Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released

2017-10-06 Thread Bakul Shah
On Fri, 06 Oct 2017 11:21:10 -0700 Rich  wrote:
Rich writes:
> curl https://storage.googleapis.com/golang/go1.9.1.darwin-amd64.tar.gz | tar zxvf -
> That will overwrite the existing /usr/local/go directory.  To check:

You are not alone in making this mistake.  I made the *same*
mistake when installing a new release on a 32bit freebsd
machine and broke go (and wasted Ian's time by filing a bug
report).  You have to /replace/ the installation, not
/overwrite/ it. I forgot since I rarely build go programs on
this machine.

There is a reason why MacOS, Windows, Linux, *BSD etc. use
installers instead of just "tar x" or "unzip": it allows the
installer to run a script to do the right thing (such as
checking there is enough space, doing some simple test to
check everything went ok, restoring the old release if it didn't,
etc). In spirit "go update" is to "go get" what "pkg update" is
to "pkg install" or "brew update" is to "brew install".

> On Wednesday, October 4, 2017 at 9:41:00 PM UTC-4, Bakul Shah wrote:
> >
> > Would it make sense for Go to update itself? Something 
> > like "go update " that fetches a platform 
> > specific release, does some basic sanity tests and 
> > if all goes well, overwrites $GOROOT. 

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released

2017-10-06 Thread Rich
On linux / mac I just become root, cd to /usr/local then run this one liner:

Mac:
  curl https://storage.googleapis.com/golang/go1.9.1.darwin-amd64.tar.gz | tar zxvf -

Linux64:
  curl https://storage.googleapis.com/golang/go1.9.1.linux-amd64.tar.gz | tar zxvf -

That will overwrite the existing /usr/local/go directory.  To check:

~] $ go version
go version go1.9.1 darwin/amd64

On Wednesday, October 4, 2017 at 9:41:00 PM UTC-4, Bakul Shah wrote:
>
> Would it make sense for Go to update itself? Something 
> like "go update " that fetches a platform 
> specific release, does some basic sanity tests and 
> if all goes well, overwrites $GOROOT. 
>



Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released

2017-10-04 Thread Reto Brunner
God no,
My system is managed by a *package manager* and I want it to stay that way

On Thu, Oct 5, 2017, 03:40 Bakul Shah  wrote:

> Would it make sense for Go to update itself? Something
> like "go update " that fetches a platform
> specific release, does some basic sanity tests and
> if all goes well, overwrites $GOROOT.
>



Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released

2017-10-04 Thread Bakul Shah
Would it make sense for Go to update itself? Something
like "go update " that fetches a platform
specific release, does some basic sanity tests and
if all goes well, overwrites $GOROOT.



[go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released

2017-10-04 Thread Chris Broadfoot
Hi gophers,

Two security-related issues were recently reported.
To address this issue, we have just released Go 1.8.4 and Go 1.9.1.

We recommend that all users update to one of these releases (if you're not
sure which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the “go get” command into executing
arbitrary code. The go command now refuses to use version control checkouts
found inside other version control systems, with an exception for git
submodules (git inside git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only
over authenticated, encrypted TLS connections, but it was changed in Go 1.1
to also send credentials on non-TLS connections when the remote server
advertises that PLAIN authentication is supported. The change was meant to
allow use of PLAIN authentication on localhost, but it has the effect of
allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
requires either TLS or a localhost connection before sending credentials,
regardless of what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.

Downloads are available at https://golang.org/dl for all supported
platforms.

Cheers,
Chris (on behalf of the Go team)
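
Added example, not part of the announcement and not the Go team's code: the PlainAuth rule described above, observed by calling net/smtp's real Auth.Start with constructed ServerInfo values on a fixed Go release. The session type, host names and credentials are assumptions made up for the demonstration.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// session is a constructed description of an SMTP connection at AUTH time.
type session struct {
	host       string   // server name the client dialed
	tls        bool     // true only after a completed TLS handshake
	advertised []string // AUTH mechanisms from the EHLO reply
}

// releasesCredentials asks net/smtp's PlainAuth whether it would send the
// credentials on this session; detail is the mechanism or the refusal reason.
func releasesCredentials(s session) (sent bool, detail string) {
	// Constructed account; nothing is sent over a network here.
	auth := smtp.PlainAuth("", "user@example.test", "constructed-password", s.host)
	info := &smtp.ServerInfo{Name: s.host, TLS: s.tls, Auth: s.advertised}
	mech, resp, err := auth.Start(info)
	if err != nil {
		return false, err.Error()
	}
	return len(resp) > 0, mech
}

func main() {
	sessions := []session{
		// Plaintext link where the peer claims PLAIN is supported: refused.
		{host: "mail.example.test", tls: false, advertised: []string{"PLAIN"}},
		// Same server after TLS: credentials are released.
		{host: "mail.example.test", tls: true, advertised: []string{"PLAIN"}},
		// Localhost without TLS: the documented exception.
		{host: "localhost", tls: false, advertised: []string{"PLAIN"}},
	}
	for _, s := range sessions {
		sent, detail := releasesCredentials(s)
		fmt.Printf("host=%-18s tls=%-5v sent=%-5v (%s)\n", s.host, s.tls, sent, detail)
	}
}
```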
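
Added example, not part of the announcement and not the go command's own implementation: a sketch of the nested-checkout rule described above (refuse a checkout found inside a checkout of another version control system, allow git inside git). The function names, the marker list and the in-memory sample tree are assumptions; the root of the sample filesystem stands in for GOPATH/src.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

var markers = [][2]string{{".git", "git"}, {".hg", "hg"}, {".svn", "svn"}, {".bzr", "bzr"}}

// vcsAt reports which VCS, if any, keeps its metadata directly in dir.
func vcsAt(fsys fs.FS, dir string) string {
	for _, m := range markers {
		if _, err := fs.Stat(fsys, path.Join(dir, m[0])); err == nil {
			return m[1]
		}
	}
	return ""
}

// checkNesting walks from dir up to the root of fsys and rejects a checkout
// nested in a checkout of another VCS; git inside git is allowed.
func checkNesting(fsys fs.FS, dir string) error {
	inner, innerDir := "", ""
	for d := path.Clean(dir); d != "." && d != "/"; d = path.Dir(d) {
		switch v := vcsAt(fsys, d); {
		case v == "": // no checkout root at this level
		case inner == "":
			inner, innerDir = v, d
		case inner == "git" && v == "git": // submodule-style nesting
		default:
			return fmt.Errorf("%s checkout %q is nested in %s checkout %q", inner, innerDir, v, d)
		}
	}
	return nil
}

// sampleTree is constructed: git inside Mercurial, and git inside git.
var sampleTree = fstest.MapFS{
	"example.test/outer/.hg/requires":         {},
	"example.test/outer/inner/.git/HEAD":      {},
	"example.test/super/.git/HEAD":            {},
	"example.test/super/vendor/sub/.git/HEAD": {},
}

func main() {
	fmt.Println(checkNesting(sampleTree, "example.test/outer/inner"))
	fmt.Println(checkNesting(sampleTree, "example.test/super/vendor/sub"))
}
```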
