On Sun, Aug 22, 2021 at 12:11:00AM +0300, Caleb Maclennan via arch-dev-public wrote:
On 2021-08-17 21:36, Morten Linderud via arch-dev-public wrote:
People do not really see the need to rebuild $goWorld when packages a compiled and nothing inherently breaks unless there is a rebuild. We don't do this for GCC, Rust and so on. However I do think it's nice to group up these ecosystem changes in one swoop as it spares me from having to repeat myself for the next few months as people occasionally update their Go packages.
What are the relevant "ecosystem changes" in this case? In brief. Have the packaging guidelines been updated for 1.17 considerations?
Isn't there a CVE going around in a few projects that re-compiling with 1.17 will automatically catch and fix?
There is at least one fixed CVE in the 1.17 release: https://www.cvedetails.com/cve/CVE-2021-29923/ I have a very mixed opinion about rebuilding the packages. On the hand it is a security vulnerability, hence I would argue for rebuilding them. On the other, It is very toilsome to rebuild all packages depending on Go. Especially, if you consider that we are not doing this for other ecosystems like Rust or GCC (yet). Security before toil, thus we should rebuild them. I am not happy with it, but what alternative do we have? (There are alternatives like building packages via pipelines and signing them automatically, but building that up would need people, know-how and lots of planning)