On Mon, 9 Oct 2017 13:58:48 -0700
Ed Marshall <e...@logic.net> wrote:

> On 10/09/2017 04:36 AM, Jakub Cajka wrote:
> > For record these vulnerabilities got assigned CVE-2017-15041 and
> > CVE-2017-15042. Any packages using the affected component
> > "net/smtp" need to be rebuilt with the fixed version of Go, in
> > order to pick up the fix.
> 
> Oof. Do we have any tools right now for working out whether direct or
> transitive dependencies of packages we maintain are affected, so we
> know if we need to push a rebuild? (Speaking only for myself, I have
> 31 packages that don't directly import net/smtp, but I can't speak to
> any of the packages they pull in.)
> 
> It seems like a standard library CVE almost demands a mass golang
> rebuild, if we want to be safe (in the absence of automated tooling
> to make targeted rebuilds possible). The reality is, maintainers are
> going to miss this message and not rebuild, or not do the necessary
> legwork to know if they need to rebuild. :(
> 

That would be a nice and decent tool.
I personally use a shell function:
```bash
imports() {
  # Print each package's name and import path, then its direct imports,
  # one per line. "$@" forwards every package pattern given; the original
  # ${@:2} dropped the first argument, so `imports ./...` only inspected
  # the current directory instead of the whole tree.
  go list -f '{{.Name}} {{.ImportPath}} {{range .Imports}}
  {{.}}{{end}}' "$@"
}
```

so that in a project `imports ./...` will print the imports of the
recursive paths, but that does not extend to every import of even
stdlib. Though that could be possible by some fancier shell work.

vb


_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-le...@lists.fedoraproject.org
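One way to do the "fancier shell work" for a stdlib CVE like this, as an added example rather than the poster's function: `go list` already exposes the transitive closure in its `.Deps` field, so filtering that output shows which packages in a tree pull in `net/smtp` through any depth of third-party dependencies. The package paths in the sample input are constructed, not real project output.

```bash
#!/usr/bin/env bash
# Step 1 (needs a Go toolchain, run from the project root):
#   go list -f '{{.ImportPath}}: {{join .Deps " "}}' ./... > deps.txt
# .Deps is the fully resolved, recursive dependency list, so a stdlib
# package imported only by a vendored library still shows up.

# Step 2: flag_affected reads "pkg: dep dep ..." lines on stdin and
# prints the import paths whose dependency closure contains $1.
flag_affected() {
  target=$1
  awk -v t="$target" '{
    pkg = $1; sub(/:$/, "", pkg)          # strip the trailing colon
    for (i = 2; i <= NF; i++) if ($i == t) { print pkg; break }
  }'
}

# Live variant (needs Go): scan the current tree for a package,
# defaulting to the one named in the advisory.
scan_project() {
  go list -f '{{.ImportPath}}: {{join .Deps " "}}' ./... \
    | flag_affected "${1:-net/smtp}"
}

# Constructed sample of what go list would emit (not real project output).
# cmd/server never touches net/smtp; internal/notify imports it directly
# and cmd/mailer reaches it both directly and via internal/notify.
SAMPLE='example.com/app/cmd/mailer: fmt net net/smtp example.com/app/internal/notify
example.com/app/internal/notify: crypto/tls net/smtp strings
example.com/app/cmd/server: fmt net/http'

# Number of packages in the sample that would need a rebuild.
affected_count() {
  printf '%s\n' "$SAMPLE" | flag_affected net/smtp | wc -l | tr -d ' '
}

# Packages to rebuild for CVE-2017-15041/15042 in the sample tree.
printf '%s\n' "$SAMPLE" | flag_affected net/smtp
```

Pointing `scan_project` at each maintained source tree answers the "do I need to push a rebuild" question without reading every dependency's imports by hand.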
