From: Zac Medico <zmedico@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
Date: Wed, 18 Sep 2019 12:28:29 -0700
Message-ID: <3d5adfdf-ed54-8245-18f9-4922db627e98@gentoo.org>
References: <20190916141719.12922-1-williamh@gentoo.org> <20190916141719.12922-2-williamh@gentoo.org> <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org>

On 9/18/19 11:04 AM, Alec Warner wrote:
> 
> 
> On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky wrote:
> 
> On 9/16/19 10:17 AM, William Hubbs wrote:
> > +
> > +# @FUNCTION: go-module_pkg_postinst
> > +# @DESCRIPTION:
> > +# Display a warning about security updates for Go programs.
> > +go-module_pkg_postinst() {
> > +     ewarn "${PN} is written in the Go programming language."
> > +     ewarn "Since this language is statically linked, security"
> > +     ewarn "updates will be handled in individual packages and will be"
> > +     ewarn "difficult for us to track as a distribution."
> > +     ewarn "For this reason, please update any go packages asap when new"
> > +     ewarn "versions enter the tree or go stable if you are running the"
> > +     ewarn "stable tree."
> > +}
> > +
> > +fi
> >
> 
> This word salad is 100% misinformation that gets tangled in itself
> trying to apologize for what we're about to do:
> 
>   * Go is not a "statically linked language." There's gccgo, and as Alec
>     pointed out, the official compiler has supported dynamic linking for
>     years now.
> 
> 
> I'm actually pretty fine with this wording, upstream has said not to
> dynamically link in these use cases.
> 
> 
>   * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
>     trying to make it sound like we haven't thrown people under a bus,
>     but saying "for this reason, please update..." is just misleading.
> 
> Here's what it should say:
> 
>   WARNING: due to a lack of manpower/interest, Go packages on Gentoo
>   are statically linked. Contrary to our existing policies and what
>   the website says, Go packages will never receive any security updates
>   on Gentoo. Use at your own risk!
> 
> 
> So if the package *maintainer* bumps each package every time it, or a
> dep has a security issue; then updating will work fine.
> I'm skeptical go maintainers are volunteering for this though.

There's a script here which helps to automate refresh of commit hashes
in EGO_VENDOR:

https://github.com/hsoft/gentoo-ego-vendor-update

Just now I've used it to refresh vendored dependencies in net-misc/drive:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3993b893d4788beaad945bc82df0f4efd91ce697

-- 
Thanks,
Zac
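Review bot: the quoted hunk defines go-module_pkg_postinst, but no `EXPORT_FUNCTIONS pkg_postinst` line is visible in it, and without that export the phase function is never run for ebuilds that inherit the eclass; if the export lives in a part of the eclass not quoted here, fine, otherwise it needs adding. On the text itself, the objection raised in the thread stands: "please update any go packages asap" only helps when the maintainer bumps each package after one of its vendored dependencies is fixed, so the ewarn lines should say that plainly, e.g. `ewarn "Security fixes in the vendored Go dependencies of ${PN} only arrive via a new ebuild revision,"` followed by `ewarn "so keep ${PN} at the newest version available to you."`, instead of implying that updating on its own closes the gap.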
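The tracking problem the thread describes (each Go package vendors its own dependencies, so a fix in one library has to be re-bumped into every package that vendors it) is easy to make visible with an inverse index over EGO_VENDOR. The script below is an added example written for this page; it is not the hsoft/gentoo-ego-vendor-update script Zac links, nor part of go-module.eclass or of any Gentoo ebuild. It assumes the `"import-path commit [vendor-path]"` entry format used by golang-vcs-snapshot.eclass, and the ebuild fragments and commit hashes in it are constructed placeholders, not real tree content.

```python
"""Inverse index of vendored Go dependencies across ebuilds.

Added example (not part of the mailing-list thread, go-module.eclass, or
the gentoo-ego-vendor-update script): given the EGO_VENDOR arrays of
several ebuilds, answer "which packages must be bumped when this
dependency gets a security fix?" and flag entries that are not pinned to
a full commit hash.

Assumption: EGO_VENDOR entries look like "import/path commit [vendor-path]"
(the golang-vcs-snapshot.eclass format). All sample data is constructed.
"""
import re
from collections import defaultdict

# A bash array assignment EGO_VENDOR=( ... ), possibly spanning lines.
_EGO_VENDOR_RE = re.compile(r'EGO_VENDOR=\((.*?)\)', re.DOTALL)
# Each entry is one double-quoted string inside the array.
_ENTRY_RE = re.compile(r'"([^"]*)"')
# git prints commit hashes as 40 lowercase hex digits.
_FULL_SHA1_RE = re.compile(r'^[0-9a-f]{40}$')


def parse_ego_vendor(ebuild_text):
    """Return a list of (import_path, ref, vendor_path_or_None) tuples."""
    m = _EGO_VENDOR_RE.search(ebuild_text)
    if not m:
        return []
    entries = []
    for raw in _ENTRY_RE.findall(m.group(1)):
        fields = raw.split()
        if len(fields) < 2:
            raise ValueError("malformed EGO_VENDOR entry: %r" % raw)
        import_path, ref = fields[0], fields[1]
        vendor_path = fields[2] if len(fields) > 2 else None
        entries.append((import_path, ref, vendor_path))
    return entries


def is_pinned(ref):
    """True when ref is a full SHA-1 (immutable), not a tag or branch name."""
    return bool(_FULL_SHA1_RE.match(ref))


def build_dependents_index(ebuilds):
    """Map import path -> {package: ref} over a dict of {package: ebuild text}."""
    index = defaultdict(dict)
    for package, text in ebuilds.items():
        for import_path, ref, _vendor_path in parse_ego_vendor(text):
            index[import_path][package] = ref
    return dict(index)


def packages_vendoring(index, import_path):
    """Sorted packages that need a bump/rebuild when import_path is fixed."""
    return sorted(index.get(import_path, {}))


def unpinned_entries(ebuilds):
    """Sorted (package, import_path, ref) for entries not pinned to a commit."""
    bad = []
    for package, text in ebuilds.items():
        for import_path, ref, _vendor_path in parse_ego_vendor(text):
            if not is_pinned(ref):
                bad.append((package, import_path, ref))
    return sorted(bad)


# Constructed sample ebuild fragments; the hashes are placeholders, not real commits.
SAMPLE_EBUILDS = {
    "net-misc/drive": '''
EGO_PN="github.com/odeke-em/drive"
EGO_VENDOR=(
	"github.com/golang/protobuf aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
	"golang.org/x/net bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb github.com/golang/net"
)
''',
    "app-misc/example-tool": '''
EGO_VENDOR=(
	"golang.org/x/net cccccccccccccccccccccccccccccccccccccccc github.com/golang/net"
	"github.com/example/lib v1.2.3"
)
''',
    "app-misc/no-vendor": 'EGO_PN="github.com/example/no-vendor"\n',
}

if __name__ == "__main__":
    idx = build_dependents_index(SAMPLE_EBUILDS)
    for dep in sorted(idx):
        users = ", ".join("%s@%s" % (p, r[:12]) for p, r in sorted(idx[dep].items()))
        print("%s -> %s" % (dep, users))
    for pkg, dep, ref in unpinned_entries(SAMPLE_EBUILDS):
        print("WARNING: %s vendors %s at %r, not a full commit hash" % (pkg, dep, ref))
```

Run directly, it prints for each dependency which sample packages vendor it and at which commit, and warns about the entry pinned to a tag rather than a full commit hash: a tag can be moved, a commit hash cannot, which matters when the hash in the ebuild is the only record of what was actually built into the static binary.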