On Thu, Mar 20, 2025, at 10:19 AM, Zdenek Dohnal via golang wrote:
> Hi all,
>
> I maintain two components written in Go, so from time to time the components
> get CVE reports where vulnerable code comes from another component via
> static linking during build.
>
> I was trying to figure out how to make this better, and together with
> Jason (in CC) got an idea about automatic versioned BuildRequires for Go
> packages, where versions would be taken from the package versions present
> in the buildroot.
>
> I've checked the Go Fedora guidelines and saw there is a
> %go_generate_buildrequires macro, which looked promising, but
> unfortunately it does not generate BuildRequires on golang and none of
> the BuildRequires are versioned :( .

I had this issue last time too, where upstream already specifies a minimum
version of a dependency to avoid a CVE and the information gets stripped out
by that macro.
> Do you think it is possible to have such a feature?

Not sure how complex this is, but I would love this feature too. We have it
for the Python and Rust macros after all.

Best regards,

--
_o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
README: https://fedoraproject.org/wiki/User:Salimma#README
--
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
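The thread's complaint is that go.mod already carries the minimum dependency version that fixes a CVE, but the generated BuildRequires are unversioned, so a buildroot holding an older dependency RPM satisfies them and the vulnerable code is statically linked in without any error. The following is an added example, written for this page and not taken from the thread or from the go-rpm-macros project, of what a version-preserving generator would have to do: parse the require directives out of go.mod and emit versioned BuildRequires. The go.mod content is constructed, and the `golang(<import path>)` virtual-provide name, the `>=` form, and the Go-to-RPM version mapping (drop `v`, drop `+incompatible`, pre-release separator to `~`) are assumptions for the example, not a statement of what Fedora's macros do. Pseudo-versions are deliberately not mapped: they name a commit, and turning them into an RPM version depends on the distribution's snapshot convention.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleGoMod is a constructed go.mod for this example; the module paths
// and versions are made up and do not refer to real projects.
const sampleGoMod = `module example.com/myservice

go 1.22

require (
	github.com/example/netlib v1.4.2
	github.com/example/jsonx v0.9.1 // indirect
	example.org/legacy/tool v0.0.0-20240102030405-0123456789ab
)

require golang.org/x/example v0.3.0
`

// Requirement is one require entry from go.mod.
type Requirement struct {
	Path     string
	Version  string // as written in go.mod, e.g. v1.4.2
	Indirect bool   // marked "// indirect" by the go tool
}

// pseudoVersionRE recognises Go pseudo-versions such as
// v0.0.0-20240102030405-0123456789ab (a commit, not a tagged release).
var pseudoVersionRE = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?\d{14}-[0-9a-f]{12}$`)

// ParseGoMod extracts require directives (single-line and block form) from
// go.mod text. module, go, replace and exclude directives are ignored: they
// do not express minimum dependency versions.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
			continue
		case !inBlock && strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case !inBlock && strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		// line is now "<module path> <version> [// comment]"
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return reqs
}

// RPMVersion maps a tagged Go version to the assumed RPM form: "v" dropped,
// "+incompatible" dropped, first "-" (pre-release) turned into "~" so that
// 1.2.3~rc1 sorts before 1.2.3. Pseudo-versions return ok=false.
func RPMVersion(goVersion string) (rpmVersion string, ok bool) {
	if pseudoVersionRE.MatchString(goVersion) {
		return "", false
	}
	v := strings.TrimPrefix(goVersion, "v")
	v = strings.TrimSuffix(v, "+incompatible")
	return strings.Replace(v, "-", "~", 1), true
}

// BuildRequiresLines renders spec-file lines. The golang(<import path>)
// provide name and ">=" form are this example's assumption. A versioned line
// makes a buildroot with an older, still-vulnerable dependency fail the
// build instead of linking it in silently.
func BuildRequiresLines(reqs []Requirement, includeIndirect bool) []string {
	var out []string
	for _, r := range reqs {
		if r.Indirect && !includeIndirect {
			continue
		}
		v, ok := RPMVersion(r.Version)
		if !ok {
			// No minimum can be expressed; record why in the spec rather
			// than emitting an unversioned dependency without comment.
			out = append(out, fmt.Sprintf("# %s: go.mod pins pseudo-version %s, minimum not expressed", r.Path, r.Version))
			out = append(out, fmt.Sprintf("BuildRequires: golang(%s)", r.Path))
			continue
		}
		out = append(out, fmt.Sprintf("BuildRequires: golang(%s) >= %s", r.Path, v))
	}
	return out
}

func main() {
	for _, l := range BuildRequiresLines(ParseGoMod(sampleGoMod), false) {
		fmt.Println(l)
	}
}
```

Run against the constructed go.mod it prints a `>=` line for each tagged requirement and a commented, unversioned line for the pseudo-versioned one; the indirect dependency is omitted unless `includeIndirect` is set. Whether the buildroot can actually satisfy `golang(...) >= X` depends on the distribution's Go packages providing versioned `golang(...)` symbols in a matching scheme, which this example assumes rather than verifies.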