Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[staging] go: upgrade bootstrap to 1.18 #241776

Closed
wants to merge 1 commit into from
Closed

[staging] go: upgrade bootstrap to 1.18 #241776

wants to merge 1 commit into from

Conversation

fabianhjr
Copy link
Member

@fabianhjr fabianhjr commented Jul 5, 2023
edited
Loading

Description of changes

Current 1.16/1.17 bootstrapping dates to at least before

3cc18bf48940 (zowoq 2022-10-01 13:01:18 +1000  20)   goBootstrap = buildPackages.callPackage ./bootstrap117.nix { };

Changes vulnix entries from:

/nix/store/mlwdpc0q6bzpaw58hb8pbliwqzphpd7k-go-1.17.13-linux-amd64-bootstrap.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-24538    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-24540    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29402    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29404    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29405    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29403    7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-2879     7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-2880     7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-27664    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41715    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41716    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41720    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41722    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41723    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41724    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41725    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24534    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24536    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24537    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24539    7.3
https://nvd.nist.gov/vuln/detail/CVE-2023-29400    7.3
https://nvd.nist.gov/vuln/detail/CVE-2022-41717    5.3
https://nvd.nist.gov/vuln/detail/CVE-2023-24532    5.3

/nix/store/5cp8vadr1pjn7im6wmbh50av592ljh1s-go-1.18.10-linux-amd64-bootstrap.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-24538    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-24540    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29402    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29404    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29405    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-29403    7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-41722    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41723    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41724    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-41725    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24534    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24536    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24537    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24539    7.3
https://nvd.nist.gov/vuln/detail/CVE-2023-29400    7.3
https://nvd.nist.gov/vuln/detail/CVE-2023-24532    5.3

Addresses

7,12d6
< https://nvd.nist.gov/vuln/detail/CVE-2022-2879     7.5
< https://nvd.nist.gov/vuln/detail/CVE-2022-2880     7.5
< https://nvd.nist.gov/vuln/detail/CVE-2022-27664    7.5
< https://nvd.nist.gov/vuln/detail/CVE-2022-41715    7.5
< https://nvd.nist.gov/vuln/detail/CVE-2022-41716    7.5
< https://nvd.nist.gov/vuln/detail/CVE-2022-41720    7.5
22d15
< https://nvd.nist.gov/vuln/detail/CVE-2022-41717    5.3
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@fabianhjr fabianhjr added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 5, 2023
@fabianhjr
Copy link
Member Author

Tested with ipfs/kubo and keybase.

