* [bug#54568] Update to Go 1.17.8, Go 1.16.15
@ 2022-03-25 19:19 Pier-Hugues Pellerin
2022-03-28 3:14 ` bug#54568: " Leo Famulari
0 siblings, 1 reply; 2+ messages in thread
From: Pier-Hugues Pellerin @ 2022-03-25 19:19 UTC (permalink / raw)
To: 54568
[-- Attachment #1.1: Type: text/plain, Size: 663 bytes --]
Hello,
This patch updates Go 1.16 and 1.17 to their latest patch and fixes a
security issue with the regexp/syntax package. I've looked at the current
patch and I haven't found one for Go.
This is my first contribution to guix and this process is new to me.
I've made the changes in a single patch, because it covers the same CVE, if
you prefer I can split them.
Also, I've looked to add support for go 1.18 based on the 1.17 package
definition, at work I've had a few hiccups when upgrading to this new
version. What would be the way to test that packages depending on go (or
go-build-system) would still build with it ?
Thanks
--
ph,
http://heykimo.com
[-- Attachment #1.2: Type: text/html, Size: 1024 bytes --]
[-- Attachment #2: 0001-Update-to-Go-1.17.8-Go-1.16.15.patch --]
[-- Type: text/x-patch, Size: 2754 bytes --]
From 0ce9c28d27d1b4d79116f39669ff7c0ac064c8cc Mon Sep 17 00:00:00 2001
From: Pier-Hugues Pellerin <phpellerin@gmail.com>
Date: Fri, 25 Mar 2022 14:02:19 -0400
Subject: [PATCH] Update to Go 1.17.8, Go 1.16.15
Release notes:
go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package[0], as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509 and net packages. See the Go 1.17.8 milestone[1] on our issue tracker for details.
go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package[0], as well as bug fixes to the compiler, runtime, the go command, and the net package. See the Go 1.16.15 milestone[2] on our issue tracker for details.
[0] CVE-2022-24921 and https://go.dev/issue/51112.
[1] https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved
[2] https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved
---
gnu/packages/golang.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index a8b845e301..f3cc1bd6b8 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -33,6 +33,7 @@
;;; Copyright © 2021 Chadwain Holness <chadwainholness@gmail.com>
;;; Copyright © 2021 Philip McGrath <philip@philipmcgrath.com>
;;; Copyright © 2021 Lu Hui <luhux76@gmail.com>
+;;; Copyright © 2022 Pier-Hugues Pellerin <phpellerin@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -466,7 +467,7 @@ (define-public go-1.16
(package
(inherit go-1.14)
(name "go")
- (version "1.16.14")
+ (version "1.16.15")
(source
(origin
(method git-fetch)
@@ -476,7 +477,7 @@ (define-public go-1.16
(file-name (git-file-name name version))
(sha256
(base32
- "16pn7avzmlw28sldx6yv38a1afdwj7jz3x7kjvlagysqrsh5lwwl"))))
+ "0vlk0r4600ah9fg5apdd93g7i369k0rkzcgn7cs8h6qq2k6hpxjl"))))
(arguments
(substitute-keyword-arguments
(strip-keyword-arguments '(#:tests?) (package-arguments go-1.14))
@@ -625,7 +626,7 @@ (define-public go-1.17
(package
(inherit go-1.16)
(name "go")
- (version "1.17.7")
+ (version "1.17.8")
(source
(origin
(method git-fetch)
@@ -635,7 +636,7 @@ (define-public go-1.17
(file-name (git-file-name name version))
(sha256
(base32
- "0d0xybn7sy4za3f0s2ffb6yfv6pjabnk4jyvz7dn3hjqhd5lks7m"))))
+ "05qfs17wddxmmi349g9ci12w9fjb5vbss6qpjc4qzgqzznqf0ycy"))))
(outputs '("out" "tests")) ; 'tests' contains distribution tests.
(arguments
`(#:modules ((ice-9 match)
base-commit: cabda1197e7925f58a8532534afc1bde6c5eb377
--
2.34.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* bug#54568: Update to Go 1.17.8, Go 1.16.15
2022-03-25 19:19 [bug#54568] Update to Go 1.17.8, Go 1.16.15 Pier-Hugues Pellerin
@ 2022-03-28 3:14 ` Leo Famulari
0 siblings, 0 replies; 2+ messages in thread
From: Leo Famulari @ 2022-03-28 3:14 UTC (permalink / raw)
To: Pier-Hugues Pellerin; +Cc: 54568-done
On Fri, Mar 25, 2022 at 03:19:07PM -0400, Pier-Hugues Pellerin wrote:
> This patch updates Go 1.16 and 1.17 to their latest patch and fixes a
> security issue with the regexp/syntax package. I've looked at the current
> patch and I haven't found one for Go.
>
> This is my first contribution to guix and this process is new to me.
>
> I've made the changes in a single patch, because it covers the same CVE, if
> you prefer I can split them.
Thanks! I went ahead and split them on your behalf, pushing as commit
fff27ded10fec7efaec11a231324681fb8dd0857:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=fff27ded10fec7efaec11a231324681fb8dd0857
> Also, I've looked to add support for go 1.18 based on the 1.17 package
> definition, at work I've had a few hiccups when upgrading to this new
> version. What would be the way to test that packages depending on go (or
> go-build-system) would still build with it ?
I think that one can use the fold-packages procedure to iterate over
packages and select those that use go-build-system. I don't have an
example off-hand. You can get some help with that on the #guix IRC
channel or the <guix-devel@gnu.org> mailing list.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-03-28 3:15 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-25 19:19 [bug#54568] Update to Go 1.17.8, Go 1.16.15 Pier-Hugues Pellerin
2022-03-28 3:14 ` bug#54568: " Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).