On 04/11/2025 19.38, Kevin Fenzi wrote:
> One question that comes to mind: There's often CVEs fixed in newer
> golang (needing you to rebuild things with it) right, or am I
> misremembering?
> In the compat world those would just not get fixed?
> Or would you mass rebuild with the newer version (leaving the older one
> default)?
> kevin
TL;DR: Yes, they would have upgrades, but we might only have 2~3 compat
packages at a given time, and I, personally, think it adds more complexity.
---
Hm, that's a great question. CVEs are fixed on affected and supported
versions (quite obviously :D). So if something appears today in 1.25.3,
they will release 1.25.4 to fix it, and if it applies, it will be fixed
in a new 1.24 release (1.24.10 in this hypothetical example).
I don't think we want to maintain EOL Go releases for obvious reasons.
In the past I tried to do it (because of the misalignment of Go releases
with Fedora releases; a given Go release reaches EOL around 2 months
before a Fedora release reaches EOL), but the easiest solution was to
just ask for an exception and upgrade Go to the nearest release, the one
in the next Fedora release. I've been doing this for a few years now [0].
So if we follow the compat route, yes, they will have upgrades because
we won't keep the compat of unsupported versions. But, to be honest,
this is where I don't like the compat idea. We might be creating and
decommissioning dist-git repositories really often. Go releases last for
12 months approximately. Every 6 months there is a new one, and upstream
projects tend to go to the highest release number as soon as possible
because it's easier to just point to the latest release instead of a
minor release (this is my anecdotal view; I have no numbers). Although I
know other people share this opinion.
[0] https://pagure.io/fesco/issues?status=Closed&search_pattern=in+Fedora&author=alexsaezm&close_status=