Causes the following rebuilds

2404 packages updated 
2404 packages updated:
2fa 3mux aaaaxy abbreviate acme-dns acorn act actionlint adb-sync-unstable adbfs-rootless-unstable addlicense adl adreaper adrgen aerc age age-plugin-tpm-unstable agebox agi agola aiac ain air alertmanager alertmanager-bot alertmanager-irc-relay algolia-cli ali alice-lg align aliyun-cli allmark alpnpass alps alterx amass amazon-ecr-credential-helper amazon-ecs-agent amazon-ssm-agent amfora android-tools anew ani-cli antibody apcupsd-exporter apko apptainer apptainer appvm-unstable aptly apx archiver arduino-ci arduino-cli arduino-language-server arduinoOTA argo argo-rollouts argocd argocd-autopilot argocd-vault-plugin arkade arrow-cpp arrow-glib arsenal artifactory_exporter ascii-image-converter asciigraph asmfmt asnmap asouldocs assh assign-lb-ip atlantis atmos atomic-swap auth0-cli authelia authz0 AutomaticComponentToolkit autorestic autospotting-unstable avalanchego aviator aws-assume-role aws-env aws-iam-authenticator aws-lambda-runtime-interface-emulator aws-nuke aws-rotate-key aws-s3-exporter aws-sso-cli aws-sso-creds aws-vault awsls awsrm awsweeper azure-storage-azcopy babelfish badrobot base16-universal-manager bat-extras-prettybat bazel-buildtools bazel-gazelle bazel-kazel bazel-remote bazel-watcher bazelisk bearer bee bee-clef bee-unstable benthos berglas bettercap bind_exporter bingo bird-exporter bird-lg birdwatcher bismuth bit blackbox_exporter bloat-unstable blockbook blocky bluetuith bluewalker bob bodyclose boltbrowser bom bombadillo bombardier bomber-go boohu booster boringssl bosh-cli bosun-unstable boulder bpfmon brev-cli brig brillo brook browserpass browsh browsr btcd buf buf-language-server-unstable buildah buildah-wrapper buildkit buildkit-nix buildkite-agent buildkite-agent-metrics buildkite-cli buildsrht bump bundix bunnyfetch butane butler cabal2nix caddy cadvisor caeml-unstable caffe caffe caffe caffe calico-apiserver calico-app-policy calico-cni-plugin calico-kube-controllers calico-pod2daemon calico-typha calicoctl calyx-vpn cameradar captive-browser-unstable carapace cariddi cassowary catnip cayley cdk-go celeste ceph ceph ceph-client ceph-csi certgraph certigo certmgr certmgr certstrap cf-terraforming cf-vault cfssl cgiserver chain-bench chamber changelogger changetower changie chaos charliecloud charm chart-testing chatgpt chatgpt-retrieval-plugin-unstable cheat check-unstable checkip checkmake checkmate chezmoi chisel chopchop chroma cidrgrep-unstable cilium-cli circleci-cli circumflex cirrus-cli cirrusgo civo clair clash clash-meta clash-verge claws clematis cli53 cliam clickhouse-backup cliphist clipman clipqr cloud-nuke cloud-sql-proxy cloudbrute cloudcompare cloudflare-exporter cloudflared cloudfoundry-cli cloudfox cloudlist cloudmonkey clusterctl cmctl cni cni-plugin-dnsname cni-plugin-flannel cni-plugins cnspec cobra-cli cockroach cod code-generator codeberg-pages codeowners coder codesearch codespelunker cointop colima collectd-exporter compile-daemon confd confd-calico confluencepot conform conftest consul consul-alerts consul-template consul_exporter containerd containerlab containerpilot controller-tools convoy copilot-cli cordless coredns corerad coreth cosign coyim coze crate2nix crc crd2pulumi credential-detector credhub-cli cri-o cri-o-wrapper cri-tools crlfuzz croc crowdsec crun crystal2nix cshatag csvdiff csvq ctlptl ctop ctpv cue cuelsp curlie cw cyclonedx-gomod d2 dae dagger dalfox damon-unstable dapper dapr-cli darkman darktile dart-sass dart-sass-embedded dasel dashing databricks-sql-cli datadog-agent datadog-process-agent datree dave dblab dbmate dbx dcrctl dcrd dcrwallet dcs-unstable dde-api dde-control-center dde-daemon dde-dock dde-file-manager dde-network-core dde-session-ui ddosify deadcode-unstable dec-decode-unstable deck deckmaster deepin-desktop-schemas deepin-pw-check deepin-screen-recorder deepin-system-monitor deepin-wallpapers deepsea deltachat-desktop delve demoit-unstable dep dep2nix-unstable desync devbox devd-unstable devspace dex dgoss dgraph didder direnv dirstalk discordo-unstable diskrsync dismap dismember distribution distrobuilder dive dnscontrol dnscrypt-proxy2 dnsmasq_exporter dnsmon-go-unstable dnsmonster dnsproxy dnstake dnsx do-agent docker docker docker-buildx docker-compose docker-credential-gcr docker-credential-helpers docker-gc-unstable docker-ls docker-machine-kvm docker-machine-kvm2 docker-proxy-unstable docker-slim dockfmt-unstable dockle docopts doctl docui documize-community doggo dolt domain-exporter dontgo403 doppler dorkscout dovecot_exporter driftctl drive drone-cli drone-runner-docker drone-runner-exec-unstable drone-runner-ssh-unstable drone.io drone.io-oss dsq dstask dstp duckling-proxy duf duplicacy dwarf2json-unstable dyff earlybird earthly easeprobe easyjson easyocr ec2-metadata-mock echoip-unstable eclint editorconfig-checker efm-langserver eget ejson ejson2env eks-node-viewer eksctl element elfinfo elvish emacs-lsp-bridge emoji-picker emptty enc endlessh-go ent-go entwine-unstable enumer enumerepo envconsul envoy envsubst ergo erigon eris-go errcheck esbuild esbuild etcd etcd ets evans evcc evmdis-unstable exercism exhaustive exoscale-cli expenses exportarr extrude f1viewer f2 faas-cli fac falcoctl fan2go faraday fastly fastly-exporter fdroidcl feed2imap-go felix ferretdb fetchit ffuf fiano filebeat filebrowser filegive-unstable filtron fingerprintx fioctl firectl fishplugin-fzf.fish fishplugin-wakatime-fish fission fits-cloudctl flannel flex-ncat flex-ndax flintlock flow-exporter fluxcd fluxctl fly flyctl fn fontpreview forgejo fq frangipanni freeze frei frigate fritzbox-exporter-unstable frp frugal fscan fscrypt fsql fulcio func fwanalyzer fx fzf fzf-git-sh-unstable fzf-zsh-unstable galene galer GameNetworkingSockets garble gatekeeper gau gauge gci gcsfuse gdal gdal gdal gdlv gdm gdrive gdu geek-life gemget geoipupdate gg-scm gh gh-actions-cache gh-dash gh-eco gh-markdown-preview gh-ost ghorg ghostunnel ghq ghr ghz ginkgo girsh git-annex-remote-rclone git-appraise-unstable git-bug git-bug-migration git-chglog git-codereview git-credential git-credential-gopass git-credential-oauth git-hound git-lfs git-sizer git-subtrac git-team git-town gitaly gitbatch gitea gitea-actions-runner github-backup github-commenter github-release gitjacker gitlab-ci-pipelines-exporter gitlab-container-registry gitlab-elasticsearch-indexer gitlab-pages gitlab-runner gitlab-shell gitlab-workhorse gitleaks gitls gitmux gitsign gitsrht gitty gjo glab glide gllvm glock glooctl glow gmailctl gmnitohtml gmt gnostic gnss-share go go go go-audit go-autoconfig-unstable go-bindata go-bindata-assetfs-unstable go-callvis go-camo go-chromecast go-containerregistry go-containerregistry go-containerregistry go-cqhttp go-cve-search go-dork go-ethereum go-exploitdb go-gir-generator go-graft go-jet go-jira go-jsonnet go-junit-report go-libp2p-daemon go-license-detector go-licenses go-md2man go-migrate go-minimock go-mockery go-mod-graph-chart go-mtpfs go-musicfox go-neb-unstable go-org go-outline-unstable go-protobuf go-rice go-sct-unstable go-shadowsocks2 go-swag go-swagger go-symbols go-task go-thumbnailer go-toml go-tools go2nix go2rtc go2tv go2tv-lite go365 goa goawk gobetween gobgp gobgpd goblob gobuster gocode-gomod gocode-unstable goconst goconvey gocryptfs gocyclo goda godef godns godspeed-unstable godu goeland gof5 goflow goflow2 gofu-unstable gofumpt gogetdoc-unstable gogs gohai-unstable goimapnotify gojq gojsontoyaml gokart golangci-lint golangci-lint-langserver golines golint-unstable gomacro gomapenum gomatrix gomi gomodifytags gomplate gomuks gonic goofys-unstable goose gopacked gopass gopass-hibp gopass-jsonapi gopass-summon-provider gopatch gophernotes gopkgs gopls gops gopsuinfo gore goredo goreleaser goreman goreplay goresym gortr gosec gosh gospider goss gossa gost gostatic gosu gotags gotemplate gotest gotestfmt gotests gotestsum gotestwaf gotify-cli gotify-server gotktrix-unstable gotools gotop gotosocial gotraceui gotrue gotrue gotty gotypist govc govendor govers-unstable goverview govulncheck-unstable gowitness gox gplates gpt2tc gqlgenc grafana grafana-agent grafana-dash-n-grab grafana-loki grafterm granted graphite-exporter grass grit grobi gron grpc-client-cli grpc-gateway grpcui grpcurl grype gsctl gst gtkcord4 gtree guardian-agent gucci guest-agent gum gut gvisor gvproxy gx gx-go-unstable hakrawler haproxy_exporter harmonist hashi-up hasmail-unstable hasura hcl2json hcledit hclfmt hcloud hd-idle headscale heartbeat hecate-unstable helm helm-cm-push helm-dashboard helm-diff helm-docs helm-ls helm-s3 helm-secrets helmfile helmsman hercules-ci-agent hercules-ci-cli hetzner-kube hey hgsrht hilbish hiraeth hishtory hivemind hjson-go hockeypuck holo-build hologram homeassistant-test-environment_canada honeycomb-refinery honeytrap-unstable honk hostctl hostess hound hover htmltest httpdump-unstable httplab httpref httprobe httpx hub-unstable hubble hugo humioctl hut hydron hydroxide hyperledger-fabric hyprspace hysteria iam-policy-json-to-terraform iamy ibus-bamboo iferr-unstable ignite ijq imaginary img imgcat imgcrypt imgproxy immudb impl ineffassign-unstable influx-cli influxdb influxdb influxdb2 influxdb_exporter infra infracost inframap intensity-normalization interactsh interlock invidious-unstable ipfs-cluster ipfs-upload-client ipget ipinfo ipmi_exporter ipp-usb irccat ircdog istioctl itd ivpn ivpn-service ivy jaeles janus-gateway jcli jd-diff-patch jellycli jfrog-cli jid jiq jira-cli-go jitsiexporter jmespath jobber joker jp jqp jsluice-unstable json-plot json2hcl jsonfmt jsonnet-bundler jsonnet-language-server jsubfinder-unstable juicefs juju jump jumppad junos-czerwonk-exporter jwt-hack jwx jx k0sctl k2tf k3d k3s k3s k3s k3s k3sup k6 k8sgpt k9s kaf kafkactl kail kakplugin-fzf-kak kaniko kapacitor kapowbang kapp kappanhang karma karmor katana kaufkauflist kbfs kbst kcli kconf kdigger kepubify keybase keycard-cli keylight-controller-mschneider82 keylight-exporter keysmith kfctl kfilt khoj kicli kics kiln kind kiterunner kitty kluctl kn ko kompose konf konstraint kontemplate kool kopia kops kops kops kpt kratos krelay krew krunvm kt kthxbye ktop ktunnel kube-bench kube-capacity kube-linter kube-prompt kube-router kube-score kubeaudit kubebuilder kubecfg kubeclarity kubecm kubecolor kubeconform kubectl kubectl kubectl-cnpg kubectl-doctor kubectl-evict-pod kubectl-example kubectl-gadget kubectl-images kubectl-ktop kubectl-tree kubectl-view-secret kubectx kubedb-cli kubedog kubefirst kubelogin kubelogin kubemq-community kubemqctl kubent kubeone kubeprompt kubepug kubergrunt kubernetes kubernetes-helm kubernetes-metrics-server kubernetes-polaris kubescape kubeseal kubesec kubeshark kubespy kubestroyer kubeswitch kubetail kubeval kubevirt kubexit kubo kubo-migrator kubo-migrator kubo-migrator-all-fs-repo-migrations kuma kuma-cp kuma-dp kuma-experimental kuma-prometheus-sd kumactl kustomize kustomize-sops kustomize_3 kuttl kyverno lab labctl lazydocker lazygit ldapnomnom leaps lefthook legit legitify lego lemonade-unstable lenpaste levant lf lib3mf libgen-cli libLAS librarian-puppet-go librclone librespeed-cli libretranslate license-cli license-scanner licenseclassifier lifecycled lightning-loop lightning-pool lightwalletd ligolo-ng lima limesctl linkerd-edge linkerd-stable linuxkit linx-server-unstable listmonk listssrht litefs litestream livedl-unstable livepeer llama lmp lnch-unstable lnd lndconnect lndhub-go lndmon-unstable localtime-unstable loccount log4j-sniffer log4j-vuln-scanner lokalise2-cli ls-lint luarocks-nix-unstable luarocks-nix-unstable luarocks-nix-unstable luarocks-nix-unstable luarocks-nix-unstable lux lwc-unstable lxd machine mackerel-agent maddy madonctl mage magnetico-unstable mailexporter MailHog maker-panel maligned-unstable mangal mani manifest-tool mantra mapcache mapcidr mapnik-unstable MapProxy mapserver marathonctl mark massren matrix-corporal matrix-dendrite matrix-sliding-sync matterbridge matterircd mattermost mautrix-whatsapp mbtileserver mdr mediamtx meek melt meme-image-generator memos merkaartor mermerd mesos-dns metabigor metal-cli metasrht metricbeat mgmt-unstable micro microplane mikrotik-exporter-unstable miller mimir minecraft-server-hibernation minica miniflux minify minikube minio minio minio-certgen minio-client minio-exporter minishift mirrorbits mkcert mlflow mm mmake mmark mmctl mmv-go mnc moar mob mockgen mod modd-unstable modemmanager-exporter mods mod_tile mole molly-brown-unstable mongo-tools monsoon mop moq morph morty-unstable motion mozillavpn mpd-mpris mqtt-benchmark mtail mtr-exporter mubeng muffet mullvad multus-cni murex mustache-go mutagen mutagen-compose mx-takeover mycorrhiza mynewt-newt mynewt-newtmgr mysql-workbench mysqld_exporter naabu nali nap napari nar-serve nasmfmt-unstable nats-server nats-streaming-server nats-top natscli navi navidrome nc4nix-unstable ncdns-unstable nebula neo-cowsay nerdctl netassert netbird netbird netdata netdata-go-plugins netlify-cli netmaker netmaker nex-unstable nextdns nexttrace nfpm nginx-sso nginxlog_exporter nginx_exporter nix-build-uncached nix-prefetch-docker nix-prefetch-git nix-prefetch-scripts nix-store-gcs-proxy nix-update nix-update-source nixops-dns nixos-gsettings-desktop-schemas nkeys nmap-formatter nncp node-problem-detector node_exporter NoiseTorch nomad nomad nomad nomad nomad nomad-autoscaler nomad-driver-podman nomad-pack norouter nosqli notary notation noti notify nova npins nsc nsq ntfy-sh nuclei nut-exporter nvfetcher nvidia-docker nvidia-podman nwg-bar nwg-dock nwg-dock-hyprland nwg-drawer nwg-menu nwg-panel oak oapi-codegen oauth2-proxy oauth2c obfs4 obs-cli obs-teleport ocaml4.14.1-fzf ocaml4.14.1-ligo oci-seccomp-bpf-hook ocm octave octosql odo oh oh-my-posh oil-buku okta-aws-cli okteto olaris-server-unstable ome-zarr oneshot onionshare onionshare-cli onmetal-image ooniprobe-cli opcr-policy open-in-mpv open-policy-agent openai openldap_exporter OpenOrienteering-Mapper openring openrisk openscad openshift opensmtpd-filter-rspamd opensnitch opensoldat-unstable opentelemetry-collector opentelemetry-collector-contrib openvpn_exporter-unstable operator-sdk ops oras orbiton org-stats oshka ossutil ostree-rs-ext osv-detector osv-scanner otel-cli otpauth ots oui out-of-tree ov overmind owncast pachyderm pack packer packet packetbeat packr packwiz-unstable paco pacproxy pagessrht pam_ussh-unstable papeer paperlike-go-unstable paraview parquet-tools passage-unstable passphrase2pgp pathvector payload-dumper-go pbgopy pcp pcstat pdal pdfcpu pebble peco pentestgpt-unstable perkeep perl5.34.1-Tirex perl5.36.0-Tirex peroxide pet pgcenter pgmetrics pgo-client pgweb pg_featureserv pg_flame pg_tileserv phantomsocks-unstable phlare photofield photon-unstable photoprism php-fpm_exporter phrase-cli phylactery pigeon pihole-exporter piknik pingu pinniped pipework pistol pixiecore pkger pkgtop plasma-vault plik plikd pluto pms-unstable pocketbase podgrab-unstable podman podman-tui pomerium pomerium-cli popeye popura portal portunus postfix_exporter postgis postgis postgis postgis postgis postgis postgis postgis postgis postgis postgis postgres_exporter pot powerline-go pprof-unstable pre-commit prefetch-yarn-deps pretender prism pritunl-client process-compose process-exporter prom2json prometheus prometheus-json-exporter prometheus-nats-exporter prometheus-nextcloud-exporter prometheus-packet-sd prometheus-xmpp-alerts prometheus_varnish_exporter promql-cli promscale promtail prosody-filer-unstable proto-contrib protoc-gen-connect-go protoc-gen-doc protoc-gen-entgrpc protoc-gen-go protoc-gen-go-grpc protoc-gen-go-vtproto protoc-gen-twirp protoc-gen-twirp_php protoc-gen-twirp_swagger-unstable protoc-gen-twirp_typescript-unstable protoc-gen-validate protolint protolock protonmail-bridge protoscope-unstable prototool prow-unstable proxify pscale pufferpanel pulsarctl pulumi pulumi-aws-native pulumi-azure-native pulumi-command pulumi-language-go pulumi-language-nodejs pulumi-language-python pulumi-random pulumictl pup-unstable pushgateway pv-migrate pwdsafety python3.10-accelerate python3.10-anthropic python3.10-apache-beam python3.10-aplpy python3.10-argos-translate-files python3.10-argostranslate python3.10-arviz python3.10-autofaiss python3.10-awswrangler python3.10-bambi python3.10-baselines python3.10-batchgenerators python3.10-boxx python3.10-bpycv python3.10-bsuite python3.10-cartopy python3.10-casa-formats-io python3.10-cleanlab python3.10-clifford python3.10-ctranslate2 python3.10-dalle-mini python3.10-dask python3.10-dask-awkward python3.10-dask-gateway python3.10-dask-gateway-server python3.10-dask-glm python3.10-dask-image python3.10-dask-jobqueue python3.10-dask-ml python3.10-dask-mpi python3.10-databricks-sql-connector python3.10-datafusion python3.10-datasets python3.10-datashader python3.10-db-dtypes python3.10-devito python3.10-diagrams python3.10-distrax python3.10-distributed python3.10-django-bootstrap4 python3.10-dm-sonnet python3.10-dremel3dpy python3.10-easyocr python3.10-edward python3.10-elegy python3.10-embedding-reader python3.10-env-canada python3.10-evaluate python3.10-fastai python3.10-faster-whisper python3.10-fiona python3.10-flax python3.10-folium python3.10-geopandas python3.10-glymur python3.10-google-cloud-bigquery python3.10-gpt python3.10-handout python3.10-ibis-framework python3.10-imagecorruptions python3.10-imageio python3.10-imgaug python3.10-intake python3.10-intake-parquet python3.10-intensity-normalization python3.10-ipwhl python3.10-jupyter-repo2docker python3.10-k-diffusion python3.10-langchain python3.10-libretranslate python3.10-lime python3.10-manifest-ml python3.10-mask-rcnn python3.10-mlflow python3.10-mmcv python3.10-mmengine python3.10-moviepy python3.10-mung-unstable python3.10-muscima-unstable python3.10-n3fit python3.10-napari python3.10-napari-console python3.10-napari-svg python3.10-nats-py python3.10-nbdev python3.10-numpyro python3.10-ome-zarr python3.10-omrdatasettools python3.10-optuna python3.10-osmnx python3.10-pandas-stubs python3.10-peft python3.10-pims python3.10-plotnine python3.10-pot python3.10-psd-tools python3.10-pulumi python3.10-pulumi-aws python3.10-pulumi-aws-native python3.10-pulumi-azure-native python3.10-pulumi-command python3.10-pulumi-random python3.10-pyarrow python3.10-pyFFTW python3.10-pyfzf python3.10-pygmt python3.10-pymc python3.10-python-mapnik-unstable python3.10-pyvista python3.10-qiskit python3.10-qiskit-machine-learning python3.10-rasterio python3.10-recordlinkage python3.10-rlax python3.10-scikit-image python3.10-scikit-tda python3.10-sentence-transformers python3.10-sfepy python3.10-shap python3.10-skrl python3.10-slicedimage python3.10-spacy python3.10-spacy-loggers python3.10-spacy-transformers python3.10-sparse python3.10-spectral-cube python3.10-sphinx-intl python3.10-stanza python3.10-streamz python3.10-stumpy python3.10-stytra python3.10-sunpy python3.10-tensorflow python3.10-tensorflow python3.10-tensorflow python3.10-tensorflow-datasets python3.10-tensorflow-gpu python3.10-tensorflow_probability python3.10-test-tube python3.10-textacy python3.10-textnets python3.10-tflearn python3.10-tifffile python3.10-tokenizers python3.10-transformers python3.10-translatehtml python3.10-treex python3.10-trfl python3.10-umap-learn python3.10-vqgan-jax-unstable python3.10-wandb python3.10-whisper python3.10-wktutils python3.10-worldengine python3.10-zcs python3.11-anthropic python3.11-apache-beam python3.11-aplpy python3.11-autofaiss python3.11-awswrangler python3.11-batchgenerators python3.11-bsuite python3.11-cartopy python3.11-casa-formats-io python3.11-dask python3.11-dask-gateway python3.11-dask-gateway-server python3.11-dask-image python3.11-dask-jobqueue python3.11-dask-mpi python3.11-databricks-sql-connector python3.11-datafusion python3.11-datasets python3.11-db-dtypes python3.11-devito python3.11-diagrams python3.11-distributed python3.11-django-bootstrap4 python3.11-dremel3dpy python3.11-embedding-reader python3.11-env-canada python3.11-evaluate python3.11-fiona python3.11-folium python3.11-geopandas python3.11-glymur python3.11-google-cloud-bigquery python3.11-handout python3.11-ibis-framework python3.11-imagecorruptions python3.11-imageio python3.11-imgaug python3.11-intake python3.11-intake-parquet python3.11-intensity-normalization python3.11-ipwhl python3.11-jupyter-repo2docker python3.11-lime python3.11-mlflow python3.11-moviepy python3.11-mung-unstable python3.11-muscima-unstable python3.11-napari-console python3.11-napari-svg python3.11-nats-py python3.11-nbdev python3.11-ome-zarr python3.11-omrdatasettools python3.11-osmnx python3.11-pims python3.11-plotnine python3.11-psd-tools python3.11-pulumi python3.11-pulumi-aws python3.11-pyarrow python3.11-pyFFTW python3.11-pyfzf python3.11-pygmt python3.11-python-mapnik-unstable python3.11-pyvista python3.11-rasterio python3.11-recordlinkage python3.11-scikit-image python3.11-slicedimage python3.11-spectral-cube python3.11-sphinx-intl python3.11-streamz python3.11-sunpy python3.11-tifffile python3.11-tokenizers python3.11-transformers python3.11-wktutils python3.11-worldengine pytrainer q qbec qc qemu qgis qgis qmapshack qmk qovery-cli qrcp qsyncthingtray quarto quarto quicktemplate quorum qv2ray-unstable r53-ddns rabbitmq_exporter rabtap radioboat rain rakkess ran rancher rare ratt-unstable rclone rdap redis_exporter redli redpanda-rpk reflex refmt reftools-unstable reg regclient regclient regclient regclient rekor-cli rekor-server relic remote-touchpad renderizer reporter reposurgeon repro-get reproxy resgate restic restic-rest-server restique-unstable reviewdog revive rhoas richgo rime-cli riseup-vpn rke rke2 rmapi rmfakecloud robustirc-bridge rootlesskit round routedns roxctl rqlite rtl_433-exporter rtx ruler run runc runitor runme rymdport s5 s5cmd sachet safe saga samba saml2aws sammler sampler sbctl scaleway-cli scalr-cli scc scilla scip scmpuff scorecard scrcpy script_exporter sd-local sdlookup-unstable seaweedfs secrets-extractor secretscanner sem semver senpai sensu-go-agent sensu-go-backend sensu-go-cli senv seqkit serf sftpgo shadowfox shadowsocks-v2ray-plugin shell2http shellhub-agent shelly_exporter shellz shfmt shhgit shiori shopify-themekit shopware-cli sift signaldctl simplehttp2server simplotask sing-box sing-geoip sing-geosite singularity-ce singularity-ce sipexer sish skaffold skate skeema skopeo skydns-unstable slack-term sleep-on-lan slides slsa-verifier smartctl_exporter smokeping_prober smug snet-unstable snis_launcher-unstable snmp_exporter snowcat snowcrash-unstable snowflake soft-serve soju sonobuoy sops spacevim sparkleshare speedtest-exporter speedtest-go speedtest_exporter spicedb spicetify-cli spicy spire spire spire spruce-unstable sptlrx spyre sq sqlc sqlcmd sqls sql_exporter src-cli srtrelay ssb ssh-chat ssh-key-confirmer ssh-to-age ssh-to-pgp sshchecker sshed sshocker sshportal sshs ssm-session-manager-plugin ssmsh starboard starboard-octant-plugin starcharts starlark-unstable startdde statik statsd_exporter stayrtr stc steampipe step-ca step-cli step-kms-plugin stern storrent-unstable streamlit stripe-cli stuffbin styx subfinder subjs Subtitlr summon sumo sunpaper