------------------------------------------------------------------- Mon May 2 08:43:22 UTC 2022 - Martin Liška - Remove remaining use of gold linker when bootstrapping with gccgo. The binutils-gold package will be removed in the future. * History: go1.8.3 2017-06-18 added conditional if gccgo defined BuildRequires: binutils-gold for arches other than s390x * No information available why binutils-gold was used initially * Unrelated to upstream recent hardcoded gold dependency for ARM ------------------------------------------------------------------- Tue Apr 12 17:42:46 UTC 2022 - Jeff Kowalczyk - go1.17.9 (released 2022-04-12) includes security fixes to the crypto/elliptic and encoding/pem packages, as well as bug fixes to the linker and runtime. Refs boo#1190649 go1.17 release tracking CVE-2022-24675 CVE-2022-28327 * boo#1198423 go#51853 CVE-2022-24675 * go#52036 encoding/pem: stack overflow * boo#1198424 go#52075 CVE-2022-28327 * go#52076 crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes * go#51736 plugin: tls handshake panic: unreachable method called. linker bug? * go#51696 runtime: some tests fails on Windows with CGO_ENABLED=0 * go#51458 runtime: finalizer call has wrong frame size * go#50611 internal/poll: deadlock in Read on arm64 when an FD is closed ------------------------------------------------------------------- Thu Apr 7 23:57:47 UTC 2022 - Jeff Kowalczyk - Template gcc-go.patch to substitute gcc_go_version and eliminate multiple similar patches each with hardcoded gcc go binary name. gcc-go.patch inserts gcc-go binary name e.g. go-8 to compensate for current lack of gcc-go update-alternatives usage. * add gcc-go.patch * drop gcc6-go.patch * drop gcc7-go.patch ------------------------------------------------------------------- Thu Apr 7 17:51:56 UTC 2022 - Jeff Kowalczyk - For SLE-12 set gcc_go_version to 8 to bootstrap using gcc8-go. gcc6-go and gcc7-go no longer successfully bootstrap go1.17 or go1.18 on SLE-12 aarch64 ppc64le or s390x. * gcc6-go fails with errors e.g. libnoder.a(_go_.o):(.toc+0x0): undefined reference to `__go_pimt__I4_DiagFrN4_boolee3 ------------------------------------------------------------------- Fri Mar 11 23:37:41 UTC 2022 - Jeff Kowalczyk - Add %define go_label as a configurable Go toolchain directory * go_label can be used to package multiple Go toolchains with the same go_api * go_label should be defined as go_api with an optional suffix e.g. %{go_api} or %{go_api}-foo * Default go_label = go_api makes no changes to package layout ------------------------------------------------------------------- Wed Mar 9 17:03:28 UTC 2022 - Dirk Müller - add dont-force-gold-on-arm64.patch (bsc#1183043) - drop binutils-gold dependency ------------------------------------------------------------------- Thu Mar 3 21:51:40 UTC 2022 - Jeff Kowalczyk - go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, and net packages. Refs boo#1190649 go1.17 release tracking CVE-2022-24921 * boo#1196732 go#51112 CVE-2022-24921 * go#51118 regexp: stack overflow (process exit) handling deeply nested regexp * go#51332 cmd/go/internal/modfetch: erroneously resolves a v2+incompatible version when a v2/go.mod file exists * go#51199 cmd/compile: "runtime: bad pointer in frame" in riscv64 with complier optimizations * go#51162 net: use EDNS to increase DNS packet size [freeze exception] * go#50734 runtime/metrics: time histogram sub-bucket ranges are off by a factor of two * go#51000 crypto/x509: invalid RDNSequence: invalid attribute value: unsupported string type: 18 ------------------------------------------------------------------- Fri Feb 18 02:10:17 UTC 2022 - Jeff Kowalczyk - Add missing .bin binary test data to packaging. * Existing test data files added to packaging with mode 644: src/compress/bzip2/testdata/pass-random2.bin src/compress/bzip2/testdata/pass-random1.bin src/debug/dwarf/testdata/line-gcc-win.bin ------------------------------------------------------------------- Thu Feb 10 23:46:55 UTC 2022 - Jeff Kowalczyk - go1.17.7 (released 2022-02-10) includes security fixes to the crypto/elliptic, math/big packages and to the go command, as well as bug fixes to the compiler, linker, runtime, the go command, and the debug/macho, debug/pe, and net/http/httptest packages. Refs boo#1190649 go1.17 release tracking CVE-2022-23806 CVE-2022-23772 CVE-2022-23773 * boo#1195838 go#50974 CVE-2022-23806 * go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements * boo#1195835 go#50699 CVE-2022-23772 * go#50701 math/big: Rat.SetString may consume large amount of RAM and crash * boo#1195834 go#35671 CVE-2022-23773 * go#50687 cmd/go: do not treat branches with semantic-version names as releases * go#50942 cmd/asm: "compile: loop" compiler bug? * go#50867 cmd/compile: incorrect use of CMN on arm64 * go#50812 cmd/go: remove bitbucket VCS probing * go#50781 runtime: incorrect frame information in traceback traversal may hang the process. * go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error * go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg * go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch * go#50297 cmd/link: does not set section type of .init_array correctly * go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of "plugin" Package ------------------------------------------------------------------- Thu Jan 6 20:38:08 UTC 2022 - Jeff Kowalczyk - go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages. Refs boo#1190649 go1.17 release tracking * go#50165 crypto/x509: error parsing large ASN.1 identifiers * go#50073 runtime: race detector SIGABRT or SIGSEGV on macOS Monterey * go#49961 reflect: segmentation violation while using html/template * go#49921 x/net/http2: http.Server.WriteTimeout does not fire if the http2 stream's window is out of space. * go#49413 cmd/compile: internal compiler error: Op...LECall and OpDereference have mismatched mem * go#48116 runtime: mallocs cause "base outside usable address space" panic when running on iOS 14 ------------------------------------------------------------------- Thu Dec 9 17:31:00 UTC 2021 - Jeff Kowalczyk - go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. Refs boo#1190649 go1.17 release tracking CVE-2021-44716 CVE-2021-44717 * boo#1193598 go#50057 CVE-2021-44717 * go#50067 syscall: don’t close fd 0 on ForkExec error * boo#1193597 go#50058 CVE-2021-44716 * go#50065 net/http: limit growth of header canonicalization cache ------------------------------------------------------------------- Fri Dec 3 02:15:02 UTC 2021 - Jeff Kowalczyk - go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. Refs boo#1190649 go1.17 release tracking * go#49911 x/net/http2: frequent failures in TestClientConnCloseAtBody * go#49909 x/net/ipv6: TestPacketConnReadWriteMulticast{UDP,ICMP} failing with "i/o timeout" on OpenBSD 6.8 and 7.0 * go#49905 x/net/http2: Client doesn't send body until ExpectContinueTimeout expires * go#49868 syscall: ntdll.dll errors in rtlGetNtVersionNumbers via os.StartProcess * go#49729 runtime: "fatal error: unexpected signal during runtime execution" in cmd/go tests on darwin-amd64-race running macOS 12.0 * go#49662 x/net/http2: TestUnreadFlowControlReturned_Server failures with stream error "NO_ERROR" since 2021-10-05 * go#49624 net/http: Possible HTTP/2 busy loop regression in Go 1.17.3 * go#49568 net/http: server responds with Transfer-Encoding: identity * go#49561 x/net/http2: setting Request.Close doesn't close TCP connections * go#49559 net/http: HTTP/2 response body Close method sometimes returns spurious context cancelation error (1.17.3 regression) * go#49511 cmd/compile: init info of OAS node in a select case is being dropped * go#49479 runtime: "morestack on g0" in x/perf/storage/app on windows/arm64 * go#49407 time: ParseInLocation error * go#49392 cmd/compile: internal compiler error: Expand calls interface data problem * go#49369 runtime: time goes backwards on windows-arm64 (frequent TestGcLastTime failures) * go#49129 cmd/compile: internal compiler error: can't find source for b12->b4: v31 = MOVBload v14 v1 : DX * go#48825 go/types, types2: stack overflow in hasVarSize for invalid type ------------------------------------------------------------------- Thu Nov 4 21:23:39 UTC 2021 - Jeff Kowalczyk - go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. Refs boo#1190649 go1.17 release tracking CVE-2021-41771 CVE-2021-41772 * boo#1192377 go#48990 CVE-2021-41771 * go#48992 debug/macho: invalid dynamic symbol table command can cause panic * boo#1192378 go#48085 CVE-2021-41772 * go#48252 archive/zip: Reader.Open panics on empty string * go#49199 cmd/go: go list all breaks in //go:build-only repos * go#49154 misc/wasm, cmd/link: Go 1.17.2 causes WASM builds to throw command line too long with many environment variables * go#49086 cmd/link: -buildmode=pie -linkshared panic at runtime * go#49077 x/net/http2: backport critical fixes * go#49010 net,runtime: apparent deadlock in (*net.conn).Close and runtime.netpollblock on arm64 platforms * go#48823 x/net/http2: client can hang forever if headers' size exceeds connection's buffer size and server hangs past request time * go#48650 x/net/http2: pool deadlock * go#48479 cmd/compile: 64 bits shifts on arm get wrong results * go#48475 cmd/compile: incorrect arm/arm64 simplification rules * go#48075 syscall: SysProcAttr{ NoInheritHandles: true } broken in 1.17 on Windows ------------------------------------------------------------------- Fri Oct 8 00:41:43 UTC 2021 - Jeff Kowalczyk - go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go command, and to the time and text/template packages. Refs boo#1190649 go1.17 release tracking CVE-2021-38297 * boo#1191468 go#48797 CVE-2021-38297 * go#48800 security: fix CVE-2021-38297 misc/wasm, cmd/link: do not let command line args overwrite