Hi Simon,
My heads-up concerns a change in `crypto/x509`, which is part of the Go
standard library and distributed with the `golang` compiler.
The package you are working on, `golang-go.crypto 0.43.0`, refers to `
golang.org/x/crypto`. These are related but distinct packages.
Best regards,
Reinhard
regards,
Reinhard
On Sun, Oct 12, 2025, 14:06 Simon Josefsson <[email protected]> wrote:
> Thanks for heads-up! I am working on golang-go.crypto 0.43.0, that
> wouldn't really be a problem related to this, right? Presumable the
> change below is for some good reason, in which case we ought to fix the
> breakage rather than holding back package updates.
>
> /Simon
>
> Reinhard Tartler <[email protected]> writes:
>
> > Dear fellow Debian Golang Packagers,
> >
> > I am writing to give you a heads-up about a subtle change in Golang
> 1.25.2
> > that makes X.509 certificate verification more strict in the
> `crypto/x509`
> > package, which is part of the standard library. The change in question is
> >
> https://github.com/golang/go/commit/3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4
> > and I expect it to break rebuilds of several golang packages in Debian.
> >
> > Specifically, the DNS in the X.509v3 Subject Alternative Name can no
> longer
> > be empty (cf.
> > https://github.com/etcd-io/etcd/pull/20775#issuecomment-3385325872).
> This
> > change caused #1117747. I have also seen a similar issue when rebuilding
> > `sigstore-go`, and I plan to file a proper bug report later.
> >
> > I hope this heads-up saves valuable time for others who are surprised by
> > test failures containing the error: "x509: SAN rfc822Name is malformed".
> >
> >
> >
> > Best regards,
> > Reinhard
>
