Hi Florian!
Thank you for the idea!
I knew about 'go version', which would give me the Go version as a whole, but not about the possibility of using it to see the versions of the used modules - great to know!
On 3/21/25 10:53, Florian Weimer wrote:
> A different way to do this would involve a dependency generator that looks at “go version -m” output like this:
>
> dep golang.org/x/crypto v0.32.0
> dep golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
> dep golang.org/x/mod v0.22.0
> dep golang.org/x/net v0.34.0
> dep golang.org/x/oauth2 v0.25.0
> dep golang.org/x/sync v0.10.0
> dep golang.org/x/sys v0.29.0
> dep golang.org/x/term v0.28.0
> dep golang.org/x/text v0.21.0
> dep golang.org/x/time v0.9.0
How did you get such output from 'go version -m'? Or is it a theoretical output? Because if I call this on my ipp-usb binary, I get this output:

$ go version -m /usr/sbin/ipp-usb
/usr/sbin/ipp-usb: go1.23.7
	path	github.com/OpenPrinting/ipp-usb
	build	-buildmode=pie
	build	-compiler=gc
	build	-ldflags=" -X github.com/OpenPrinting/ipp-usb/version.tag=0.9.30 -X github.com/OpenPrinting/ipp-usb/version=0.9.30 -B 0x457d8742863cca388e12a3c37376a7e5c1b4eebe -compressdwarf=false -linkmode=external -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes '"
	build	-tags=rpm_crashtraceback
	build	DefaultGODEBUG=asynctimerchan=1,gotypesalias=0,httplaxcontentlength=1,httpmuxgo121=1,httpservecontentkeepheaders=1,netedns0=0,panicnil=1,tls10server=1,tls3des=1,tlskyber=0,tlsrsakex=1,tlsunsafeekm=1,winreadlinkvolume=0,winsymlink=0,x509keypairleaf=0,x509negativeserial=1
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=amd64
	build	GOOS=linux
	build	GOAMD64=v1

I can see the Go version it was built with, but not the goipp Go module, which is a dependency of ipp-usb and is statically linked into the ipp-usb binary.
> And generates the usual Provides: from that:
>
> Provides: bundled(golang.org/x/crypto) = v0.32.0
> Provides: bundled(golang.org/x/exp) = v0.0.0-20250103183323-7d7fa50e5329
> Provides: bundled(golang.org/x/mod) = v0.22.0
> Provides: bundled(golang.org/x/net) = v0.34.0
> Provides: bundled(golang.org/x/oauth2) = v0.25.0
> Provides: bundled(golang.org/x/sync) = v0.10.0
> Provides: bundled(golang.org/x/sys) = v0.29.0
> Provides: bundled(golang.org/x/term) = v0.28.0
> Provides: bundled(golang.org/x/text) = v0.21.0
> Provides: bundled(golang.org/x/time) = v0.9.0
>
> This data might be easier to query.
This would be great if we always rebase the package to the version with the CVE fix; however, it won't cover cases where the CVE fix is backported :(

I have tried to define BuildRequires and set the version for it by getting the data via rpm, but this would have to happen later in the RPM build process to get the correct version present in the buildroot.
Zdenek
> Thanks, Florian
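A dependency generator of the kind Florian sketches, written as an added example for this thread (it is not code from the thread, from ipp-usb, or from Fedora's Go packaging macros): it parses `go version -m` output into dep records and renders `Provides: bundled(...)` lines. The two sample inputs are constructed for the example; the `example.com/hypothetical/*` module paths and the `./vendor-lib` replace are placeholders. Besides the plain case, it handles `=>` replace lines, which real `go version -m` output prints after a `dep` when a module was replaced, and the case Zdenek hit above: a binary whose build info carries only `path` and `build` lines (no module information) yields no deps and therefore no Provides, rather than an error. Real build info is tab-separated; `strings.Fields` also accepts the space-separated form quoted in the thread.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Dep is one module recorded in a binary's build info ("dep" lines).
type Dep struct {
	Path    string
	Version string // empty when the build info gives no tagged version
}

// ParseGoVersionM extracts the statically linked modules from the text
// printed by "go version -m". A "=>" line directly after a "dep" is a
// replace directive: the replacement is what was actually compiled in,
// so it supersedes the preceding dep.
func ParseGoVersionM(out string) []Dep {
	var deps []Dep
	sc := bufio.NewScanner(strings.NewReader(out))
	sc.Buffer(make([]byte, 1024*1024), 1024*1024) // -ldflags lines can be long
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 { // header, "path" and most "build" lines are not deps
			continue
		}
		switch f[0] {
		case "dep":
			deps = append(deps, Dep{Path: f[1], Version: f[2]})
		case "=>":
			n := len(deps)
			if n == 0 {
				continue
			}
			if strings.HasPrefix(f[2], "v") {
				// module-to-module replace: different path and/or version
				deps[n-1] = Dep{Path: f[1], Version: f[2]}
			} else {
				// directory replace, e.g. "=> ./dir (devel)": the code is no
				// published version, so keep the module path and make no
				// version claim (a choice made for this example, not RPM policy)
				deps[n-1].Version = ""
			}
		}
	}
	return deps
}

// Provides renders the RPM lines a dependency generator would print.
func Provides(deps []Dep) []string {
	lines := make([]string, 0, len(deps))
	for _, d := range deps {
		if d.Version == "" {
			lines = append(lines, fmt.Sprintf("Provides: bundled(%s)", d.Path))
			continue
		}
		lines = append(lines, fmt.Sprintf("Provides: bundled(%s) = %s", d.Path, d.Version))
	}
	return lines
}

// Constructed sample, modelled on the module-aware output quoted in the thread,
// with a hash column, a module replace and a directory replace added.
const SampleModuleAware = `/usr/bin/example: go1.23.7
	path	example.com/hypothetical/tool
	mod	example.com/hypothetical/tool	(devel)
	dep	golang.org/x/crypto	v0.32.0	h1:AAAA
	dep	golang.org/x/net	v0.34.0	h1:BBBB
	=>	golang.org/x/net	v0.33.0	h1:CCCC
	dep	example.com/hypothetical/lib	v1.2.0	h1:DDDD
	=>	./vendor-lib	(devel)
	build	-buildmode=pie
	build	GOARCH=amd64
`

// Abridged from the ipp-usb output above: no "mod" or "dep" lines at all.
const SampleNoModuleInfo = `/usr/sbin/ipp-usb: go1.23.7
	path	github.com/OpenPrinting/ipp-usb
	build	-buildmode=pie
	build	-compiler=gc
	build	CGO_ENABLED=1
`

func main() {
	fmt.Println("# embedded sample:")
	for _, l := range Provides(ParseGoVersionM(SampleModuleAware)) {
		fmt.Println(l)
	}
	// Each argument is a binary to inspect (an RPM generator would read
	// the paths from stdin instead; arguments keep this runnable by hand).
	for _, path := range os.Args[1:] {
		out, err := exec.Command("go", "version", "-m", path).Output()
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		for _, l := range Provides(ParseGoVersionM(string(out))) {
			fmt.Println(l)
		}
	}
}
```

The empty result for the ipp-usb-style input is the point to check in a generator: a binary built without module information (no `mod`/`dep` lines) silently contributes no `bundled()` Provides, so the absence of such Provides says nothing about what is linked in. And, as Zdenek notes, even a populated list only tracks tagged versions; a backported fix leaves the version string unchanged.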