On Wed, Sep 18, 2019 at 12:28:29PM -0700, Zac Medico wrote:
> On 9/18/19 11:04 AM, Alec Warner wrote:
> > 
> > 
> > On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <mjo@gentoo.org
> > <mailto:mjo@gentoo.org>> wrote:
> > 
> >     On 9/16/19 10:17 AM, William Hubbs wrote:
> >     > +
> >     > +# @FUNCTION: go-module_pkg_postinst
> >     > +# @DESCRIPTION:
> >     > +# Display a warning about security updates for Go programs.
> >     > +go-module_pkg_postinst() {
> >     > +     ewarn "${PN} is written in the Go programming language."
> >     > +     ewarn "Since this language is statically linked, security"
> >     > +     ewarn "updates will be handled in individual packages and
> >     will be"
> >     > +     ewarn "difficult for us to track as a distribution."
> >     > +     ewarn "For this reason, please update any go packages asap
> >     when new"
> >     > +     ewarn "versions enter the tree or go stable if you are
> >     running the"
> >     > +     ewarn "stable tree."
> >     > +}
> >     > +
> >     > +fi
> >     >
> > 
> >     This word salad is 100% misinformation that gets tangled in itself
> >     trying to apologize for what we're about to do:
> > 
> >       * Go is not a "statically linked language." There's gccgo, and as Alec
> >         pointed out, the official compiler has supported dynamic linking for
> >         years now.
> > 
> > 
> > I'm actually pretty fine with this wording, upstream has said not to
> > dynamically link in these use cases.
> >  
> > 
> > 
> >       * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
> >         trying to make it sound like we haven't thrown people under a bus,
> >         but saying "for this reason, please update..." is just misleading.
> > 
> >     Here's what it should say:
> > 
> >       WARNING: due to a lack of manpower/interest, Go packages on Gentoo
> >       are statically linked. Contrary to our existing policies and what
> >       the website says, Go packages will never receive any security updates
> >       on Gentoo. Use at your own risk!
> > 
> > 
> > So if the package *maintainer* bumps each package every time it, or a
> > dep has a security issue; then updating will work fine.
> > I'm skeptical go maintainers are volunteering for this though.
> 
> There's a script here which helps to automate refresh of commit hashes
> in EGO_VENDOR:
> 
>     https://github.com/hsoft/gentoo-ego-vendor-update
> 
> Just now I've used it to refresh vendored dependencies in
> net-misc/drive:
> 
>     https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3993b893d4788beaad945bc82df0f4efd91ce697

I have seen that script, and it really doesn't work for modules. it
would need to parse go.mod and grab the dependencies based on the
information in that file.

William