Dear all,

Andrew Lee discovered some security problems in the golang ecosystem,
due to the GOPATH setup which is used within dh-golang. Please see his
talk at MiniDebconf for all the details:

https://meetings-archive.debian.net/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-85-rescue-forky-we-have-go-back-to-2011-building-go-like-its-2011-is-broken.av1.webm

The solution is to convert our build system to use a module-aware build,
which upstream go uses as default since a couple of years. Andrew has
written a shell script as a proof of concept. The basic idea is to use a
go.work file to point the golang compiler to local sources instead of
downloading them from online sites -- which will obviously fail on buildds.

During the MiniDebconf, I worked with Andrew on this topic. A day later,
we've been joined by Helmut Grohne, who helped with some ideas and perl
code as well.

Since MiniDebconf, I've written more code for the module-aware builds in
dh-golang. Some packages already build fine with the new dh-golang
helper, other packages still FTBFS.

I won't be able to attend Debconf, but maybe some of you will be there.
So it might be a good time to let other people take a look at the code
so far and maybe hack on it during the Debcamp/Debconf.

I've now pushed my code to
https://salsa.debian.org/go-team/packages/dh-golang, using a new branch
"go111module". If you're able to help with the changes for dh-golang,
please feel free to join the effort. For any questions about the code,
the idea, or the concept, feel free to reach out to Andrew or me.

Regards,
Tobias

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to