Hi Fedorians and Gophers,
golang 1.18.4 was released a couple days ago. This release has fixes for 9 medium (rated by Red Hat Product Security) CVEs, so I will perform a rebuild in `rawhide` and `f36` to mitigate them[^0]. See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.
[^0]: The golang version in Fedora 35 is EOL upstream, and the maintainers have not yet had a chance to backport the changes.
Only packages that provide binaries need to be rebuilt, which will make this rebuild less disruptive. These packages were determined by querying for source packages that BuildRequire `golang` or `go-rpm-macros` and then checking if they provide any binary RPMs that install files in `/usr/bin`, `/usr/sbin`, or `/usr/libexec`.
No action will be required from you, unless you'd like your package to receive special treatment regarding merging `rawhide` into `f36`. I plan to handle this rebuild later this week (the week of the 17th).
In light of the recent discussion about large updates, I will most likely split this into 4 Bodhi updates per branch (a total of 8; each containing ~100 packages).
## rawhide
Here[1] is a list of the affected packages on `rawhide`.
[1]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1....
## f36
Here[2] is a list of all of the affected packages on `f36`. However, I have further split this list down into two subgroups.
[2]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1....
### Mergable from Rawhide
For these packages[3], `rawhide` was determined to be mergable back to `f36`, as `f36` is up to date with `rawhide`.
[3]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1....
### Not mergable
These packages were determined to not be mergable[4], as `rawhide` is ahead of (or has otherwise diverged from) `f36`. Therefore, I will create a new rebuild commit and bump the release on `f36`. This will likely cause merge conflicts if you try to merge `rawhide` back into `f36` after this change. Assuming the update would be compatible and comply with the Updates Policy, I can move your package into the other list and merge `rawhide` into `f36`. Please leave a comment on https://pagure.io/GoSIG/go-sig/issue/44 if you would like me to do so. Conversely, if you believe your package is incorrectly in the mergable list, also let me know in the aforementioned ticket.
[4]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1....
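The selection rule described in the message above (source packages that BuildRequire `golang` or `go-rpm-macros` and ship a binary RPM with files under `/usr/bin`, `/usr/sbin` or `/usr/libexec`), as an added example that is not part of the original post or the author's scripts. The package names and file lists are constructed, and `SourcePackage`, `uses_go_toolchain`, `ships_executable` and `needs_rebuild` are hypothetical names.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Build dependencies and install directories named in the announcement.
GO_BUILD_DEPS = {"golang", "go-rpm-macros"}
BINARY_DIRS = [PurePosixPath(d) for d in ("/usr/bin", "/usr/sbin", "/usr/libexec")]

@dataclass
class SourcePackage:  # hypothetical record, not a dnf or koji type
    name: str
    build_requires: list   # raw BuildRequires strings
    binary_rpms: dict      # binary RPM name -> list of installed paths

def uses_go_toolchain(pkg):
    # "golang >= 1.18" counts; "golang(example.test/lib)" is a library
    # dependency, not the toolchain, so compare the bare name only.
    return any(req.split()[0] in GO_BUILD_DEPS
               for req in pkg.build_requires if req.strip())

def ships_executable(pkg):
    # True when any binary RPM installs a file below one of BINARY_DIRS.
    # Matching on path components keeps /usr/binfoo/x from matching /usr/bin.
    for files in pkg.binary_rpms.values():
        for path in files:
            if any(d in PurePosixPath(path).parents for d in BINARY_DIRS):
                return True
    return False

def needs_rebuild(packages):
    return sorted(p.name for p in packages
                  if uses_go_toolchain(p) and ships_executable(p))

# Constructed sample metadata (not real Fedora packages).
SAMPLE = [
    SourcePackage("example-cli", ["golang >= 1.18", "git"],
                  {"example-cli": ["/usr/bin/example-cli", "/usr/share/man/man1/example-cli.1.gz"]}),
    SourcePackage("golang-example-lib", ["go-rpm-macros"],
                  {"golang-example-lib-devel": ["/usr/share/gocode/src/example.test/lib/lib.go"]}),
    SourcePackage("example-daemon", ["go-rpm-macros", "systemd-rpm-macros"],
                  {"example-daemon": ["/usr/libexec/example/helper", "/usr/lib/systemd/system/example.service"]}),
    SourcePackage("example-c-tool", ["gcc", "golang(example.test/lib)"],
                  {"example-c-tool": ["/usr/sbin/example-c-tool"]}),
    SourcePackage("example-odd", ["golang"], {"example-odd": ["/usr/binfoo/tool"]}),
]

if __name__ == "__main__":
    print(needs_rebuild(SAMPLE))
```

Source-only library packages drop out because they install no executables; the Go standard library is linked into each built binary, which is why those binaries are what a toolchain fix has to be rebuilt into.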
Hi Maxwell,
Fedora release engineering is running a mass rebuild of rawhide on 20.6., if your changes are merged in rawhide/main branches by then, they will be included.
Hi Tomáš,
Jul 18, 2022 1:42:30 AM Tomas Hrcka <thrcka@redhat.com>:
> Fedora release engineering is running a mass rebuild of rawhide on 20.6., if your changes are merged in rawhide/main branches by then, they will be included.
Indeed. The distro-wide mass rebuild has been in the back of my mind, but I'm not sure why I didn't think about it more when planning this.
I will still do the "Rebuild for golang..." changelog bump on rawhide for the f36 mergable packages[^1], but I won't actually submit the builds to avoid duplicating work and disrupting the F37 Mass Rebuild.
[^1]: If you all couldn't already tell, I really don't like dealing with changelog/release related merge conflicts, so I try to avoid them when making mass changes :).
--
Thanks,
Maxwell G (@gotmax23)
Pronouns: He/Him/His
On 22/07/17 09:57PM, Maxwell G wrote:
> golang 1.18.4 was released a couple days ago. This release has fixes for 9 medium (rated by Red Hat Product Security) CVEs, so I will perform a rebuild in `rawhide` and `f36` to mitigate them[^0]. See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.
I am planning to handle the rebuild today, as I'd like to have it done before the F37 Mass Rebuild. As discussed, this will not affect rawhide, only f36.