unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#54568] Update to Go 1.17.8, Go 1.16.15
@ 2022-03-25 19:19 Pier-Hugues Pellerin
  2022-03-28  3:14 ` bug#54568: " Leo Famulari
  0 siblings, 1 reply; 2+ messages in thread
From: Pier-Hugues Pellerin @ 2022-03-25 19:19 UTC (permalink / raw)
  To: 54568


[-- Attachment #1.1: Type: text/plain, Size: 663 bytes --]

Hello,

This patch updates Go 1.16 and 1.17 to their latest patch and fixes a
security issue with the regexp/syntax package. I've looked at the current
patch and I haven't found one for Go.

This is my first contribution to guix and this process is new to me.

I've made the changes in a single patch, because it covers the same CVE, if
you prefer I can split them.

Also, I've looked to add support for go 1.18 based on the 1.17 package
definition,  at work I've had a few hiccups when upgrading to this new
version. What would be the way to test that packages depending on go (or
go-build-system) would still build with it ?

Thanks

-- 
ph,
http://heykimo.com

[-- Attachment #1.2: Type: text/html, Size: 1024 bytes --]

[-- Attachment #2: 0001-Update-to-Go-1.17.8-Go-1.16.15.patch --]
[-- Type: text/x-patch, Size: 2754 bytes --]

From 0ce9c28d27d1b4d79116f39669ff7c0ac064c8cc Mon Sep 17 00:00:00 2001
From: Pier-Hugues Pellerin <phpellerin@gmail.com>
Date: Fri, 25 Mar 2022 14:02:19 -0400
Subject: [PATCH] Update to Go 1.17.8, Go 1.16.15

Release notes:

go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package[0], as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509 and net packages. See the Go 1.17.8 milestone[1] on our issue tracker for details.
go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package[0], as well as bug fixes to the compiler, runtime, the go command, and the net package. See the Go 1.16.15 milestone[2] on our issue tracker for details.

[0] CVE-2022-24921 and https://go.dev/issue/51112.
[1] https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved
[2] https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved
---
 gnu/packages/golang.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index a8b845e301..f3cc1bd6b8 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -33,6 +33,7 @@
 ;;; Copyright © 2021 Chadwain Holness <chadwainholness@gmail.com>
 ;;; Copyright © 2021 Philip McGrath <philip@philipmcgrath.com>
 ;;; Copyright © 2021 Lu Hui <luhux76@gmail.com>
+;;; Copyright © 2022 Pier-Hugues Pellerin <phpellerin@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -466,7 +467,7 @@ (define-public go-1.16
   (package
     (inherit go-1.14)
     (name "go")
-    (version "1.16.14")
+    (version "1.16.15")
     (source
      (origin
        (method git-fetch)
@@ -476,7 +477,7 @@ (define-public go-1.16
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "16pn7avzmlw28sldx6yv38a1afdwj7jz3x7kjvlagysqrsh5lwwl"))))
+         "0vlk0r4600ah9fg5apdd93g7i369k0rkzcgn7cs8h6qq2k6hpxjl"))))
     (arguments
      (substitute-keyword-arguments
          (strip-keyword-arguments '(#:tests?) (package-arguments go-1.14))
@@ -625,7 +626,7 @@ (define-public go-1.17
   (package
     (inherit go-1.16)
     (name "go")
-    (version "1.17.7")
+    (version "1.17.8")
     (source
      (origin
        (method git-fetch)
@@ -635,7 +636,7 @@ (define-public go-1.17
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "0d0xybn7sy4za3f0s2ffb6yfv6pjabnk4jyvz7dn3hjqhd5lks7m"))))
+         "05qfs17wddxmmi349g9ci12w9fjb5vbss6qpjc4qzgqzznqf0ycy"))))
     (outputs '("out" "tests")) ; 'tests' contains distribution tests.
     (arguments
      `(#:modules ((ice-9 match)

base-commit: cabda1197e7925f58a8532534afc1bde6c5eb377
-- 
2.34.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* bug#54568: Update to Go 1.17.8, Go 1.16.15
  2022-03-25 19:19 [bug#54568] Update to Go 1.17.8, Go 1.16.15 Pier-Hugues Pellerin
@ 2022-03-28  3:14 ` Leo Famulari
  0 siblings, 0 replies; 2+ messages in thread
From: Leo Famulari @ 2022-03-28  3:14 UTC (permalink / raw)
  To: Pier-Hugues Pellerin; +Cc: 54568-done

On Fri, Mar 25, 2022 at 03:19:07PM -0400, Pier-Hugues Pellerin wrote:
> This patch updates Go 1.16 and 1.17 to their latest patch and fixes a
> security issue with the regexp/syntax package. I've looked at the current
> patch and I haven't found one for Go.
> 
> This is my first contribution to guix and this process is new to me.
> 
> I've made the changes in a single patch, because it covers the same CVE, if
> you prefer I can split them.

Thanks! I went ahead and split them on your behalf, pushing as commit
fff27ded10fec7efaec11a231324681fb8dd0857:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=fff27ded10fec7efaec11a231324681fb8dd0857

> Also, I've looked to add support for go 1.18 based on the 1.17 package
> definition,  at work I've had a few hiccups when upgrading to this new
> version. What would be the way to test that packages depending on go (or
> go-build-system) would still build with it ?

I think that one can use the fold-packages procedure to iterate over
packages and select those that use go-build-system. I don't have an
example off-hand. You can get some help with that on the #guix IRC
channel or the <guix-devel@gnu.org> mailing list.




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-03-28  3:15 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-03-25 19:19 [bug#54568] Update to Go 1.17.8, Go 1.16.15 Pier-Hugues Pellerin
2022-03-28  3:14 ` bug#54568: " Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).