./lang/go, The Go programming language

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.9.1, Package name: go-1.9.1, Maintainer: bsiegert

The Go programming language is an open source project to make
programmers more productive.

Go is expressive, concise, clean, and efficient. Its concurrency
mechanisms make it easy to write programs that get the most out of
multicore and networked machines, while its novel type system enables
flexible and modular program construction. Go compiles quickly to
machine code yet has the convenience of garbage collection and the power
of run-time reflection. It's a fast, statically typed, compiled language
that feels like a dynamically typed, interpreted language.


Required to run:
[lang/perl5] [shells/bash]

Required to build:
[pkgtools/cwrappers] [lang/go14]

Master sites:

SHA1: 87cf0af3820834faeb6e63b035a1abae1f5b60b3
RMD160: eaff2b7bdd386e6e36175a0fb5f9fb019c7fd3b8
Filesize: 15993.848 KB

Version history: (Expand)


CVS history: (Expand)


   2017-10-06 20:38:25 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
Update Go to 1.9.1 (security fix).

Two security-related issues were recently reported.
To address this issue, we have just released Go 1.8.4 and Go 1.9.1.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the "go get" command into executing \ 
arbitrary
code. The go command now refuses to use version control checkouts found inside
other version control systems, with an exception for git submodules (git inside
git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only over
authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also
send credentials on non-TLS connections when the remote server advertises that
PLAIN authentication is supported. The change was meant to allow use of PLAIN
authentication on localhost, but it has the effect of allowing a
man-in-the-middle attacker to harvest credentials. PlainAuth now requires
either TLS or a localhost connection before sending credentials, regardless of
what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.
   2017-10-04 12:03:53 by Jonathan Perkin | Files touched by this commit (2)
Log message:
go*: Disable SSP checks for similar reasons as RELRO.
   2017-09-03 18:49:52 by Matthias Scheler | Files touched by this commit (1)
Log message:
Use bsdtar instead of GNU Tar to extract the distribution archive
as suggested by wizd(8) in private e-mail
   2017-09-03 15:40:19 by Matthias Scheler | Files touched by this commit (1)
Log message:
Use GNU Tar to extract the distribution archive because at least
NetBSD (8.99.2)'s "/bin/tar" fails to handle the extented headers
and extracts files into the wrong directory. This in turn least
to package list problems during the installation phase.
   2017-09-03 09:12:08 by Benny Siegert | Files touched by this commit (8) | Package updated
Log message:
Update Go to 1.9.

The latest Go release, version 1.9, arrives six months after Go 1.8 and
is the tenth release in the Go 1.x series. There are two changes to the
language: adding support for type aliases and defining when
implementations may fuse floating point operations. Most of the changes
are in the implementation of the toolchain, runtime, and libraries. As
always, the release maintains the Go 1 promise of compatibility. We
expect almost all Go programs to continue to compile and run as before.

The release adds transparent monotonic time support, parallelizes
compilation of functions within a package, better supports test helper
functions, includes a new bit manipulation package, and has a new
concurrent map type.

There are some instabilities on FreeBSD that are known but not
understood. These can lead to program crashes in rare cases. See issue
15658. Any help in solving this FreeBSD-specific issue would be
appreciated.

Go stopped running NetBSD builders during the Go 1.9 development cycle
due to NetBSD kernel crashes, up to and including NetBSD 7.1. As Go 1.9
is being released, NetBSD 7.1.1 is being released with a fix. However,
at this time we have no NetBSD builders passing our test suite. Any help
investigating the various NetBSD issues would be appreciated.
   2017-07-22 21:32:41 by Thomas Klausner | Files touched by this commit (10)
Log message:
Sprinkle CHECK_RELRO_SKIP on go packages.

go14 has no relro support AFAICT.

go-1.8.3 has if you use -buildmode=pie, but it claims it's not supported
on Linux.

Disable relro checking for go packages until bsiegert has time to
look at this.
   2017-05-25 11:24:21 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update Go to 1.8.3, a non-security release.

This release includes fixes to the compiler, runtime, documentation, and the
database/sql package.
    https://golang.org/doc/devel/release.html#go1.8.minor

It also includes the security fix to the crypto/elliptic package from Go 1.8.2.
   2017-05-25 11:06:43 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
SECURITY: Update Go to 1.8.2, fixing CVE-2017-8932,
carry bug in x86-64 P-256.

A security-related issue was recently reported in Go's crypto/elliptic package.
To address this issue, we have just released Go 1.7.6 and Go 1.8.2.

The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare
for reporting the issue and providing a fix.

The issue affects Go's P-256 implementation on the 64-bit x86 architecture.

This is CVE-2017-8932 and was addressed by this change:
https://golang.org/cl/41070, tracked in this issue:
https://golang.org/issue/20040