at your own risk!
> 
> 
> So if the package *maintainer* bumps each package every time it, or a
> dep has a security issue; then updating will work fine.
> I'm skeptical go maintainers are volunteering for this though.

There's a script here which helps to automate refresh of commit hashes
in EGO_VENDOR:

    https://github.com/hsoft/gentoo-ego-vendor-update

Just now I've used it to refresh vendored dependencies in
net-misc/drive:

    
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3993b893d4788beaad945bc82df0f4efd91ce697
-- 
Thanks,
Zac

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to