On Thu, Mar 20, 2025 at 4:22 PM Zdenek Dohnal via golang < golang@lists.fedoraproject.org> wrote:
> Hi all,
>
> I maintain two components written in Go, so from time to time the components get CVE reports where vulnerable code comes from another component via static linking during build.
>
> I was trying to figure out how to make this better, and together with Jason (in CC) got an idea about automatic versioned buildrequires for Go packages, where the versions would be taken from the package versions present in the buildroot.
>
> I've checked the Go Fedora guidelines and saw there is a %go_generate_buildrequires macro, which looked promising, but unfortunately it does not generate BuildRequires on golang and none of the BuildRequires are versioned :( .
>
> Do you think it is possible to have such a feature?
>
> e.g. BuildRequires: golang-src >= 1.24.1-1, or BuildRequires: golang(github.com/golang/go) >= 1.24.1-1
>
> would tell us the package is built with this golang version, and if a new golang version comes later into repos, the package will still work with the new golang due to '>='.
>
> Once a CVE fix comes into golang and a new golang version is released, the presence of the older version in the buildrequires of another package will indicate the package includes vulnerable code, and it has to be rebuilt once the original package includes a fix.
>
> I have tried to come up at least with a PoC for getting the golang version from the buildroot and adding the versioned buildrequires, but no luck so far.

I'm not really sure if I understand the problem, but hope these two things help:

First, this is not exactly what you want to do, but we have a script in the rpms/golang package to generate the provides, maybe you can draw inspiration from it: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/bundled-deps.sh

Second, regarding the %go_generate_buildrequires macro, have you tried using go2rpm (again, I checked your golang packages, and it seems you generated them years ago with an old version of go2rpm)? In the most recent versions it uses go_generate_buildrequires by default. Just in case there are some issues in the way you are invoking the macro.

> Thank you in advance!
>
> Zdenek
>
> --
> Zdenek Dohnal
> Senior Software Engineer
> Red Hat, BRQ-TPBC
>
> --
> _______________________________________________
> golang mailing list -- golang@lists.fedoraproject.org
> To unsubscribe send an email to golang-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
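A sketch of the dynamic, versioned BuildRequires idea discussed in this thread, added here as an example; it is not code from the thread, from go2rpm or from the rpms/golang repository. It assumes the compiler package is named golang, that rpm -q prints its EVR as VERSION-RELEASE with a Fedora .fcNN dist tag, and it uses a simplified numeric version comparison rather than rpm's full rpmvercmp.

```sh
#!/bin/sh
# Added example, not from the thread. Meant to be shipped as a Source file and
# called from the spec's dynamic BuildRequires section, e.g.:
#   %generate_buildrequires
#   %go_generate_buildrequires
#   sh %{SOURCE1}        # prints one extra, versioned BuildRequires line
# Kept outside the spec so rpm does not macro-expand %{VERSION} below.
# Assumptions: compiler package is "golang"; EVR looks like "1.24.1-1.fc42".

# Ask the buildroot which golang is installed; fall back to a constructed
# sample value so the script also runs where rpm or golang is absent.
current_golang_evr() {
    if command -v rpm >/dev/null 2>&1 && rpm -q golang >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' golang
    else
        printf '%s\n' '1.24.1-1.fc42'   # constructed sample
    fi
}

# Turn an EVR into a versioned BuildRequires. The .fcNN dist tag is dropped
# so the generated requirement still matches after a mass rebuild.
go_versioned_buildrequires() {
    printf 'BuildRequires: golang >= %s\n' "${1%.fc*}"
}

# Compare dotted numeric versions; prints -1, 0 or 1. Missing components
# count as 0, so 1.24 equals 1.24.0. (Simplified; not rpm's full rpmvercmp.)
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Rebuild check for the CVE case in the thread: given the EVR recorded at
# build time ($1) and the golang version carrying the fix ($2), succeed when
# the build predates the fix and therefore still embeds the old code.
needs_rebuild() {
    [ "$(vercmp "${1%%-*}" "$2")" -lt 0 ]
}

go_versioned_buildrequires "$(current_golang_evr)"
```

Scanning the recorded requirements of all Go packages with needs_rebuild against the fixed golang version gives the rebuild list the thread asks for.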