global data * go#48561 cmd/compile: unsafe.Add bug when adding uint8 value to a pointer * go#48444 text/template: should t.init() be executed before t.muTmpl.Lock() in AddParseTree() method? * go#48177 time: output does not respect comma as millisecond separator * go#47859 time: timer reset sometimes ignored, causing delayed ticks * go#47756 cmd/go: mod tidy -go=1.17 should move indirect dependencies to the second require part ------------------------------------------------------------------- Fri Sep 10 02:44:03 UTC 2021 - Jeff Kowalczyk - go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. Refs boo#1190649 go1.17 release tracking CVE-2021-39293 * boo#1190589 go#47801 CVE-2021-39293 * go#47986 archive/zip: overflow in preallocation check can cause OOM panic * go#48156 cmd/go: get panics with "can't find reason for requirement on" * go#48102 cmd/compile: panic during export method expression * go#48082 go/types: panic in error reporting for invalid use of "init" * go#47857 cmd/go: module dependencies not updated with go get -u in 1.17 * go#47854 go/types: incorrect type reported for comma-err C functions (manifests itself in IDEs) * go#47814 crypto/rand: getentropy is not available on iOS * go#47782 cmd/link: wrong dynamic linker path when cross-compiling to OpenBSD * go#47754 embed: 1.17 rejects types with underlying type []byte * go#47692 x/net/http2: server sends RST_STREAM w/ PROTOCOL_ERROR to clients it incorrectly believes have violated max advertised num streams ------------------------------------------------------------------- Tue Aug 17 22:34:51 UTC 2021 - Jeff Kowalczyk - go1.17 (released 2021-08-16) is a major release of Go. go1.17.x minor releases will be provided through August 2022. https://github.com/golang/go/wiki/Go-Release-Cycle Most changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Refs boo#1190649 go1.17 release tracking * See release notes https://golang.org/doc/go1.17. Excerpts relevant to OBS environment and for SUSE/openSUSE follow: * The compiler now implements a new way of passing function arguments and results using registers instead of the stack. Benchmarks for a representative set of Go packages and programs show performance improvements of about 5%, and a typical reduction in binary size of about 2%. This is currently enabled for Linux, macOS, and Windows on the 64-bit x86 architecture (the linux/amd64, darwin/amd64, and windows/amd64 ports). This change does not affect the functionality of any safe Go code and is designed to have no impact on most assembly code. * When the linker uses external linking mode, which is the default when linking a program that uses cgo, and the linker is invoked with a -I option, the option will now be passed to the external linker as a -Wl,--dynamic-linker option. * The runtime/cgo package now provides a new facility that allows to turn any Go values to a safe representation that can be used to pass values between C and Go safely. See runtime/cgo.Handle for more information. * ARM64 Go programs now maintain stack frame pointers on the 64-bit ARM architecture on all operating systems. Previously, stack frame pointers were only enabled on Linux, macOS, and iOS. * Pruned module graphs in go 1.17 modules: If a module specifies go 1.17 or higher, the module graph includes only the immediate dependencies of other go 1.17 modules, not their full transitive dependencies. To convert the go.mod file for an existing module to Go 1.17 without changing the selected versions of its dependencies, run: go mod tidy -go=1.17 By default, go mod tidy verifies that the selected versions of dependencies relevant to the main module are the same versions that would be used by the prior Go release (Go 1.16 for a module that specifies go 1.17), and preserves the go.sum entries needed by that release even for dependencies that are not normally needed by other commands. The -compat flag allows that version to be overridden to support older (or only newer) versions, up to the version specified by the go directive in the go.mod file. To tidy a go 1.17 module for Go 1.17 only, without saving checksums for (or checking for consistency with) Go 1.16: go mod tidy -compat=1.17 Note that even if the main module is tidied with -compat=1.17, users who require the module from a go 1.16 or earlier module will still be able to use it, provided that the packages use only compatible language and library features. The go mod graph subcommand also supports the -go flag, which causes it to report the graph as seen by the indicated Go version, showing dependencies that may otherwise be pruned out. * Module deprecation comments: Module authors may deprecate a module by adding a // Deprecated: comment to go.mod, then tagging a new version. go get now prints a warning if a module needed to build packages named on the command line is deprecated. go list -m -u prints deprecations for all dependencies (use -f or -json to show the full message). The go command considers different major versions to be distinct modules, so this mechanism may be used, for example, to provide users with migration instructions for a new major version. * go get -insecure flag is deprecated and has been removed. To permit the use of insecure schemes when fetching dependencies, please use the GOINSECURE environment variable. The -insecure flag also bypassed module sum validation, use GOPRIVATE or GONOSUMDB if you need that functionality. See go help environment for details. * go get prints a deprecation warning when installing commands outside the main module (without the -d flag). go install cmd@version should be used instead to install a command at a specific version, using a suffix like @latest or @v1.2.3. In Go 1.18, the -d flag will always be enabled, and go get will only be used to change dependencies in go.mod. * go.mod files missing go directives: If the main module's go.mod file does not contain a go directive and the go command cannot update the go.mod file, the go command now assumes go 1.11 instead of the current release. (go mod init has added go directives automatically since Go 1.12.) If a module dependency lacks an explicit go.mod file, or its go.mod file does not contain a go directive, the go command now assumes go 1.16 for that dependency instead of the current release. (Dependencies developed in GOPATH mode may lack a go.mod file, and the vendor/modules.txt has to date never recorded the go versions indicated by dependencies' go.mod files.) * vendor contents: If the main module specifies go 1.17 or higher, go mod vendor now annotates vendor/modules.txt with the go version indicated by each vendored module in its own go.mod file. The annotated version is used when building the module's packages from vendored source code. If the main module specifies go 1.17 or higher, go mod vendor now omits go.mod and go.sum files for vendored dependencies, which can otherwise interfere with the ability of the go command to identify the correct module root when invoked within the vendor tree. * Password prompts: The go command by default now suppresses SSH password prompts and Git Credential Manager prompts when fetching Git repositories using SSH, as it already did previously for other Git password prompts. Users authenticating to private Git repos with password-protected SSH may configure an ssh-agent to enable the go command to use password-protected SSH keys. * go mod download: When go mod download is invoked without arguments, it will no longer save sums for downloaded module content to go.sum. It may still make changes to go.mod and go.sum needed to load the build list. This is the same as the behavior in Go 1.15. To save sums for all modules, use: go mod download all * The go command now understands //go:build lines and prefers them over // +build lines. The new syntax uses boolean expressions, just like Go, and should be less error-prone. As of this release, the new syntax is fully supported, and all Go files should be updated to have both forms with the same meaning. To aid in migration, gofmt now automatically synchronizes the two forms. For more details on the syntax and migration plan, see https://golang.org/design/draft-gobuild. * go run now accepts arguments with version suffixes (for example, go run example.com/cmd@v1.0.0). This causes go run to build and run packages in module-aware mode, ignoring the go.mod file in the current directory or any parent directory, if there is one. This is useful for running executables without installing them or without changing dependencies of the current module. * The format of stack traces from the runtime (printed when an uncaught panic occurs, or when runtime.Stack is called) is improved. * TLS strict ALPN: When Config.NextProtos is set, servers now enforce that there is an overlap between the configured protocols and the ALPN protocols advertised by the client, if any. If there is no mutually supported protocol, the connection is closed with the no_application_protocol alert, as required by RFC 7301. This helps mitigate the ALPACA cross-protocol attack. As an exception, when the value "h2" is included in the server's Config.NextProtos, HTTP/1.1 clients will be allowed to connect as if they didn't support ALPN. See issue go#46310 for more information. * crypto/ed25519: The crypto/ed25519 package has been rewritten, and all operations are now approximately twice as fast on amd64 and arm64. The observable behavior has not otherwise changed. * crypto/elliptic: CurveParams methods now automatically invoke faster and safer dedicated implementations for known curves (P-224, P-256, and P-521) when available. Note that this is a best-effort approach and applications should avoid using the generic, not constant-time CurveParams methods and instead use dedicated Curve implementations such as