Hi Florian!
Thank you for the idea!
I knew about 'go version', which would give me the Go version as a whole,
but not about the possibility of using it to see the versions of the
modules used - great to know!
On 3/21/25 10:53, Florian Weimer wrote:
> A different way to do this would involve a dependency generator that
> looks at “go version -m” output like this:
>
>     dep golang.org/x/crypto v0.32.0
>     dep golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
>     dep golang.org/x/mod v0.22.0
>     dep golang.org/x/net v0.34.0
>     dep golang.org/x/oauth2 v0.25.0
>     dep golang.org/x/sync v0.10.0
>     dep golang.org/x/sys v0.29.0
>     dep golang.org/x/term v0.28.0
>     dep golang.org/x/text v0.21.0
>     dep golang.org/x/time v0.9.0
How did you get such output from 'go version -m'? Or is it a theoretical
output? Because if I call this on my ipp-usb binary, I get this output:
$ go version -m /usr/sbin/ipp-usb
/usr/sbin/ipp-usb: go1.23.7
path github.com/OpenPrinting/ipp-usb
build -buildmode=pie
build -compiler=gc
build -ldflags=" -X github.com/OpenPrinting/ipp-usb/version.tag=0.9.30 -X github.com/OpenPrinting/ipp-usb/version=0.9.30 -B 0x457d8742863cca388e12a3c37376a7e5c1b4eebe -compressdwarf=false -linkmode=external -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes '"
build -tags=rpm_crashtraceback
build DefaultGODEBUG=asynctimerchan=1,gotypesalias=0,httplaxcontentlength=1,httpmuxgo121=1,httpservecontentkeepheaders=1,netedns0=0,panicnil=1,tls10server=1,tls3des=1,tlskyber=0,tlsrsakex=1,tlsunsafeekm=1,winreadlinkvolume=0,winsymlink=0,x509keypairleaf=0,x509negativeserial=1
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=linux
build GOAMD64=v1
I can see the Go version it was built with, but not the goipp Go module,
which is a dependency of ipp-usb and is statically linked into ipp-usb.
> And generates the usual Provides: from that:
>
>     Provides: bundled(golang.org/x/crypto) = v0.32.0
>     Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
>     Provides: bundled(golang.org/x/mod) = v0.22.0
>     Provides: bundled(golang.org/x/net) = v0.34.0
>     Provides: bundled(golang.org/x/oauth2) = v0.25.0
>     Provides: bundled(golang.org/x/sync) = v0.10.0
>     Provides: bundled(golang.org/x/sys) = v0.29.0
>     Provides: bundled(golang.org/x/term) = v0.28.0
>     Provides: bundled(golang.org/x/text) = v0.21.0
>     Provides: bundled(golang.org/x/time) = v0.9.0
>
> This data might be easier to query.
This would be great if we always rebased the package to the version with
the CVE fix; however, it won't cover cases where the CVE fix is backported :(
I have tried to define BuildRequires and set the version for it by
getting the data via rpm, but this would have to happen later in the RPM
build process to get the correct version present in the buildroot.
Zdenek
> Thanks,
> Florian
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
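
The generator idea discussed in this message, as an added example that is not code from either author or from Fedora's packaging tools: it turns "go version -m" text into bundled() Provides lines and returns nothing for a binary without "dep" records, as in the ipp-usb output above. The function name, the sample input and the choice to report a replaced module under its replacement ("=>" line) are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: dep records in the shape quoted in the message,
// plus a replaced module (the "=>" line) to show that edge case.
const sample = "/usr/bin/example: go1.23.7\n" +
	"\tpath\texample.com/cmd/example\n" +
	"\tdep\tgolang.org/x/crypto\tv0.32.0\th1:constructed=\n" +
	"\tdep\texample.com/old\tv1.0.0\n" +
	"\t=>\texample.com/fork\tv1.0.1\th1:constructed=\n" +
	"\tbuild\tCGO_ENABLED=1\n"

// bundledProvides converts `go version -m` text into RPM Provides lines.
// It returns nil when the binary carries no "dep" records, so the caller
// can tell "no bundled modules recorded" apart from an empty module list.
func bundledProvides(out string) []string {
	var provides []string
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue // header, "path" and flag-less "build" lines
		}
		line := fmt.Sprintf("Provides: bundled(%s) = %s", f[1], f[2])
		switch {
		case f[0] == "dep":
			provides = append(provides, line)
		case f[0] == "=>" && len(provides) > 0:
			// Replaced module: report the code that was actually linked.
			provides[len(provides)-1] = line
		}
	}
	return provides
}

func main() {
	for _, p := range bundledProvides(sample) {
		fmt.Println(p)
	}
}
```
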