On Thu, Mar 20, 2025 at 4:22 PM Zdenek Dohnal via golang <golang@lists.fedoraproject.org> wrote:
Hi all,
I maintain two components written in Go, so from time to time the components get CVE reports where the vulnerable code comes from another component via static linking during build.
I was trying to figure out how to make this better, and together with Jason (in CC) got an idea about automatic versioned BuildRequires for Go packages, where the versions would be taken from the package versions present in the buildroot.
I've checked the Go Fedora guidelines and saw there is a %go_generate_buildrequires macro, which looked promising, but unfortunately it does not generate BuildRequires on golang, and none of the BuildRequires are versioned :(.
Do you think it is possible to have such a feature?
e.g. BuildRequires: golang-src >= 1.24.1-1, or BuildRequires: golang(github.com/golang/go) >= 1.24.1-1
would tell us the package is built with this golang version, and if a new golang version comes into the repos later, the package will still work with the new golang due to the '>='.
Once a CVE fix lands in golang and a new golang version is released, the presence of the older version in the BuildRequires of another package will indicate that the package includes vulnerable code, and it has to be rebuilt once the original package includes the fix.
I have tried to come up with at least a PoC for getting the golang version from the buildroot and adding the versioned BuildRequires, but no luck so far.
I'm not really sure if I understand the problem, but hope these two things help:
First, this is not exactly what you want to do, but we have a script in the rpms/golang package to generate the provides, maybe you can draw inspiration from it: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/bundled-deps.sh
Second, regarding the %go_generate_buildrequires macro, have you tried using go2rpm? (Again, I checked your golang packages, and it seems you generated them years ago with an old version of go2rpm.) In the most recent versions it uses %go_generate_buildrequires by default. Just in case there are some issues in the way you are invoking the macro.
Thank you in advance!
Zdenek
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
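The rebuild check described in the message above, as an added example (not code from Fedora, go2rpm or the poster): it assumes specs record the proposed `BuildRequires: golang >= VERSION-RELEASE` line, reimplements rpm's version ordering in Python (rpmvercmp-style, without caret handling), and reports packages whose recorded golang predates the version carrying a fix. The package names and spec lines are constructed.

```python
import re
# Segments: digit runs, letter runs and the '~' pre-release marker ('^' ordering omitted).
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings; returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # '~' sorts before anything, even the end
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # Extra trailing segments make a version newer, unless they begin with '~'.
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign

def evr_cmp(a: str, b: str) -> int:
    # Compare VERSION-RELEASE strings such as '1.24.1-1.fc42' (epoch omitted).
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Matches the versioned BuildRequires forms proposed in the thread.
_BR = re.compile(r"^BuildRequires:\s*(?:golang(?:-src)?|golang\(github\.com/golang/go\))\s*>=\s*(\S+)", re.M)

def needs_rebuild(spec_text: str, fixed_golang: str) -> bool:
    """True when the recorded golang predates the fixed one, or nothing is recorded."""
    m = _BR.search(spec_text)
    return m is None or evr_cmp(m.group(1), fixed_golang) < 0

def packages_to_rebuild(specs: dict, fixed_golang: str) -> list:
    return sorted(n for n, text in specs.items() if needs_rebuild(text, fixed_golang))

# Constructed sample specs (hypothetical package names, not real Fedora packages).
SPECS = {
    "example-a": "Name: example-a\nBuildRequires: golang >= 1.24.0-1.fc42\n",
    "example-b": "Name: example-b\nBuildRequires: golang-src >= 1.24.1-1.fc42\n",
    "example-c": "Name: example-c\nBuildRequires: golang >= 1.24.1~rc1-1.fc42\n",
    "example-d": "Name: example-d\nBuildRequires: golang\n",   # unversioned: cannot prove
}

if __name__ == "__main__":
    print(packages_to_rebuild(SPECS, "1.24.1-1.fc42"))  # ['example-a', 'example-c', 'example-d']
```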
--
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue