On Thu, Mar 20, 2025, at 10:19 AM, Zdenek Dohnal via golang wrote:
> Hi all,
>
> I maintain two components written in Go, so from time to time the components 
> get CVE reports where vulnerable code comes from another component via 
> static linking during build.
>
> I was trying to figure out how to make this better, and together with 
> Jason (in CC) got an idea about automatic versioned buildrequires for Go 
> packages and versions would be taken from the package versions present 
> in buildroot.
>
> I've checked Go Fedora guidelines and saw there is 
> %go_generate_buildrequires macro, which looked promising, but 
> unfortunately it does not generate BuildRequires on golang and none of 
> the BuildRequires are versioned :( .
>
I had this issue last time too, where upstream already specifies a minimum 
version of a dependency to avoid a CVE and the information gets stripped out by 
that macro.

> Do you think it is possible to have such a feature?
>
Not sure how complex this is, but I would love this feature too. We have it for 
Python and Rust macros after all.

Best regards,

-- 
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
     README:     https://fedoraproject.org/wiki/User:Salimma#README
-- 
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
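As an added illustration of the idea discussed in this thread (it is not code from the thread, from go-rpm-macros, or from Fedora), the following Go program reads the minimum versions that upstream pinned in go.mod and renders them as versioned BuildRequires, so a floor that upstream raised to pick up a security fix is carried into the spec instead of being dropped. It assumes the `golang(importpath)` virtual-provide form and that the packaged version string compares with `>=` against the upstream semantic version (pre-release and build metadata are ignored in the comparison helper); the go.mod content, module paths and versions are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// SampleGoMod is a constructed go.mod; the module paths and versions are not real.
const SampleGoMod = `module example.com/constructed/app

go 1.22

require example.com/constructed/core/v2 v2.1.0

require (
	example.com/constructed/libone v1.4.2
	example.com/constructed/libtwo v0.9.0 // indirect
)
`

// Requirement is one minimum version taken from a go.mod "require" directive.
type Requirement struct {
	Path     string
	Version  string // upstream version without the leading "v"
	Indirect bool   // indirect modules are still statically linked into the binary
}

// ParseGoModRequires extracts the floors upstream pinned in go.mod. Both the
// single-line and the block form of "require" are handled; module, go, replace
// and exclude directives are ignored.
func ParseGoModRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseRequireLine(line); ok {
				reqs = append(reqs, r)
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if r, ok := parseRequireLine(strings.TrimPrefix(line, "require ")); ok {
				reqs = append(reqs, r)
			}
		}
	}
	return reqs
}

// parseRequireLine turns "path vX.Y.Z [// indirect]" into a Requirement.
func parseRequireLine(line string) (Requirement, bool) {
	indirect := strings.Contains(line, "// indirect")
	if i := strings.Index(line, "//"); i >= 0 {
		line = line[:i]
	}
	fields := strings.Fields(line)
	if len(fields) != 2 || !strings.HasPrefix(fields[1], "v") {
		return Requirement{}, false
	}
	return Requirement{Path: fields[0], Version: strings.TrimPrefix(fields[1], "v"), Indirect: indirect}, true
}

// BuildRequires renders one versioned BuildRequires line per requirement,
// sorted for stable spec output. The golang(importpath) provide name is the
// form Fedora Go packages use; ">=" comparability with the upstream version
// string is an assumption of this example.
func BuildRequires(reqs []Requirement) []string {
	out := make([]string, 0, len(reqs))
	for _, r := range reqs {
		out = append(out, fmt.Sprintf("BuildRequires: golang(%s) >= %s", r.Path, r.Version))
	}
	sort.Strings(out)
	return out
}

// VersionAtLeast reports whether the version present in the buildroot meets
// the upstream floor. Simplified: compares major.minor.patch numerically and
// ignores pre-release and build metadata.
func VersionAtLeast(have, want string) bool {
	h, w := numericParts(have), numericParts(want)
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

func numericParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

func main() {
	for _, l := range BuildRequires(ParseGoModRequires(SampleGoMod)) {
		fmt.Println(l)
	}
}
```

Run as-is, the program prints the three BuildRequires lines for the constructed go.mod; pointing it at a real go.mod (and wiring the result into a spec) is left to the packager, since how the buildroot versions map onto upstream versions is exactly what the thread is asking the macro to decide.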