From: Alec Warner
To: Gentoo Dev <gentoo-dev@lists.gentoo.org>
Date: Wed, 18 Sep 2019 11:04:31 -0700
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
In-Reply-To: <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org>
References: <20190916141719.12922-1-williamh@gentoo.org> <20190916141719.12922-2-williamh@gentoo.org> <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org>

On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky <mjo@gentoo.org> wrote:
> On 9/16/19 10:17 AM, William Hubbs wrote:
> > +
> > +# @FUNCTION: go-module_pkg_postinst
> > +# @DESCRIPTION:
> > +# Display a warning about security updates for Go programs.
> > +go-module_pkg_postinst() {
> > +     ewarn "${PN} is written in the Go programming language."
> > +     ewarn "Since this language is statically linked, security"
> > +     ewarn "updates will be handled in individual packages and will be"
> > +     ewarn "difficult for us to track as a distribution."
> > +     ewarn "For this reason, please update any go packages asap when new"
> > +     ewarn "versions enter the tree or go stable if you are running the"
> > +     ewarn "stable tree."
> > +}
> > +
> > +fi
> >
>
> This word salad is 100% misinformation that gets tangled in itself
> trying to apologize for what we're about to do:
>
>   * Go is not a "statically linked language." There's gccgo, and as Alec
>     pointed out, the official compiler has supported dynamic linking for
>     years now.
>

I'm actually pretty fine with this wording; upstream has said not to
dynamically link in these use cases.

>
>   * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
>     trying to make it sound like we haven't thrown people under a bus,
>     but saying "for this reason, please update..." is just misleading.
>
> Here's what it should say:
>
>   WARNING: due to a lack of manpower/interest, Go packages on Gentoo
>   are statically linked. Contrary to our existing policies and what
>   the website says, Go packages will never receive any security updates
>   on Gentoo. Use at your own risk!

So if the package *maintainer* bumps each package every time it, or a dep,
has a security issue, then updating will work fine.

I'm skeptical go maintainers are volunteering for this though.

-A

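Review bot: the ewarn text in go-module_pkg_postinst misstates both the cause and the remedy, and the remedy is the part users will act on. "Since this language is statically linked" attributes linking to Go itself; what produces static binaries is the toolchain default and the upstream build recommendation, so "Go packages on Gentoo are statically linked" is accurate where the current wording is not. More importantly, "please update any go packages asap when new versions enter the tree" implies that updating is what delivers a fix, whereas a fix in a vulnerable Go dependency only reaches the user once every package that bundles that dependency has been rebuilt and bumped by its maintainer; the message should say so explicitly, e.g. "security fixes in Go libraries only reach you when each package that bundles them is rebumped", so that users know that an unchanged package version means an unfixed binary. A smaller point: this warning fires on every install and upgrade of every Go package, so consider emitting it only on a fresh install so it is not lost in routine upgrade noise.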
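One check that follows from this exchange, as an added example that is not part of the thread or of go-module.eclass: because the binaries are statically linked, a user or maintainer can list the module versions compiled into each installed Go binary with `go version -m` (Go 1.13 and later) and flag those bundling a dependency older than the fixed version, which are exactly the packages that need a rebuild and bump rather than a plain update. The sample output, binary paths, module names, versions and sums below are constructed.

```python
# Parses `go version -m <binary>...` output (Go 1.13 and later), which lists the
# module versions compiled into a Go binary, and reports binaries whose copy of
# a module is older than the version carrying the fix.

# Constructed sample of `go version -m /usr/bin/foo /usr/bin/bar` output
# (paths, module names, versions and h1: sums are all made up).
SAMPLE = """\
/usr/bin/foo: go1.13
\tpath\texample.com/foo
\tmod\texample.com/foo\tv1.2.0\th1:AAAA=
\tdep\tgolang.org/x/crypto\tv0.0.0-20190308221718-c2843e01d9a2\th1:BBBB=
/usr/bin/bar: go1.13
\tpath\texample.com/bar
\tmod\texample.com/bar\tv0.9.1\th1:CCCC=
\tdep\tgolang.org/x/crypto\tv0.0.0-20190701000000-abcdef123456\th1:DDDD=
\tdep\tgithub.com/pkg/errors\tv0.8.1\th1:EEEE=
"""

def parse_go_version_m(text):
    """Map binary path -> {module path: embedded version}."""
    mods, binary, last = {}, None, None
    for line in text.splitlines():
        if not line.startswith("\t"):          # "/usr/bin/foo: go1.13"
            binary = line.rsplit(":", 1)[0]
            mods[binary] = {}
            continue
        f = line.strip("\t").split("\t")
        if binary is None or len(f) < 3:       # "path" line or dir replace
            continue
        if f[0] in ("mod", "dep"):             # mod|dep <path> <version> <sum>
            last = f[1]
            mods[binary][last] = f[2]
        elif f[0] == "=>" and last:            # replace directive wins
            mods[binary][last] = f[2]
    return mods

def semver_key(v):
    """Ordering close to Go's semver rules: a pseudo-version like
    v0.0.0-20190308221718-c2843e01d9a2 is a pre-release of its base version."""
    core, _, pre = v.lstrip("v").partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    return (major, minor, patch, 0 if pre else 1, pre)

def affected_binaries(text, module, fixed):
    """(binary, embedded version) pairs that bundle `module` older than `fixed`."""
    found = []
    for binary, mods in parse_go_version_m(text).items():
        have = mods.get(module)
        if have and semver_key(have) < semver_key(fixed):
            found.append((binary, have))
    return found
```

Against a real system, pass the stdout of `go version -m` run over the installed binaries to `affected_binaries`; every binary it lists stays vulnerable until its package is rebuilt against the fixed module.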