Dear all, Andrew Lee discovered some security problems in the golang ecosystem, due to the GOPATH setup which is used within dh-golang. Please see his talk at MiniDebconf for all the details:
https://meetings-archive.debian.net/pub/debian-meetings/2026/MiniDebConf-Hamburg/hamburg2026-85-rescue-forky-we-have-go-back-to-2011-building-go-like-its-2011-is-broken.av1.webm The solution is to convert our build system to use a module-aware build, which upstream go uses as default since a couple of years. Andrew has written a shell script as a proof of concept. The basic idea is to use a go.work file to point the golang compiler to local sources instead of downloading them from online sites -- which will obviously fail on buildds. During the MiniDebconf, I worked with Andrew on this topic. A day later, we've been joined by Helmut Grohne, who helped with some ideas and perl code as well. Since MiniDebconf, I've written more code for the module-aware builds in dh-golang. Some packages already build fine with the new dh-golang helper, other packages still FTBFS. I won't be able to attend Debconf, but maybe some of you will be there. So it might be a good time to let other people take a look at the code so far and maybe hack on it during the Debcamp/Debconf. I've now pushed my code to https://salsa.debian.org/go-team/packages/dh-golang, using a new branch "go111module". If you're able to help with the changes for dh-golang, please feel free to join the effort. For any questions about the code, the idea, or the concept, feel free to reach out to Andrew or me. Regards, Tobias
OpenPGP_signature.asc
Description: OpenPGP digital signature
