September 2022 - golang - Fedora Mailing-Lists

Thread to send your Golang package reviews which are waiting

by Robert-André Mauchin

Thread to send your Golang package reviews which are waiting... reply to this thread so we can sync up our efforts. Best regards Robert-André

3 weeks

5
6
0 / 0

[golist] PR #30: Don't skip testdata

by Matyáš Kroupa

krouma opened a new pull-request against the project: `golist` that you are following: `` Don't skip testdata `` To reply, visit the link below or just reply to this email https://pagure.io/golist/pull-request/30

1 month

3
3
0 / 0

[go-rpm-macros] PR #34: Add BUILDTAGS to %gobuildflags

by Brian C. Lane

bcl opened a new pull-request against the project: `go-rpm-macros` that you are following: `` Add BUILDTAGS to %gobuildflags `` To reply, visit the link below or just reply to this email https://pagure.io/go-rpm-macros/pull-request/34

1 month

7
19
0 / 0

[golist] PR #29: Deduplicate CollectProjectDeps

by Matyáš Kroupa

krouma opened a new pull-request against the project: `golist` that you are following: `` Deduplicate CollectProjectDeps `` To reply, visit the link below or just reply to this email https://pagure.io/golist/pull-request/29

1 month

2
1
0 / 0

Hashicorp Consul Packages

by Mark E. Fuller

In my continuing work on building terraform[0], I have a what appears to be a version conflict between two hashicorp consul packages: ... Error: Transaction test error: file /usr/share/gocode/src/github.com/hashicorp/consul/.goipath conflicts between attempted installs of golang-github-hashicorp-consul-sdk-devel-0.7.0-5.fc37.noarch and golang-github-hashicorp-consul-api-devel-1.9.1-7.fc38.noarch file /usr/share/gocode/src/github.com/hashicorp/consul/CHANGELOG.md conflicts between attempted installs of golang-github-hashicorp-consul-sdk-devel-0.7.0-5.fc37.noarch and golang-github-hashicorp-consul-api-devel-1.9.1-7.fc38.noarch file /usr/share/gocode/src/github.com/hashicorp/consul/go.mod conflicts between attempted installs of golang-github-hashicorp-consul-sdk-devel-0.7.0-5.fc37.noarch and golang-github-hashicorp-consul-api-devel-1.9.1-7.fc38.noarch ... Both of these packages (see [1] and [2]) are derived from the same repo, github.com/hashicorp/consul. My question is, why are there two packages pointing to the same repo? (Yes, I realize it is two different modules within it, but could they be merged?) Second, is there a way I can address this conflict on my end or are modifications to one or both of the consul packages required to resolve the issue? [0] https://download.copr.fedorainfracloud.org/results/fuller/terraform/fedor... [1] https://src.fedoraproject.org/rpms/golang-github-hashicorp-consul-sdk/blo... [2] https://src.fedoraproject.org/rpms/golang-github-hashicorp-consul-api/blo... -- Mark E. Fuller, Ph.D. fuller(a)fedoraproject.org fuller(a)mefuller.dev @fuller:fedora.im @fuller:one.ems.host https://www.stossrohr.net PGP Fingerprint: 73F1 A30C BDF4 DB4B C75F FD0F D599 E76C FFCA BF60

