* Zdenek Dohnal via golang:

> Once CVE fix comes into golang and new golang version is released,
> presence of the older version in buildrequires of other package will
> indicate the package includes vulnerable code, and it has to be
> rebuilt once the original package includes a fix.

A different way to do this would involve a dependency generator that
looks at “go version -m” output like this:

  dep golang.org/x/crypto v0.32.0
  dep golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
  dep golang.org/x/mod v0.22.0
  dep golang.org/x/net v0.34.0
  dep golang.org/x/oauth2 v0.25.0
  dep golang.org/x/sync v0.10.0
  dep golang.org/x/sys v0.29.0
  dep golang.org/x/term v0.28.0
  dep golang.org/x/text v0.21.0
  dep golang.org/x/time v0.9.0

And generates the usual Provides: from that:

  Provides: bundled(golang.org/x/crypto) = v0.32.0
  Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
  Provides: bundled(golang.org/x/mod) = v0.22.0
  Provides: bundled(golang.org/x/net) = v0.34.0
  Provides: bundled(golang.org/x/oauth2) = v0.25.0
  Provides: bundled(golang.org/x/sync) = v0.10.0
  Provides: bundled(golang.org/x/sys) = v0.29.0
  Provides: bundled(golang.org/x/term) = v0.28.0
  Provides: bundled(golang.org/x/text) = v0.21.0
  Provides: bundled(golang.org/x/time) = v0.9.0

This data might be easier to query.

Thanks,
Florian
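
The generator idea from the message above, as an added example (not code from the message or from Fedora's packaging tooling): it parses "go version -m" text and returns the Provides: lines in the format shown. The sample input is constructed, and treating a "=>" replacement record as the module that was actually bundled is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of "go version -m" text; binary name, Go version,
// hashes and the example.com modules are made up for illustration.
const sample = "./example: go1.23.4\n" +
	"\tmod\texample.com/cmd/example\tv1.0.0\th1:constructed=\n" +
	"\tdep\tgolang.org/x/crypto\tv0.32.0\th1:constructed=\n" +
	"\tdep\tgolang.org/x/exp\tv0.0.0-20250103183323-7d7fa50e5329\th1:constructed=\n" +
	"\tdep\texample.com/lib\tv1.2.0\n" +
	"\t=>\texample.com/fork/lib\tv1.2.1\th1:constructed=\n" +
	"\tbuild\t-buildmode=exe\n"

// bundledProvides converts "go version -m" text into one
// "Provides: bundled(<module>) = <version>" line per dep record.
func bundledProvides(goVersionM string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(goVersionM))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue // header line and short build records
		}
		line := fmt.Sprintf("Provides: bundled(%s) = %s", f[1], f[2])
		switch f[0] {
		case "dep":
			out = append(out, line)
		case "=>":
			// Assumption: a "=>" record names the replacement that was
			// actually compiled in, so it overrides the dep before it.
			if len(out) > 0 {
				out[len(out)-1] = line
			}
		}
	}
	return out
}

func main() {
	for _, p := range bundledProvides(sample) {
		fmt.Println(p)
	}
}
```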