On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <mjo@gentoo.org> wrote:

> On 9/16/19 10:17 AM, William Hubbs wrote:
> > +
> > +# @FUNCTION: go-module_pkg_postinst
> > +# @DESCRIPTION:
> > +# Display a warning about security updates for Go programs.
> > +go-module_pkg_postinst() {
> > +     ewarn "${PN} is written in the Go programming language."
> > +     ewarn "Since this language is statically linked, security"
> > +     ewarn "updates will be handled in individual packages and will be"
> > +     ewarn "difficult for us to track as a distribution."
> > +     ewarn "For this reason, please update any go packages asap when
> new"
> > +     ewarn "versions enter the tree or go stable if you are running the"
> > +     ewarn "stable tree."
> > +}
> > +
> > +fi
> >
>
> This word salad is 100% misinformation that gets tangled in itself
> trying to apologize for what we're about to do:
>
>   * Go is not a "statically linked language." There's gccgo, and as Alec
>     pointed out, the official compiler has supported dynamic linking for
>     years now.
>

I'm actually pretty fine with this wording, upstream has said not to
dynamically link in these use cases.


>
>   * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
>     trying to make it sound like we haven't thrown people under a bus,
>     but saying "for this reason, please update..." is just misleading.
>
> Here's what it should say:
>
>   WARNING: due to a lack of manpower/interest, Go packages on Gentoo
>   are statically linked. Contrary to our existing policies and what
>   the website says, Go packages will never receive any security updates
>   on Gentoo. Use at your own risk!


So if the package *maintainer* bumps each package every time it, or a dep
has a security issue; then updating will work fine.
I'm skeptical go maintainers are volunteering for this though.

-A