* Zdenek Dohnal via golang:

> Once CVE fix comes into golang and new golang version is released,
> presence of the older version in buildrequires of other package will
> indicate the package includes vulnerable code, and it has to be
> rebuilt once the original package includes a fix.

A different way to do this would involve a dependency generator that
looks at “go version -m” output like this:

        dep     golang.org/x/crypto     v0.32.0 
        dep     golang.org/x/exp        v0.0.0-20250103183323-7d7fa50e5329      
        dep     golang.org/x/mod        v0.22.0 
        dep     golang.org/x/net        v0.34.0 
        dep     golang.org/x/oauth2     v0.25.0 
        dep     golang.org/x/sync       v0.10.0 
        dep     golang.org/x/sys        v0.29.0 
        dep     golang.org/x/term       v0.28.0 
        dep     golang.org/x/text       v0.21.0 
        dep     golang.org/x/time       v0.9.0  

And generates the usual Provides: from that:

Provides: bundled(golang.org/x/crypto) = v0.32.0
Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
Provides: bundled(golang.org/x/mod) = v0.22.0
Provides: bundled(golang.org/x/net) = v0.34.0
Provides: bundled(golang.org/x/oauth2) = v0.25.0
Provides: bundled(golang.org/x/sync) = v0.10.0
Provides: bundled(golang.org/x/sys) = v0.29.0
Provides: bundled(golang.org/x/term) = v0.28.0
Provides: bundled(golang.org/x/text) = v0.21.0
Provides: bundled(golang.org/x/time) = v0.9.0

This data might be easier to query.

Thanks,
Florian
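
A sketch of the generator described in the message above, added here as an example; it is not code from the thread or from Fedora's Go packaging macros. The function name `BundledProvides` and the handling of `=>` (replace) records are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// BundledProvides (hypothetical name) turns "go version -m" output into RPM
// Provides lines, one per "dep" record. Assumption of this example: a "=>"
// record directly after a dep means the module was replaced, and the
// replacement is reported because that is the code linked into the binary.
func BundledProvides(goVersionM string) []string {
	var provides []string
	prevDep := false // true only directly after a "dep" record
	sc := bufio.NewScanner(strings.NewReader(goVersionM))
	for sc.Scan() {
		// Records look like "dep <module> <version> [h1:hash]".
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			prevDep = false
			continue
		}
		line := fmt.Sprintf("Provides: bundled(%s) = %s", f[1], f[2])
		switch {
		case f[0] == "dep":
			provides = append(provides, line)
			prevDep = true
		case f[0] == "=>" && prevDep:
			provides[len(provides)-1] = line
			prevDep = false
		default: // "mod", "build" and anything else carries no dependency
			prevDep = false
		}
	}
	return provides
}

// Reads "go version -m <binary>" output on stdin, prints Provides on stdout.
func main() {
	in, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, p := range BundledProvides(string(in)) {
		fmt.Println(p)
	}
}
```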
