Hi Fedorians and Gophers, golang 1.18.4 was released a couple days ago. This release has fixes for 9 medium (rated by Red Hat Product Security) CVEs, so I will preform a rebuild in `rawhide` and `f36` to mitigate them[^0]. See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities. [^0]: The golang version is Fedora 35 is EOL upstream, and the maintainers have not yet had a chance to backport the changes. Only packages that provide binaries need to be rebuilt, which will make this rebuild less disruptive. These packages were determined by querying for source packages that BuildRequire `golang` or `go-rpm-macros` and then checking if they provide any binary RPMS that install files in `/usr/bin`, `/usr/sbin`, or `/usr/libexec`. No action will be required from you, unless you'd like your package to receive special treatment regarding merging `rawhide` into `f36`. I plan to handle this rebuild later this week (the week of the 17th). In light of the recent discussion about large updates, I will most likely split this into 4 Bodhi updates per branch (a total of 8; each containing ~100 packages). ## rawhide Here[1] is a list of the affected packages on `rawhide`. [1]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1.18.4/rawhide/lists/all-packages.list ## f36 Here[2] is a list of all of the affected packages on `f36`. However, I have further split this list down into two subgroups. [2]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1.18.4/f36/lists/all-packages.list ### Mergable from Rawhide For these packages[3], `rawhide` was determined to be mergable back to `f36`, as `f36` is up to date with `rawhide`. [3]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1.18.4/f36/lists/mergable.list ### Not mergable These packages were determined to not be mergable[4], as `rawhide` is ahead of (or has otherwise diverged from) `f36`. Therefore, I will create a new rebuild commit and bump the release on `f36`. This will likely cause merge conflicts if you try to merge `rawhide` back into `f36` after this change. Assuming the update would be compatible and comply with the Updates Policy, I can move your package into the other list and merge `rawhide` into `f36`. Please leave a comment on https://pagure.io/GoSIG/go-sig/issue/44 if you would like me to do so. Conversely, if you believe your package is incorrectly in the mergable list, also let me know in the aforementioned ticket. [4]: https://git.sr.ht/~gotmax23/fedora-scripts/tree/main/item/rebuilds/golang_1.18.4/f36/lists/unmergable.list -- Thanks, Maxwell G (@gotmax23) Pronouns: He/Him/His
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