P256. The P521 curve implementation has been rewritten using code generated by the fiat-crypto project, which is based on a formally-verified model of the arithmetic operations. It is now constant-time and three times faster on amd64 and arm64. The observable behavior has not otherwise changed. * crypto/tls: The new Conn.HandshakeContext method allows the user to control cancellation of an in-progress TLS handshake. The provided context is accessible from various callbacks through the new ClientHelloInfo.Context and CertificateRequestInfo.Context methods. Canceling the context after the handshake has finished has no effect. Cipher suite ordering is now handled entirely by the crypto/tls package. Currently, cipher suites are sorted based on their security, performance, and hardware support taking into account both the local and peer's hardware. The order of the Config.CipherSuites field is now ignored, as well as the Config.PreferServerCipherSuites field. Note that Config.CipherSuites still allows applications to choose what TLS 1.0–1.2 cipher suites to enable. The 3DES cipher suites have been moved to InsecureCipherSuites due to fundamental block size-related weakness. They are still enabled by default but only as a last resort, thanks to the cipher suite ordering change above. Beginning in the next release, Go 1.18, the Config.MinVersion for crypto/tls clients will default to TLS 1.2, disabling TLS 1.0 and TLS 1.1 by default. Applications will be able to override the change by explicitly setting Config.MinVersion. This will not affect crypto/tls servers. * crypto/x509: CreateCertificate now returns an error if the provided private key doesn't match the parent's public key, if any. The resulting certificate would have failed to verify. * crypto/x509: The temporary GODEBUG=x509ignoreCN=0 flag has been removed. * crypto/x509: ParseCertificate has been rewritten, and now consumes ~70% fewer resources. The observable behavior has not otherwise changed, except for error messages. * crypto/x509: Beginning in the next release, Go 1.18, crypto/x509 will reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015. * go/build: The new Context.ToolTags field holds the build tags appropriate to the current Go toolchain configuration. * net/http package now uses the new (*tls.Conn).HandshakeContext with the Request context when performing TLS handshakes in the client or server. * syscall: On Unix-like systems, the process group of a child process is now set with signals blocked. This avoids sending a SIGTTOU to the child when the parent is in a background process group. * time: The new Time.IsDST method can be used to check whether the time is in Daylight Savings Time in its configured location. * time: The new Time.UnixMilli and Time.UnixMicro methods return the number of milliseconds and microseconds elapsed since January 1, 1970 UTC respectively. * time: The new UnixMilli and UnixMicro functions return the local Time corresponding to the given Unix time. ------------------------------------------------------------------- Thu Aug 12 20:48:30 UTC 2021 - Jeff Kowalczyk - Add bash scripts used by go tool commands to provide a more complete cross-compiling go toolchain install. * Fixes "go tool dist list" error "all.bash does not exist" * Added to packaging: /usr/lib64/go/1.17/lib/time/update.bash (already packaged) /usr/lib64/go/1.17/src/all.bash /usr/lib64/go/1.17/src/bootstrap.bash /usr/lib64/go/1.17/src/buildall.bash /usr/lib64/go/1.17/src/clean.bash /usr/lib64/go/1.17/src/cmp.bash /usr/lib64/go/1.17/src/make.bash /usr/lib64/go/1.17/src/race.bash /usr/lib64/go/1.17/src/run.bash /usr/share/go/1.17/src/all.bash /usr/share/go/1.17/src/bootstrap.bash /usr/share/go/1.17/src/buildall.bash /usr/share/go/1.17/src/clean.bash /usr/share/go/1.17/src/cmd/compile/internal/ssa/gen/cover.bash /usr/share/go/1.17/src/cmd/vendor/golang.org/x/sys/windows/mkerrors.bash /usr/share/go/1.17/src/cmd/vendor/golang.org/x/sys/windows/mkknownfolderids.bash /usr/share/go/1.17/src/cmp.bash /usr/share/go/1.17/src/internal/trace/mkcanned.bash /usr/share/go/1.17/src/make.bash /usr/share/go/1.17/src/race.bash /usr/share/go/1.17/src/run.bash ------------------------------------------------------------------- Mon Aug 2 21:31:24 UTC 2021 - Jeff Kowalczyk - go1.17rc2 (released 2021-08-02) is a release candidate version of go1.17 cut from the master branch at the revision tagged go1.17rc2. ------------------------------------------------------------------- Tue Jul 13 22:47:16 UTC 2021 - Jeff Kowalczyk - go1.17rc1 (released 2021-07-13) is a release candidate version of go1.17 cut from the master branch at the revision tagged go1.17rc1. ------------------------------------------------------------------- Thu Jun 10 17:43:40 UTC 2021 - Jeff Kowalczyk - go1.17beta1 (released 2021-06-10) is a beta version of go1.17 cut from the master branch at the revision tagged go1.17beta1.