5 months, 4 weeks

2
2
0 / 0

CVE Tracking Bugs

by Maxwell G

Hi Fedorians, I think the security tracking bug filing process needs to be amended. The current process is quite frustrating for me and other contributors. This is especially bad for Go CVEs, which there are lot of. Red Hat Product Security creates a single tracking bug for Fedora{, EPEL} _and_ all Red Hat products and CCs a bunch of Fedora maintainers. They then create separate bugs for each package that they deem affected. The affected packages are oftened determined in a manner that appears overzealous and arbitrary. After the bugs are created, we get spammed with a bunch of notifications about private bugs, RH product errata, and various other things that are completely irrelevant to Fedora. These messages flood my Bugzilla mailbox and obscure actual issues that I need to address. I do not really care whether a Go CVE has been mitigated in Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8" or "Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8." --- Some particularly egregious examples: I maintain an Ansible kubernetes collection, and they reported it as vulnerable to some CVE with a specific Openshift component. The collection not vulnerable. They provided no actionable information, and the description was unclear. When I asked why it was reported, they said that the package "used OpenShift." A couple Go CVEs ago[^1], they created bugs against hundreds of Go libraries. They arbitrarily chose branches and packages. The bugs were not actionable by packagers of individual go libraries. Only applications that provide binaries need to be rebuilt. They were reported shortly before the F34 EOL, so we got a huge amount of emails after the bugs were automatically closed. In fact, a Go packager reported that these messages from the _security_ team DOSed their mail server. To their credit, they have fixed this issue after one of the other Go SIG people talked to them. Now, these bugs are only filed against the golang component. [^1]: Really, it was a couple Go releases ago. There are multiple CVEs reported with each Go release these days. Another time, their automation posted the exact same comment over 200 times. --- First and foremost, there needs to be a clear way for packagers to report problems with this process to prodsec. I don't think Fedora packagers should be CCed on these global trackers. We could create a separate "Security Response" component under the "Fedora" Bugzilla product to create tracker bugs for CVEs that affect multiple Fedora components, or we could ask prodsec to only CC Fedora maintainers on the child, package-level bugs. I guess I could acomplish what I'm proposing by filtering out mails with "X-Bugzilla-Product: Security Response" headers and not have gone on this rant, but I still think this needs to be addressed. Does anyone know how to reach prodsec about this? -- Best, Maxwell G (@gotmax23) Pronouns: He/Him/His

5 months, 4 weeks

3
2
0 / 0

Working on building Terraform - couple questions

by Mark E. Fuller

Hi all, I'm working on a COPR to try to get Terraform built so that I can get it into Fedora and I have just a few minor issues outstanding that I could use some feedback/help on: 1) https://download.copr.fedorainfracloud.org/results/fuller/terraform/fedor... ... cannot find package "github.com/hashicorp/aws-sdk-go-base/tools" in any of: /usr/lib/golang/src/github.com/hashicorp/aws-sdk-go-base/tools (from $GOROOT) /builddir/build/BUILD/aws-sdk-go-base-0.4.0/_build/src/github.com/hashicorp/aws-sdk-go-base/tools (from $GOPATH) /usr/share/gocode/src/github.com/hashicorp/aws-sdk-go-base/tools ... Can anyone suggest why I would get the error that this package cannot find one of its own internal modules? 2) https://download.copr.fedorainfracloud.org/results/fuller/terraform/fedor... ... No matching package to install: 'golang(github.com/tencentyun/qcloud-cos-sts-sdk/go)' ... Here I have already built golang(github.com/tencentyun/qcloud-cos-sts-sdk) in my COPR, but the module references above ($TL/go) isn't found. Any thoughts? 3) And finally, I've disabled tests in a few places - doing so with e.g. "-d folder" works fine, but e.g. "-d internal/folder" for a subfolder doesn't seem to work right? Is there a syntax issue I'm missing, or did I just misread something and both examples I gave here are correct? Thanks all, fuller -- Mark E. Fuller, Ph.D. fuller(a)fedoraproject.org fuller(a)mefuller.dev @fuller:fedora.im @fuller:one.ems.host https://www.stossrohr.net PGP Fingerprint: 73F1 A30C BDF4 DB4B C75F FD0F D599 E76C FFCA BF60

