On Wed, 2026-06-24 at 14:24 +0200, Dr. Tobias Quathamer wrote:
> Am 24.06.26 um 13:15 schrieb Andrew Lee:
> > Hi Simon,
> > 
> > On Wed, Jun 24, 2026 at 12:19 PM Simon Josefsson <[email protected]> 
> > wrote:
> > > What is your recommendation?  Add 'export DEB_GOMINCOMPAT:=1.24' to
> > > debian/rules?  Or something related to GO111MODULES?
> 
> Hi Simon,
> 
> please avoid to set DEB_GOMINCOMPAT manually in d/rules, unless
> absolutely needed for critical security fixes. That variable is intended
> as a temporary workaround to fix some security issues in the golang
> ecosystem, and is probably minimal enough to be backported for stable.
> 
> I've met Andrew at the MiniDebConf in Hamburg, and we've also been
> joined by Helmut Grohne. Together, we tried to find a way to implement
> module-aware builds for golang, but that task is not trivial. Therefore,
> Helmut had the idea of implementing a minimal patch for the golang
> compiler to force it to use different compatibility settings than it
> would choose normally in our builds. That is what you've discovered with
> DEB_GOMINCOMPAT. The idea was to set this variable from the dh-golang
> helper, so that a rebuild of all affected packages would be possible
> (without doing source uploads for > 500 packages).
> 
> Please note that this patch to the golang compiler (supporting
> DEB_GOMINCOMPAT) is intended to be short-lived. I plan to remove the
> patch before the release of forky, so please do not rely on that behavior.
> 
> I've implemented support for the variable in the dh-golang helper script
> and filed a transition bug. For more context, please see
> https://bugs.debian.org/1137232. Unfortunately, that bug is stalled
> right now.
> 
> However, I've been working in parallel on implementing the module-aware
> build in dh-golang, based on the ideas in Andrews proof-of-concept
> script. I think that is nearly done, but not quite.

  This seems like a great (and impactful) project to work on during
DebCamp/DebConf. I've not fully read up on what's already been done,
but could we maybe come up with a plan of action? I'll be around in
person, and would be happy to help out.

  Getting Debian's packaging of Golang packages to use modern
techniques would be a huge win for forky. :)

Mathias

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to