Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released
On Fri, 06 Oct 2017 11:21:10 -0700 Richwrote: Rich writes: > curl https://storage.googleapis.com/golang/go1.9.1.darwin-amd64.tar.gz | tar zxvf - > That will overwrite the existing /usr/local/go directory. To check: You are not alone in making this mistake. I made the *same* mistake when installing a new release on a 32bit freebsd machine and broke go (and wasted Ian's time by filing a bug report). You have to /replace/ the installation, not /overwrite/ it. I forgot since I rarely build go program on this machine. There is a reason why on MacOS, Windows, Linux, *BSD etc. use installers instead of just "tar x" or "unzip" as it allows the installer to run a script to do the right thing (such as checking there is enough space, doing some simple test to check everything went ok, restore the old release if it didn't etc). In spirit "go update" to "go get" what "pkg update" is to "pkg install" or "brew update" is to "brew install". > On Wednesday, October 4, 2017 at 9:41:00 PM UTC-4, Bakul Shah wrote: > > > > Would it make sense for Go to update itself? Something > > like "go update " that fetches a platform > > specific release, does some basic sanity tests and > > if all goes well, overwrites $GOROOT. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released
On linux / mac I just become root, cd to /usr/local then run this one liner: Mac: curl https://storage.googleapis.com/golang/go1.9.1.darwin-amd64.tar.gz | tar zxvf - Linux64: curl https://storage.googleapis.com/golang/go1.9.1.linux-amd64.tar.gz | tar zxvf - That will overwrite the existing /usr/local/go directory. To check: ~] $ go version go version go1.9.1 darwin/amd64 On Wednesday, October 4, 2017 at 9:41:00 PM UTC-4, Bakul Shah wrote: > > Would it make sense for Go to update itself? Something > like "go update " that fetches a platform > specific release, does some basic sanity tests and > if all goes well, overwrites $GOROOT. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released
God no, My system is managed by a *package manager* and I want it to stay that way On Thu, Oct 5, 2017, 03:40 Bakul Shahwrote: > Would it make sense for Go to update itself? Something > like "go update " that fetches a platform > specific release, does some basic sanity tests and > if all goes well, overwrites $GOROOT. > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released
Would it make sense for Go to update itself? Something like "go update " that fetches a platform specific release, does some basic sanity tests and if all goes well, overwrites $GOROOT. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[go-nuts] [security] Go 1.8.4 and Go 1.9.1 are released
Hi gophers, Two security-related issues were recently reported. To address this issue, we have just released Go 1.8.4 and Go 1.9.1. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.9.1). The issues addressed by these releases are: By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the “go get” command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git). The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues. Thanks to Simon Rawet for the report. In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims. This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues. Thanks to Stevie Johnstone for the report. Downloads are available at https://golang.org/dl for all supported platforms. Cheers, Chris (on behalf of the Go team) -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.