On Wed, Apr 13, 2022, at 21:48, Maxwell G wrote:
> On Wednesday, April 13, 2022 4:37:27 PM IDT Mikel Olasagasti wrote:
> > FWIU, in order to fix this CVE, a new version of golang-x-crypto and
> > rebuilding all dependent packages is required.
> 
> If the CVE only affects golang.org/x/crypto/ssh, couldn't we just rebuild 
> packages that depend on `golang(golang.org/x/crypto/ssh)`? 
> `golang-x-crypto-devel` has a lot of dependent packages (over 600), so it 
> would be beneficial to avoid having to rebuild all of them.

Hi,

If I'm correct, we are looking for:
* packages that depend on golang.org/x/crypto/ssh
* packages that contain at least a non-devel package (i.e. a compiled part)

If my understanding of repoquery is correct, this would be the command to get them:

sudo dnf repoquery -q --repo=rawhide{,-source} --whatrequires "golang(golang.org/x/crypto/ssh)" --recursive | grep src$ | pkgname | sort | uniq

Which creates a 326-package-long list.
We have halved them (if my query is correct) :-).

> Also, keep in a mind that there are several go-sig packages that FTBFS, which 
> might cause issues during the rebuild. As a new member of the SIG, fixing 
> some of these is probably a good place to start. Here[1] is a list of all the 
> current open go-sig FTBFS bugs.
> 
> [1]: 
> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&email1=go-sig%40lists.fedoraproject.org&emailassigned_to1=1&emailcc1=1&emailtype1=equals&list_id=12552935&query_format=advanced&short_desc=FTBFS&short_desc_type=allwordssubstr

This feels like a major issue to automate the process.

Fale
-- 
Fabio Alessandro Locati
fale.io
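
An added example, not part of the original message: a self-contained stand-in for the `grep src$ | pkgname | sort | uniq` stages of the command above, reducing repoquery output to unique source package names. It assumes dnf's default `name-epoch:version-release.arch` output; `src_names` and `sample_nevras` are hypothetical names, the sample lines are constructed, and the `pkgname` helper from the message is not reproduced because its definition is not shown.

```shell
# Reduce repoquery-style NEVRA lines (stdin) to unique source package names.
# Layout assumed: name-[epoch:]version-release.arch
# Package names may contain hyphens, but version and release cannot, so the
# name is whatever remains after removing the last two hyphen-separated fields.
src_names() {
    grep '\.src$' |                    # keep source packages only
    sed -E 's/-[^-]+-[^-]+$//' |       # drop "-[epoch:]version-release.arch"
    sort -u                            # one line per source package
}

# Constructed sample input (not real repoquery output): binary, devel and
# source packages mixed, with one source package listed twice.
sample_nevras() {
    cat <<'EOF'
example-tool-0:1.2.3-4.fc37.src
example-tool-0:1.2.3-4.fc37.x86_64
golang-example-lib-devel-0:0.5.0-1.fc37.noarch
golang-example-lib-0:0.5.0-1.fc37.src
example-tool-0:1.2.3-4.fc37.src
another-app-2:3.0-1.fc37.src
EOF
}

# Against the real repositories, the query from the message would feed it:
#   dnf repoquery -q --repo=rawhide{,-source} \
#       --whatrequires "golang(golang.org/x/crypto/ssh)" --recursive | src_names
sample_nevras | src_names
```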