[arch-dev-public] Go 1.17 released - to rebuild or not to rebuild

Christian Rebischke Chris.Rebischke at archlinux.org
Sat Aug 21 22:48:39 UTC 2021


On Sun, Aug 22, 2021 at 12:11:00AM +0300, Caleb Maclennan via arch-dev-public wrote:
> On 2021-08-17 21:36, Morten Linderud via arch-dev-public wrote:
> > People do not really see the need to rebuild $goWorld when packages are
> > compiled and nothing inherently breaks unless there is a rebuild. We don't
> > do this for GCC, Rust and so on. However I do think it's nice to group up
> > these ecosystem changes in one swoop as it spares me from having to repeat
> > myself for the next few months as people occasionally update their Go
> > packages.
> 
> What are the relevant "ecosystem changes" in this case? In brief. Have the
> packaging guidelines been updated for 1.17 considerations?
> 
> Isn't there a CVE going around in a few projects that re-compiling with 1.17
> will automatically catch and fix?

There is at least one fixed CVE in the 1.17 release:
https://www.cvedetails.com/cve/CVE-2021-29923/

I have a very mixed opinion about rebuilding the packages.
On the one hand it is a security vulnerability, hence I would argue for
rebuilding them. On the other, it is very toilsome to rebuild all
packages depending on Go. Especially, if you consider that we are not
doing this for other ecosystems like Rust or GCC (yet).

Security before toil, thus we should rebuild them.

I am not happy with it, but what alternative do we have?

(There are alternatives like building packages via pipelines and signing
them automatically, but building that up would need people, know-how and
lots of planning)
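The rebuild question above comes down to one fact: Go links its standard library statically, so a fix that ships in the Go 1.17 toolchain reaches an installed package only once that package is rebuilt. A practical first step before deciding what to rebuild is an inventory of which installed binaries still embed an older toolchain. The script below is an added example for this thread, not Arch's own tooling or the Go project's; it uses a heuristic scan for the `go1.X.Y` version string that the Go runtime compiles into every binary, rather than a full parse of the ELF `.go.buildinfo` section, and the sample "binaries" are constructed inline so it runs offline. The threshold version (1.17) comes from the release discussed in the thread.

```python
"""Inventory Go-built binaries by the toolchain version they embed.

Added example (not Arch or Go project code): a heuristic scan for the
version string the Go runtime embeds in every binary it builds
(e.g. "go1.16.7"). Because Go links its standard library statically, a
stdlib fix shipped in a toolchain release only reaches a package once that
package is rebuilt; binaries whose embedded version is older than the fixed
release are the rebuild candidates.
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Matches "go1.16.7", "go1.17", "go1.17rc2", ... in raw binary contents.
# The negative lookbehind keeps "django1.2"-style strings from matching.
GO_VERSION_RE = re.compile(rb"(?<![A-Za-z])go1\.(\d{1,3})(?:\.(\d{1,3}))?")

# First release carrying the fix discussed in the thread (Go 1.17).
FIXED_IN = (1, 17, 0)

Version = Tuple[int, int, int]


def parse_go_version(blob: bytes) -> Optional[Version]:
    """Return the lowest Go version string found in a byte blob, or None.

    A binary built with an old toolchain may also contain newer-looking
    strings coming from dependencies, so the scan keeps the lowest version:
    it errs toward flagging a binary for rebuild rather than missing one.
    """
    found = [(1, int(m.group(1)), int(m.group(2) or 0))
             for m in GO_VERSION_RE.finditer(blob)]
    return min(found) if found else None


def needs_rebuild(version: Version, fixed_in: Version = FIXED_IN) -> bool:
    """True when the embedded toolchain predates the fixed release."""
    return version < fixed_in


def format_version(v: Version) -> str:
    return f"go{v[0]}.{v[1]}.{v[2]}"


def scan_blob(name: str, blob: bytes) -> dict:
    """Classify one binary's contents: not Go, up to date, or rebuild candidate."""
    v = parse_go_version(blob)
    if v is None:
        return {"name": name, "go": False, "version": None, "rebuild": False}
    return {"name": name, "go": True, "version": format_version(v),
            "rebuild": needs_rebuild(v)}


def scan_directory(root: Path) -> list:
    """Scan every regular ELF file directly under root (e.g. /usr/bin)."""
    results = []
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        try:
            blob = p.read_bytes()
        except OSError:
            continue
        if blob[:4] != b"\x7fELF":
            continue
        results.append(scan_blob(str(p), blob))
    return results


# Constructed sample "binaries": only the bytes that matter for the scan.
SAMPLES = {
    "old-go-tool": b"\x7fELF...runtime.buildVersion go1.16.7 ...dep built for go1.17...",
    "new-go-tool": b"\x7fELF...go1.17...",
    "c-tool": b"\x7fELF...GCC: (GNU) 11.1.0...",
}

if __name__ == "__main__":
    # Usage: python goscan.py /usr/bin [/usr/lib/...]; no args scans SAMPLES.
    targets = [Path(a) for a in sys.argv[1:]]
    if targets:
        rows = [r for t in targets for r in scan_directory(t)]
    else:
        rows = [scan_blob(n, b) for n, b in SAMPLES.items()]
    for r in rows:
        if r["go"]:
            print(f"{r['name']}: {r['version']} "
                  f"{'REBUILD' if r['rebuild'] else 'ok'}")
```

Run it against `/usr/bin` to get a list of rebuild candidates; the lowest-version rule means a binary that merely mentions a newer toolchain in a dependency string is still reported, which is the safer direction for a security-driven rebuild decision.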
