Hi Florian!

Thank you for the idea!

I knew about 'go version', which would give me the Go version as a whole, but not about the possibility of using this to see the versions of the used modules - great to know!

On 3/21/25 10:53, Florian Weimer wrote:
> A different way to do this would involve a dependency generator that
> looks at “go version -m” output like this:
>
>         dep     golang.org/x/crypto     v0.32.0
>         dep     golang.org/x/exp        v0.0.0-20250103183323-7d7fa50e5329
>         dep     golang.org/x/mod        v0.22.0
>         dep     golang.org/x/net        v0.34.0
>         dep     golang.org/x/oauth2     v0.25.0
>         dep     golang.org/x/sync       v0.10.0
>         dep     golang.org/x/sys        v0.29.0
>         dep     golang.org/x/term       v0.28.0
>         dep     golang.org/x/text       v0.21.0
>         dep     golang.org/x/time       v0.9.0

How did you get such output from 'go version -m'? Or is it a theoretical output? Because if I call this on my ipp-usb binary, I get this output:

$ go version -m /usr/sbin/ipp-usb
/usr/sbin/ipp-usb: go1.23.7
    path    github.com/OpenPrinting/ipp-usb
    build    -buildmode=pie
    build    -compiler=gc
    build    -ldflags=" -X github.com/OpenPrinting/ipp-usb/version.tag=0.9.30 -X github.com/OpenPrinting/ipp-usb/version=0.9.30 -B 0x457d8742863cca388e12a3c37376a7e5c1b4eebe -compressdwarf=false -linkmode=external -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes  '"
    build    -tags=rpm_crashtraceback
    build    DefaultGODEBUG=asynctimerchan=1,gotypesalias=0,httplaxcontentlength=1,httpmuxgo121=1,httpservecontentkeepheaders=1,netedns0=0,panicnil=1,tls10server=1,tls3des=1,tlskyber=0,tlsrsakex=1,tlsunsafeekm=1,winreadlinkvolume=0,winsymlink=0,x509keypairleaf=0,x509negativeserial=1
    build    CGO_ENABLED=1
    build    CGO_CFLAGS=
    build    CGO_CPPFLAGS=
    build    CGO_CXXFLAGS=
    build    CGO_LDFLAGS=
    build    GOARCH=amd64
    build    GOOS=linux
    build    GOAMD64=v1

I can see the Go version it was built with, but not the goipp Go module, which is a dependency of ipp-usb and is statically linked into ipp-usb.


> And generates the usual Provides: from that:
>
> Provides: bundled(golang.org/x/crypto) = v0.32.0
> Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
> Provides: bundled(golang.org/x/mod) = v0.22.0
> Provides: bundled(golang.org/x/net) = v0.34.0
> Provides: bundled(golang.org/x/oauth2) = v0.25.0
> Provides: bundled(golang.org/x/sync) = v0.10.0
> Provides: bundled(golang.org/x/sys) = v0.29.0
> Provides: bundled(golang.org/x/term) = v0.28.0
> Provides: bundled(golang.org/x/text) = v0.21.0
> Provides: bundled(golang.org/x/time) = v0.9.0
>
> This data might be easier to query.

This would be great if we always rebase the package to the version with the CVE fix; however, it won't cover cases where the CVE fix is backported :(

I have tried to define BuildRequires and set the version for it by getting the data via rpm, but this would have to happen later in the RPM build process to get the correct version present in the buildroot.


Zdenek


> Thanks,
> Florian

--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
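
The dependency generator discussed in this thread, sketched as an added example (not code from either poster or from Fedora's tooling): it parses `go version -m` text and emits the `Provides: bundled(...)` lines, returning nothing for a binary such as the ipp-usb one above that has no `dep` records. The sample input is constructed, and reporting a `=>` replacement in place of the dependency it replaces is an assumption of this sketch.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the layout shown in the thread. The "=>" line is a
// hypothetical replacement (fork) added to exercise that case.
const sample = `/usr/bin/example: go1.23.7
    path    example.com/cmd/example
    dep     golang.org/x/crypto     v0.32.0
    dep     golang.org/x/net        v0.34.0
    =>      example.com/fork/net    v0.34.1
    build   -buildmode=pie
`

// BundledProvides turns `go version -m` text into RPM Provides lines.
// It returns an empty slice when the binary carries no "dep" records.
func BundledProvides(out string) []string {
	var provides []string
	sc := bufio.NewScanner(strings.NewReader(out))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // -ldflags lines can be long
	prevDep := false
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		isDep := len(f) >= 3 && f[0] == "dep"
		// Assumption: a versioned replacement is the code actually linked in,
		// so it is reported instead of the dep line it follows.
		isRepl := len(f) >= 3 && f[0] == "=>" && prevDep
		if isDep || isRepl {
			line := fmt.Sprintf("Provides: bundled(%s) = %s", f[1], f[2])
			if isRepl {
				provides[len(provides)-1] = line
			} else {
				provides = append(provides, line)
			}
		}
		prevDep = isDep
	}
	return provides
}

func main() {
	for _, l := range BundledProvides(sample) {
		fmt.Println(l)
	}
}
```

An empty result means the binary has no module dependency records to report, which is different from having no bundled code, so a generator built this way should treat that case as "unknown" rather than "clean".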
