Am 24.06.26 um 13:15 schrieb Andrew Lee:
> Hi Simon,
> 
> On Wed, Jun 24, 2026 at 12:19 PM Simon Josefsson <[email protected]> wrote:
>> What is your recommendation?  Add 'export DEB_GOMINCOMPAT:=1.24' to
>> debian/rules?  Or something related to GO111MODULES?

Hi Simon,

please avoid to set DEB_GOMINCOMPAT manually in d/rules, unless
absolutely needed for critical security fixes. That variable is intended
as a temporary workaround to fix some security issues in the golang
ecosystem, and is probably minimal enough to be backported for stable.

I've met Andrew at the MiniDebConf in Hamburg, and we've also been
joined by Helmut Grohne. Together, we tried to find a way to implement
module-aware builds for golang, but that task is not trivial. Therefore,
Helmut had the idea of implementing a minimal patch for the golang
compiler to force it to use different compatibility settings than it
would choose normally in our builds. That is what you've discovered with
DEB_GOMINCOMPAT. The idea was to set this variable from the dh-golang
helper, so that a rebuild of all affected packages would be possible
(without doing source uploads for > 500 packages).

Please note that this patch to the golang compiler (supporting
DEB_GOMINCOMPAT) is intended to be short-lived. I plan to remove the
patch before the release of forky, so please do not rely on that behavior.

I've implemented support for the variable in the dh-golang helper script
and filed a transition bug. For more context, please see
https://bugs.debian.org/1137232. Unfortunately, that bug is stalled
right now.

However, I've been working in parallel on implementing the module-aware
build in dh-golang, based on the ideas in Andrews proof-of-concept
script. I think that is nearly done, but not quite.

Regards,
Tobias

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to