6 months

3
2
0 / 0

[Fedocal] Reminder meeting : Go SIG

by jcajka＠fedoraproject.org

Dear all, You are kindly invited to the meeting: Go SIG on 2022-09-26 from 20:00:00 to 21:00:00 Europe/Prague At fedora-golang(a)libera.chat The meeting will be about: Fedora's Go SIG meeting More information available at: [https://pagure.io/GoSIG/go-sig/](https://pagure.io/GoSIG/go-sig/) Source: https://calendar.fedoraproject.org//meeting/10012/

6 months

1
0
0 / 0

Re: Non-responsive maintainer check for olem

by Maxwell G

On Fri Sep 2, 2022, Maxwell G via devel wrote: > > Sep 2, 2022 5:36:41 AM Fabio Valentini <decathorpe(a)gmail.com>: > > > Does anybody know whether olem still wants to maintain their Fedora > > packages? > I'm fairly sure that they no longer wish to maintain Fedora packages. I > reached out to them about moby-engine and containerd at the end of May, > and they said they no longer have time to maintain them. I have been > maintaining those packages myself for a while. > > Side note: I have asked for co-maintainers for those packages a couple > times, but so far, I have not found any. Perhaps one of the CoreOS people > would be interested? It seems those packages are used a lot there based > on the bug reports we've gotten. It looks like the nonresponsive maintainer process is going to proceed. I've done some analysis of the Go packages that will be orphaned so the Go SIG can figured out how to handle this. This was done by hand, so please excuse any errors. The following packages are dependencies of golang-github-docker{,-cli} and/or containerd: 1. golang-github-hanwen-fuse 2. golang-github-fvbommel-sortorder 3. golang-github-containerd-nri 4. golang-github-moby-locker 5. golang-github-moby-term 6. golang-github-tonistiigi-rosetta 7. golang-github-google-containerregistry 8. golang-github-containerd-stargz-snapshotter (FTBFS) 9. golang-github-kyokomi-emoji is a dependency of hugo olem also maintained open-policy-agent and some of its dependencies: - open-policy-agent - golang-github-yashtewari-glob-intersection (open-policy-agent is the only dependent) - golang-uber-automaxprocs (dependency of both open-policy-agent and clash) This maintainer also maintained golang-github-jsonnet-bundler and golang-github-containerd-cni. These packages are leaves. I sent a separate message to the golang list about retiring these. I suppose we could just wait for it to happen automatically. Many of these libraries are out of date, but only one of them FTBFS (according to Koschei), which I'd consider pretty good. Updating these packages will likely require packaging a bunch of new dependencies. I think eclipseo has been doing some work on the docker side of things, though. Thanks for that! I have been keeping containerd and moby-engine up to date. moby-engine could use a cleanup. Currently, docker-proxy (github.com/moby/libnetwork), docker-init (bundled tini-static), dockerd (github.com/moby/moby), and the docker cli (github.com/docker/cli) are all part of the moby-engine package. This makes the specfile rather cumbersome. Ideally, it should be split up. I just haven't had the time to do so. docker cli should be straightforward. github.com/moby/libnetwork will soon be merged into github.com/moby/moby, so docker-proxy doesn't make sense to split out right now. For docker-init, we should investigate whether we could configure docker to look for the existing tini-static binary or at least create a symlink. It expects the binary to be installed to %{_libexecdir}/docker/docker-init. I am really not a fan of the bundled tini-static. -- Best, Maxwell G (@gotmax23) Pronouns: He/Him/His

6 months

2
1
0 / 0

[go-rpm-macros] Issue #50: arched devel packages

by Mikel Olasagasti

mikelo2 reported a new issue against the project: `go-rpm-macros` that you are following: `` Currently there is no option to ship arched devel packages. The ask is to have a macro, `%go_arched_devel` for example, to allow certain packages's devel package, `golang-x-crypto` for example, to be arched rather than noarch, so package depending on them can benefit from extra performance. The rest of the devel packages that don't declare the macro would be still noarch. `` To reply, visit the link below or just reply to this email https://pagure.io/go-rpm-macros/issue/50

6 months

3
4
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

golang September 2022