On 21.03.25 at 13:55, Alejandro Saez Morollon via golang wrote:


On Thu, Mar 20, 2025 at 4:22 PM Zdenek Dohnal via golang <golang@lists.fedoraproject.org> wrote:

    Hi all,

    I maintain two components written in Go, so from time to time the components
    get CVE reports where vulnerable code comes from another component via
    static linking during build.

    I was trying to figure out how to make this better, and together with
    Jason (in CC) got an idea about automatic versioned buildrequires for Go
    packages, and versions would be taken from the package versions present
    in the buildroot.

    I've checked Go Fedora guidelines and saw there is
    %go_generate_buildrequires macro, which looked promising, but
    unfortunately it does not generate BuildRequires on golang and none of
    the BuildRequires are versioned :( .

    Do you think it is possible to have such a feature?

    e.g. BuildRequires: golang-src >= 1.24.1-1, or BuildRequires:
    golang(github.com/golang/go) >= 1.24.1-1

    would tell us the package is built with this golang version, and if a
    new golang version comes later into repos, the package will still work
    with the new golang due to '>='.

    Once a CVE fix comes into golang and a new golang version is released,
    the presence of the older version in the buildrequires of another package will
    indicate the package includes vulnerable code, and it has to be rebuilt
    once the original package includes a fix.

    I have tried to come up with at least a PoC for getting the golang version
    from the buildroot and adding the versioned buildrequires, but no luck so far.


I'm not really sure if I understand the problem, but I hope these two things help:

First, this is not exactly what you want to do, but we have a script in the rpms/golang package to generate the provides, maybe you can draw inspiration from it: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/bundled-deps.sh


This applies only to builds that use the vendored approach.
Already used while packaging. The trick for them is to add
"%license vendor/modules.txt" to the "%files" section
(activates the corresponding generator).

IIUC, this does not cover everything, right?

In the build dir, "go list -json | jq .Imports" shows all imports.



Second, regarding the %go_generate_buildrequires macro, have you tried using go2rpm (again, I checked your golang packages, and it seems you generated them years ago with an old version of go2rpm)? In the most recent versions it uses go_generate_buildrequires by default.
Just in case there are some issues in the way you are invoking the macro.
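The thread's concern is knowing which Go toolchain and which statically linked modules a shipped binary actually contains. As an added example (my own code, not from the thread, Fedora's tooling or go2rpm), this small Go program reads the build info the Go linker embeds in every binary through the standard library's debug/buildinfo package, lists the linked modules, and flags the binary for rebuild when its toolchain is older than a minimum given in the thread's "1.24.1-1" style; the program name gobinaudit and the function names are my own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strings"
)

// versionKey turns "go1.24.1", "1.24.1", "1.24.1-1" (RPM release suffix) or
// "1.24" into major*1e6+minor*1e3+patch so versions compare as plain integers.
// Pre-release toolchains such as "go1.25rc1" are rejected rather than guessed.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	v, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(v), "go"), "-")
	// Appending ".0" lets a two-part "1.24" satisfy the three-field format.
	n, _ := fmt.Sscanf(v+".0", "%d.%d.%d", &major, &minor, &patch)
	if n < 3 || minor > 999 || patch > 999 {
		return 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	return major*1e6 + minor*1e3 + patch, nil
}

// auditBinary reads the build info the Go linker embeds in every binary (the
// data "go version -m" prints): the toolchain version and every statically
// linked module. rebuild is true when that toolchain is older than minGo.
func auditBinary(path, minGo string) (goVer string, deps []string, rebuild bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, false, err
	}
	for _, d := range bi.Deps {
		deps = append(deps, d.Path+" "+d.Version)
	}
	built, err := versionKey(bi.GoVersion)
	if err != nil {
		return bi.GoVersion, deps, false, err
	}
	minKey, err := versionKey(minGo)
	return bi.GoVersion, deps, err == nil && built < minKey, err
}

func main() { // usage: gobinaudit <binary> <minimum-go-version>
	ver, deps, rebuild, err := auditBinary(os.Args[1], os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s: built with %s, rebuild needed: %v\n%s\n", os.Args[1], ver, rebuild, strings.Join(deps, "\n"))
}
```

Run against every Go binary in an RPM's buildroot, this gives the toolchain version a versioned BuildRequires would record, plus the module list that a CVE in a statically linked dependency has to be checked against.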

--
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue