FS#61522 - Security issues when upgrading go package

Attached to Project: Arch Linux
Opened by Joel Sevilleja (jsevilleja) - Thursday, 24 January 2019, 18:47 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 24 January 2019, 18:59 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hi,

When some package depends on go for building (for example gitea), go includes all the referenced libraries in the resulting static binary. This means that if gitea (or any other go-related software) makes use of vulnerable code included in the go package, the vulnerability will be included in gitea, and it will persist when the go package gets upgraded.

In order to solve this, Arch Linux maintainers should recompile all packages depending on go when go gets an upgrade. As far as I know, this is the behavior distributions like Gentoo are following.


Closed by Eli Schwartz (eschwartz)
Thursday, 24 January 2019, 18:59 GMT
Reason for closing: Not a bug
Additional comments about closing: We already do this and don't need a bug report to tell us how to do procedural, non-package-related workflow issues.

Yes, we are aware of how static libraries work.
Comment by Morten Linderud (Foxboron) - Thursday, 24 January 2019, 18:56 GMT
Yes. But rebuilding everything is tedious when you can parse the dependencies of modules and figure out the subset of packages that do need this. This is why `go list -f` is handy.

This is already being worked on along with an advisory for go.
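One way to find that subset on an already built system, as an added example that is not code from Arch or from anyone in this thread: instead of `go list -f` over package sources, it reads the toolchain version and module list that the Go linker embeds in each binary (the same data `go version -m` prints) and flags binaries built by a toolchain older than the fixed one, or linking a named module below a fixed version. It assumes Go 1.18 or later for the `debug/buildinfo` package; the simplified version ordering is this example's own assumption, not Go's.

```go
package main

import (
	"debug/buildinfo"
	"runtime/debug"
	"strconv"
	"strings"
)

// versionLess reports whether a is older than b ("go1.11.4" or "v1.2.3" style).
func versionLess(a, b string) bool {
	x, y := versionParts(a), versionParts(b)
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// versionParts strips the "go"/"v" prefix and any "-"/"+" suffix (pre-release,
// pseudo-version), so v0.0.0-2019...-abc compares as v0.0.0: good enough to
// flag a binary for rebuild, not to prove that a fix is present.
func versionParts(v string) (out [3]int) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	v = strings.SplitN(strings.SplitN(v, "-", 2)[0], "+", 2)[0]
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return
}

// NeedsRebuild: the binary was linked by a toolchain older than fixedGo, or it
// embeds module vulnMod at a version below fixedMod ("" skips either check).
func NeedsRebuild(bi *debug.BuildInfo, fixedGo, vulnMod, fixedMod string) bool {
	if fixedGo != "" && versionLess(bi.GoVersion, fixedGo) {
		return true
	}
	for _, d := range bi.Deps {
		if d.Replace != nil { // a replace directive decides what was really linked
			d = d.Replace
		}
		if d.Path == vulnMod && versionLess(d.Version, fixedMod) {
			return true
		}
	}
	return false
}

// ScanBinary reads the build info the linker embeds in a Go executable; the
// Deps list exists only for module-aware builds, older binaries have none.
func ScanBinary(path, fixedGo, vulnMod, fixedMod string) (bool, error) {
	bi, err := buildinfo.ReadFile(path)
	return err == nil && NeedsRebuild(bi, fixedGo, vulnMod, fixedMod), err
}
```

Run it over `/usr/bin/*` after a go security update with the fixed toolchain version as `fixedGo`; anything that returns true is a package that still carries the old code.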