On Wed, 2026-06-24 at 14:24 +0200, Dr. Tobias Quathamer wrote: > Am 24.06.26 um 13:15 schrieb Andrew Lee: > > Hi Simon, > > > > On Wed, Jun 24, 2026 at 12:19 PM Simon Josefsson <[email protected]> > > wrote: > > > What is your recommendation? Add 'export DEB_GOMINCOMPAT:=1.24' to > > > debian/rules? Or something related to GO111MODULES? > > Hi Simon, > > please avoid to set DEB_GOMINCOMPAT manually in d/rules, unless > absolutely needed for critical security fixes. That variable is intended > as a temporary workaround to fix some security issues in the golang > ecosystem, and is probably minimal enough to be backported for stable. > > I've met Andrew at the MiniDebConf in Hamburg, and we've also been > joined by Helmut Grohne. Together, we tried to find a way to implement > module-aware builds for golang, but that task is not trivial. Therefore, > Helmut had the idea of implementing a minimal patch for the golang > compiler to force it to use different compatibility settings than it > would choose normally in our builds. That is what you've discovered with > DEB_GOMINCOMPAT. The idea was to set this variable from the dh-golang > helper, so that a rebuild of all affected packages would be possible > (without doing source uploads for > 500 packages). > > Please note that this patch to the golang compiler (supporting > DEB_GOMINCOMPAT) is intended to be short-lived. I plan to remove the > patch before the release of forky, so please do not rely on that behavior. > > I've implemented support for the variable in the dh-golang helper script > and filed a transition bug. For more context, please see > https://bugs.debian.org/1137232. Unfortunately, that bug is stalled > right now. > > However, I've been working in parallel on implementing the module-aware > build in dh-golang, based on the ideas in Andrews proof-of-concept > script. I think that is nearly done, but not quite.
This seems like a great (and impactful) project to work on during DebCamp/DebConf. I've not fully read up on what's already been done, but could we maybe come up with a plan of action? I'll be around in person, and would be happy to help out. Getting Debian's packaging of Golang packages to use modern techniques would be a huge win for forky. :) Mathias
signature.asc
Description: This is a digitally signed message part
