./lang/go, Meta package providing the current release of the Go language



Branch: CURRENT, Version: 1.23.6, Package name: go-1.23.6, Maintainer: pkgsrc-users

This is a meta package providing the latest release of the Go
programming language that is available for the host system.

The actual Go programming language is provided by packages such as
lang/go111, lang/go110, etc. This package merely allows users to
install "go" instead of having to figure out the exact package name.

No package should depend on this package directly.


Required to run:
[lang/go114]

Required to build:
[pkgtools/cwrappers]


CVS history:


   2025-02-07 11:17:49 by Benny Siegert | Files touched by this commit (4) | Package updated
Log message:
Update go122 to 1.22.12 and go123 to 1.23.6.

This is a security update but it only applies on the ppc64le platform.

These minor releases include 1 security fix following the security policy:

-   crypto/elliptic: timing sidechannel for P-256 on ppc64le

    Due to the usage of a variable time instruction in the assembly
    implementation of an internal function, a small number of bits of secret
    scalars are leaked on the ppc64le architecture. Due to the way this
    function is used, we do not believe this leakage is enough to allow
    recovery of the private key when P-256 is used in any well known
    protocols.

    This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.

   2025-02-06 01:24:37 by Taylor R Campbell | Files touched by this commit (5)
Log message:
lang/go: Add cross-build support.

This adds cross-build support for lang/go123 and for the Go-related
infrastructure in pkgsrc.  (We could do older versions of Go too with
a little more work.)

Noteworthy changes that are not conditional on USE_CROSS_COMPILE:

1. lang/go/version.mk is rearranged to be more data-driven than
   conditional-driven.  Making it data-driven makes it easier to
   define both GOARCH and GOHOSTARCH from the same tables when
   MACHINE_ARCH and NATIVE_MACHINE_ARCH are not the same.

   This is a likely source of broken edge cases.  I went through the
   old conditional logic and hand-checked all the conditions but I
   could have made a mistake.

2. go-module.mk and go-package.mk define GOPATH_BIN to be `bin' for
   native builds, and `bin/${GO_PLATFORM}' for cross builds -- this
   is the subdirectory of GOPATH where the Go toolchain puts binaries
   so that packages with custom do-install targets can avoid any need
   for USE_CROSS_COMPILE conditionals.

   The default do-install targets use pax slightly differently now to
   avoid the need for USE_CROSS_COMPILE conditionals.  I think the
   logic is equivalent for native builds but this is worth reviewing.

3. lang/go123 no longer depends on bash and Perl at runtime.  As far
   as I can tell, this was just a kludge to pacify check-interpreter
   complaints in the copy of the source code that Go ships under
   ${PREFIX}/go123/src.  We don't need to replace the interpreter at
   build-time -- most of these scripts are not run at all during the
   build, and the handful that remain (make.bash, run.bash) are run
   with ${BASH}.  Instead, we CHECK_INTERPRETER_SKIP them in the
   installed copy of the source code.

Proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2025/01/19/msg030395.html

   2025-01-19 20:50:03 by Taylor R Campbell | Files touched by this commit (1)
Log message:
lang/go/version.mk: Use ${TOOLBASE}, not ${PREFIX}, for GO.

This is the command used at compile-time to run the Go toolchain.

Preparation for cross-compiling golang packages.  No change for
native builds because in that case TOOLBASE and PREFIX are the same.

   2025-01-19 20:27:37 by Taylor R Campbell | Files touched by this commit (1)
Log message:
lang/go/bootstrap.mk: Use ${TOOLBASE}, not ${PREFIX}.

Preparation for cross-compiling golang packages.  No change for
native builds because in that case TOOLBASE and PREFIX are the same.

   2025-01-17 11:33:09 by Benny Siegert | Files touched by this commit (4)
Log message:
Update go122 to 1.22.11 and go123 to 1.23.5.

These minor releases include 2 security fixes following the security policy:

- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

  A certificate with a URI which has an IPv6 address with a zone ID may
  incorrectly satisfy a URI name constraint that applies to the certificate
  chain.

  Certificates containing URIs are not permitted in the web PKI, so this
  only affects users of private PKIs which make use of URIs.

  Thanks to Juho Forsén of Mattermost for reporting this issue.

  This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.

- net/http: sensitive headers incorrectly sent after cross-domain redirect

  The HTTP client drops sensitive headers after following a cross-domain
  redirect.  For example, a request to a.com/ containing an
  Authorization header which is redirected to b.com/ will not send that
  header to b.com.

  In the event that the client received a subsequent same-domain
  redirect, however, the sensitive headers would be restored. For
  example, a chain of redirects from a.com/, to b.com/1, and finally to
  b.com/2 would incorrectly send the Authorization header to b.com/2.

  Thanks to Kyle Seely for reporting this issue.

  This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.
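
The redirect chain from the net/http entry above (a.com/ to b.com/1 to b.com/2), as an added Go example that is not part of the commit log or of Go's own source: a CheckRedirect hook that keeps credentials stripped once any hop has left the original host, whichever Go release the client is built with. The names fakeNet, stripOffOrigin and authRecipients are hypothetical, and the in-memory transport and token are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// fakeNet: constructed in-memory network, a.com/ -> b.com/1 -> b.com/2; records who saw the header.
type fakeNet struct{ sawAuth []string }
func (f *fakeNet) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.Header.Get("Authorization") != "" {
		f.sawAuth = append(f.sawAuth, r.URL.String())
	}
	hops := map[string]string{"http://a.com/": "http://b.com/1", "http://b.com/1": "http://b.com/2"}
	resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}, Body: http.NoBody, Request: r}
	if next, ok := hops[r.URL.String()]; ok {
		resp.StatusCode, resp.Header = http.StatusFound, http.Header{"Location": {next}}
	}
	return resp, nil
}

// stripOffOrigin (hypothetical) drops credentials once any hop has left the first request's exact host.
func stripOffOrigin(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // keep the default client's redirect limit
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	for _, hop := range append([]*http.Request{req}, via...) {
		if hop.URL.Hostname() != via[0].URL.Hostname() {
			req.Header.Del("Authorization")
			req.Header.Del("Cookie")
		}
	}
	return nil
}

// authRecipients follows the constructed chain and returns the URLs that received the header.
func authRecipients(check func(*http.Request, []*http.Request) error) ([]string, error) {
	tr := &fakeNet{}
	req, err := http.NewRequest("GET", "http://a.com/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	resp, err := (&http.Client{Transport: tr, CheckRedirect: check}).Do(req)
	if err != nil {
		return nil, err
	}
	return tr.sawAuth, resp.Body.Close()
}
func main() { fmt.Println(authRecipients(stripOffOrigin)) }
```

The hook compares exact hostnames, which is stricter than the client's built-in rule that also lets subdomains of the original host receive the headers.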

   2024-12-06 12:05:48 by Jonathan Perkin | Files touched by this commit (2)
Log message:
go: Set GOTMPDIR.

Go uses TMPDIR for ephemeral objects, but unlike other compilers does not
clean up quickly enough, so even with a reasonably large tmpfs limit of 1G
some package builds can fail due to too many leftover objects.

Use the same directory as GOCACHE and ensure it is created after distfile
extraction.

Tested in a bulk build on SmartOS and confirmed to fix a number of package
builds.  No feedback on proposal to tech-pkg@.

   2024-12-04 19:51:39 by Benny Siegert | Files touched by this commit (4)
Log message:
Update Go to 1.22.10, 1.23.4

go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the
trace command, and the syscall package. See the Go 1.23.4 milestone on our
issue tracker for details.

go1.22.10 (released 2024-12-03) includes fixes to the runtime and the syscall
package. See the Go 1.22.10 milestone on our issue tracker for details.

   2024-11-08 20:46:59 by Benny Siegert | Files touched by this commit (5) | Package updated
Log message:
go: update to 1.22.9 and 1.23.2.

go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and
the net/http, os, and syscall packages. See the Go 1.23.3 milestone on our
issue tracker for details.

go1.22.9 (released 2024-11-06) includes fixes to the linker. See the Go 1.22.9
milestone on our issue tracker for details.