Package: release.debian.org
Severity: normal
Control: affects -1 + src:dh-golang
User: [email protected]
Usertags: transition
X-Debbugs-Cc: [email protected], [email protected]
Dear release team,

this is a summary of a conversation which I've just had with Helmut Grohne on the phone. We've discussed the several options which are available to resolve the security problems within the golang ecosystem.

First of all, I've just uploaded the golang compilers 1.25 and 1.26 to unstable. Both contain the minimal patch which had been suggested by Helmut, in order to support a new environment variable DEB_GOMINCOMPAT. With this variable, we are able to set the golang compiler compatibility version during package builds. Currently, this is a no-op, because the variable DEB_GOMINCOMPAT does not exist yet in any d/rules file.

The next step would be to update dh-golang to actually set DEB_GOMINCOMPAT, which this bug report is about.

Helmut and I discussed the "baseline" compatibility version which should be used for unstable. While I initially had been in favor of using the same version the available compiler provides (which would be 1.26), I can also see some advantages in downgrading the compatibility to 1.24 in unstable. Most of the problematic settings (regarding security issues) are already resolved in 1.24. From what I can tell, the only security-related difference between 1.24 and 1.26 is the setting "tlssha1=1". This flag re-enables SHA-1 signature algorithms in TLS 1.2, which had been dropped in Go 1.25.

In order to actually use the new compatibility setting for our packages, we would need to schedule binNMUs for 502 golang packages, which build an executable binary. Fortunately, the majority of golang packages just contain source code and are therefore not affected.

During a test rebuild, I've found 10 packages which currently FTBFS in unstable, even without changes to the compiler or dh-golang. Not all of them have RC bugs filed yet, but none of those build failures are related to the proposed changes.

Some packages *do* fail due to this change in dh-golang, though. However, their number is really low, just 7 packages:

golang-github-anacrolix-missinggo
golang-github-d5-tengo
golang-github-mendersoftware-mender-artifact
golang-github-traefik-yaegi
golang-github-xenolf-lego
secsipidx
snapd

From a quick glance at their build logs, it seems that they might just need a small patch to build with a compatibility setting of 1.24.

Helmut and I also thought about the new script in dh-golang, which checks for problematic settings in the compiled binaries. The initial approach is not sensible, because it would show an error (and fail the build) if some specific settings are detected. However, for some legacy packages, it might be the only option to use a compatibility version lower than 1.24 -- the build should then still succeed, of course. A better approach (with more visibility) is to integrate such a check into Lintian. It could be of severity info or warning. If the latter, it would also show up on tracker.d.o. Therefore, the required changes to dh-golang are now even smaller.

I've attached the proposed patch for dh-golang. Please note that there are also unrelated minor changes in the dh-golang git repository, due to some package maintenance. IMHO, those changes do not harm the intended transition, which is why I've left them in. However, if you prefer a minimal patch, I'll create another one without the unrelated changes.

Regards,
Tobias
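The binary check discussed above (a Lintian-style warning rather than a build failure), as an added example that is not part of this mail or of dh-golang: it parses the DefaultGODEBUG line that `go version -m` prints for a Go binary and reports settings that weaken the 1.24 defaults. The settings beyond the three named in the mail, the `example.org/tool` sample output and the function names are my assumptions.

```python
import re
import subprocess
from typing import Dict, List

# key -> value that weakens security.  The first three are the settings named
# in the mail (tlssha1, rsa1024min, tlsmlkem); the rest are further
# security-relevant GODEBUG keys from Go's godebug history.
RISKY_SETTINGS = {
    "tlssha1": "1",      # SHA-1 signature algorithms in TLS 1.2 (dropped in Go 1.25)
    "rsa1024min": "0",   # RSA keys shorter than 1024 bits accepted again (1.24)
    "tlsmlkem": "0",     # X25519MLKEM768 post-quantum key exchange disabled (1.24)
    "tlsrsakex": "1",    # RSA key exchange cipher suites re-enabled (1.22)
    "tls3des": "1",      # 3DES cipher suites re-enabled (1.23)
    "tls10server": "1",  # TLS 1.0/1.1 accepted by servers again (1.22)
}

# `go version -m <binary>` prints "build DefaultGODEBUG=key=val,..." when the
# binary's default GODEBUG differs from the toolchain's own defaults.
GODEBUG_LINE = re.compile(r"^\s*build\s+DefaultGODEBUG=(.*)$")

def parse_default_godebug(version_m_output: str) -> Dict[str, str]:
    """Return the DefaultGODEBUG key/value pairs, or {} when none is recorded."""
    for line in version_m_output.splitlines():
        m = GODEBUG_LINE.match(line)
        if m:
            pairs = (kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
            return {k.strip(): v.strip() for k, v in pairs}
    return {}

def risky_settings(godebug: Dict[str, str]) -> List[str]:
    """Sorted "key=value" entries whose value matches a weakening default."""
    return sorted(f"{k}={v}" for k, v in godebug.items() if RISKY_SETTINGS.get(k) == v)

def check_binary(path: str) -> List[str]:
    """Run `go version -m` on a built binary and return its risky settings."""
    out = subprocess.run(["go", "version", "-m", path], capture_output=True,
                         text=True, check=True).stdout
    return risky_settings(parse_default_godebug(out))

# Constructed sample of `go version -m` output for a binary built with a
# compatibility version below 1.24; not taken from any real package.
SAMPLE = (
    "./tool: go1.26 linux/amd64\n"
    "\tpath\texample.org/tool\n"
    "\tbuild\t-compiler=gc\n"
    "\tbuild\tDefaultGODEBUG=rsa1024min=0,tlsmlkem=0,tlssha1=1,winsymlink=0\n"
    "\tbuild\tGOOS=linux\n"
)
```

Calling `check_binary("/usr/bin/some-go-tool")` on a built package returns the same list for a real binary; an empty list means no weakened default was recorded.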
diff -Nru dh-golang-1.64/debian/changelog dh-golang-1.65/debian/changelog --- dh-golang-1.64/debian/changelog 2026-05-08 13:32:49.000000000 +0200 +++ dh-golang-1.65/debian/changelog 2026-05-21 12:57:31.000000000 +0200 @@ -1,3 +1,34 @@ +dh-golang (1.65) unstable; urgency=medium + + [ Guillem Jover ] + * Run wrap-and-sort -ast. + This is the only format that guarantees minimal diff deltas on + modifications, as it avoids modifying unrelated lines even when + shuffling content around fields or renaming fields. + It also matches the new field placement by the dh-make-golang template. + * Add spaces around make assignment operators to distinguish from shell ones. + The make variables have nothing to do with the shell ones (even though + they can be exported and made visible into the subshells), because they + only allow one assignment per line. Use spaces to make this more + obvious, otherwise a variable can end up assigned another variable and + its intended values, such as in: + var-a=var-a-val var-b=var-b-val + * Add myself to Uploaders + + [ Dr. Tobias Quathamer ] + * Export DEB_GOMINCOMPAT. + The default value for DEB_GOMINCOMPAT is 1.24, to ensure that + most of the settings with security implications are used with + sane default values. + However, some packages might fail to build, because they rely + on older behaviour. Package maintainers can therefore + downgrade the compatibility settings. + Also, if the package has a go.mod file with a version higher + than 1.24, that version is used instead. + Thanks to Helmut Grohne <[email protected]> + + -- Dr. Tobias Quathamer <[email protected]> Thu, 21 May 2026 12:57:31 +0200 + dh-golang (1.64) unstable; urgency=medium * Include go.mod and go.sum for submodules as well diff -Nru dh-golang-1.64/debian/control dh-golang-1.65/debian/control --- dh-golang-1.64/debian/control 2026-05-08 13:32:49.000000000 +0200 +++ dh-golang-1.65/debian/control 2026-05-16 13:22:40.000000000 +0200 
@@ -1,12 +1,15 @@ Source: dh-golang Section: golang Maintainer: Debian Go Packaging Team <[email protected]> -Uploaders: Michael Stapelberg <[email protected]>, - Martina Ferrari <[email protected]>, - Anthony Fok <[email protected]>, - Dr. Tobias Quathamer <[email protected]>, -Build-Depends: debhelper-compat (= 13), - libmodule-install-perl, +Uploaders: + Michael Stapelberg <[email protected]>, + Martina Ferrari <[email protected]>, + Anthony Fok <[email protected]>, + Dr. Tobias Quathamer <[email protected]>, + Guillem Jover <[email protected]>, +Build-Depends: + debhelper-compat (= 13), + libmodule-install-perl, Standards-Version: 4.7.4 Vcs-Browser: https://salsa.debian.org/go-team/packages/dh-golang Vcs-Git: https://salsa.debian.org/go-team/packages/dh-golang.git @@ -14,11 +17,13 @@ Package: dh-golang Architecture: all Multi-Arch: foreign -Depends: debhelper, - libdpkg-perl (>= 1.22.15~), - ${misc:Depends}, - ${perl:Depends}, -Provides: dh-sequence-golang +Depends: + debhelper, + libdpkg-perl (>= 1.22.15~), + ${misc:Depends}, + ${perl:Depends}, +Provides: + dh-sequence-golang, Description: debhelper add-on for packaging software written in Go (golang) dh-golang provides a debhelper sequence addon named 'golang', a buildsystem module named 'golang' and a command called dh_golang. diff -Nru dh-golang-1.64/debian/copyright dh-golang-1.65/debian/copyright --- dh-golang-1.64/debian/copyright 2026-05-08 13:32:49.000000000 +0200 +++ dh-golang-1.65/debian/copyright 2026-05-16 13:22:40.000000000 +0200 
@@ -1,11 +1,15 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Files: * -Copyright: 2013-2017 Michael Stapelberg +Files: + * +Copyright: + 2013-2017 Michael Stapelberg License: GPL-2+ -Files: debian/* -Copyright: 2013-2017 Michael Stapelberg <[email protected]> +Files: + debian/* +Copyright: + 2013-2017 Michael Stapelberg <[email protected]> License: GPL-2+ License: GPL-2+ diff -Nru dh-golang-1.64/debian/rules dh-golang-1.65/debian/rules --- dh-golang-1.64/debian/rules 2026-05-08 13:32:49.000000000 +0200 +++ dh-golang-1.65/debian/rules 2026-05-16 13:22:40.000000000 +0200 @@ -1,7 +1,7 @@ #!/usr/bin/make -f # Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 +#export DH_VERBOSE = 1 %: dh $@ diff -Nru dh-golang-1.64/lib/Debian/Debhelper/Buildsystem/golang.pm dh-golang-1.65/lib/Debian/Debhelper/Buildsystem/golang.pm --- dh-golang-1.64/lib/Debian/Debhelper/Buildsystem/golang.pm 2026-05-08 13:32:49.000000000 +0200 +++ dh-golang-1.65/lib/Debian/Debhelper/Buildsystem/golang.pm 2026-05-21 12:55:29.000000000 +0200 @@ -267,6 +267,7 @@ use Debian::Debhelper::Dh_Lib; use Dpkg::BuildFlags; use Dpkg::Control::Info; +use Dpkg::Version qw(version_compare); use File::Copy qw(cp); # in core since 5.002 use File::Path qw(make_path); # in core since 5.001 use File::Find; # in core since 5 @@ -341,6 +342,7 @@ $this->_set_go_test_timeout(); $this->_set_cgo_flags(); $this->_set_gocross(); + $this->_set_deb_gomincompat(); } sub _set_gopath { 
@@ -466,6 +468,50 @@ } } +sub _set_deb_gomincompat { + my $this = shift; + + if ($ENV{DEB_GOMINCOMPAT}) { + verbose_print( + "Forcing version $ENV{DEB_GOMINCOMPAT} as DEB_GOMINCOMPAT."); + return; + } + + # Enable at least rsa1024min and tlsmlkem. + my $gover = "1.24"; + if (open(my $gomod, "<", $this->get_sourcepath("go.mod"))) { + my $gomodver; + while (<$gomod>) { + next unless (/^go\s+([0-9]+\.[0-9]+)/); + $gomodver = $1; + last; + } + close($gomod); + if ($gomodver) { + if (version_compare($gover, $gomodver) < 0) { + $gover = $gomodver; + verbose_print( + "Forcing version $gomodver from go.mod as DEB_GOMINCOMPAT." + ); + } else { + verbose_print( +"Forcing $gover instead of $gomodver from go.mod via DEB_GOMINCOMPAT." + ); + } + } else { + verbose_print( +"No version detected for go.mod, forcing $gover as DEB_GOMINCOMPAT." + ); + } + } else { + verbose_print( + "Could not read go.mod, forcing $gover as DEB_GOMINCOMPAT."); + } + + $ENV{DEB_GOMINCOMPAT} = $gover; + return; +} + sub _go1_has_minor { my ($_go1_minor) = (qx(go version) =~ /go version go1\.([0-9]+)/); if (!defined $_go1_minor) {
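Review bot: in `_set_deb_gomincompat` (golang.pm hunk @@ -466,6 +468,50 @@), a DEB_GOMINCOMPAT value already present in the environment is exported to the compiler as-is, while the go.mod path only accepts a version matching `^go\s+([0-9]+\.[0-9]+)`; check the override against the same `[0-9]+\.[0-9]+` form before the early `return`, and `verbose_print` when it is below the 1.24 baseline, so that a typo in d/rules cannot silently yield an unintended compatibility level while the documented downgrade for legacy packages still builds.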
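Review bot: the debian/changelog hunk (@@ -1,3 +1,34 @@) is the only place in this diff that tells maintainers DEB_GOMINCOMPAT exists, defaults to 1.24, may be lowered from d/rules and is overridden by a higher go.mod version; none of the other hunks (debian/control, debian/copyright, debian/rules, golang.pm) touch the dh-golang documentation, so add a short description of the variable and its precedence (explicit environment value, then the go.mod `go` directive, then the 1.24 default) to the buildsystem documentation where maintainers will look for it.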