From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D5E99138334 for ; Wed, 18 Sep 2019 17:50:07 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 52DF2E0933; Wed, 18 Sep 2019 17:50:04 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 051BAE0883 for ; Wed, 18 Sep 2019 17:50:03 +0000 (UTC) Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mjo) by smtp.gentoo.org (Postfix) with ESMTPSA id 3810134B352 for ; Wed, 18 Sep 2019 17:50:01 +0000 (UTC) Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules To: gentoo-dev@lists.gentoo.org References: <20190916141719.12922-1-williamh@gentoo.org> <20190916141719.12922-2-williamh@gentoo.org> From: Michael Orlitzky Message-ID: <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org> Date: Wed, 18 Sep 2019 13:49:55 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 In-Reply-To: <20190916141719.12922-2-williamh@gentoo.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Archives-Salt: 63ba2b66-7b96-457a-ac27-3967f7b09d0a X-Archives-Hash: 02875838f5b2b5c8a55e0ff558a1f43e On 9/16/19 10:17 AM, William Hubbs wrote: > + > +# @FUNCTION: go-module_pkg_postinst > +# @DESCRIPTION: > +# Display a warning about security updates for Go programs. > +go-module_pkg_postinst() { > + ewarn "${PN} is written in the Go programming language." > + ewarn "Since this language is statically linked, security" > + ewarn "updates will be handled in individual packages and will be" > + ewarn "difficult for us to track as a distribution." > + ewarn "For this reason, please update any go packages asap when new" > + ewarn "versions enter the tree or go stable if you are running the" > + ewarn "stable tree." > +} > + > +fi > This word salad is 100% misinformation that gets tangled in itself trying to apologize for what we're about to do: * Go is not a "statically linked language." There's gccgo, and as Alec pointed out, the official compiler has supported dynamic linking for years now. * Updating DOES NOT HELP AT ALL. That's the whole problem. You're trying to make it sound like we haven't thrown people under a bus, but saying "for this reason, please update..." is just misleading. Here's what it should say: WARNING: due to a lack of manpower/interest, Go packages on Gentoo are statically linked. Contrary to our existing policies and what the website says, Go packages will never receive any security updates on Gentoo. Use at your own risk!