supabase-cli superd surfboard_exporter svu sway-launcher-desktop swaynag-battery swego swiftpm2nix sx-go syft symfony-cli syncthing syncthing-discovery syncthing-relay syncthing-tray SystemdJournal2Gelf-unstable systemd_exporter systrayhelper-unstable sysz t-rex tailer tailscale tailscale-systray tailspin talosctl tanka tar2ext4 taro tarsum tartube tartube tasktimer tbls tcat tcping-go-unstable tdfgo-unstable tea teensy-loader-cli tegola tektoncd-cli telegraf teleport teleport telepresence2 teler teller tempo temporal temporal-cli temporalite tendermint tensorflow termdbms-unstable terminal-parrot termshark terracognita terraform terraform-backend-git terraform-docs terraform-inventory terraform-ls terraform-lsp terraform-plugin-test terraform-provider-aci terraform-provider-acme terraform-provider-age terraform-provider-aiven terraform-provider-akamai terraform-provider-alicloud terraform-provider-ansible terraform-provider-archive terraform-provider-argocd terraform-provider-auth0 terraform-provider-avi terraform-provider-aviatrix terraform-provider-aws terraform-provider-azuread terraform-provider-azurerm terraform-provider-azurestack terraform-provider-baiducloud terraform-provider-bigip terraform-provider-bitbucket terraform-provider-brightbox terraform-provider-buildkite terraform-provider-checkly terraform-provider-ciscoasa terraform-provider-cloudamqp terraform-provider-cloudflare terraform-provider-cloudfoundry terraform-provider-cloudinit terraform-provider-cloudscale terraform-provider-constellix terraform-provider-consul terraform-provider-ct terraform-provider-datadog terraform-provider-dhall terraform-provider-digitalocean terraform-provider-dme terraform-provider-dns terraform-provider-dnsimple terraform-provider-docker terraform-provider-elasticsearch terraform-provider-equinix terraform-provider-exoscale terraform-provider-external terraform-provider-fastly terraform-provider-flexibleengine terraform-provider-fly terraform-provider-fortios terraform-provider-gandi terraform-provider-github terraform-provider-gitlab terraform-provider-google terraform-provider-google-beta terraform-provider-googleworkspace terraform-provider-grafana terraform-provider-gridscale terraform-provider-hcloud terraform-provider-helm terraform-provider-heroku terraform-provider-hetznerdns terraform-provider-htpasswd terraform-provider-http terraform-provider-huaweicloud terraform-provider-huaweicloudstack terraform-provider-hydra terraform-provider-ibm terraform-provider-icinga2 terraform-provider-infoblox terraform-provider-jetstream terraform-provider-kafka terraform-provider-kafka-connect terraform-provider-keycloak terraform-provider-kubectl terraform-provider-kubernetes terraform-provider-launchdarkly terraform-provider-libvirt terraform-provider-linode terraform-provider-linuxbox terraform-provider-local terraform-provider-lxd terraform-provider-mailgun terraform-provider-matchbox terraform-provider-metal terraform-provider-minio terraform-provider-mongodbatlas terraform-provider-namecheap terraform-provider-netlify terraform-provider-newrelic terraform-provider-nomad terraform-provider-ns1 terraform-provider-null terraform-provider-nutanix terraform-provider-oci terraform-provider-okta terraform-provider-oktaasa terraform-provider-opennebula terraform-provider-openstack terraform-provider-opentelekomcloud terraform-provider-opsgenie terraform-provider-ovh terraform-provider-pagerduty terraform-provider-pass terraform-provider-postgresql terraform-provider-powerdns terraform-provider-rabbitmq terraform-provider-rancher2 terraform-provider-random terraform-provider-remote terraform-provider-rundeck terraform-provider-scaleway terraform-provider-secret terraform-provider-selectel terraform-provider-sentry terraform-provider-shell terraform-provider-signalfx terraform-provider-skytap terraform-provider-snowflake terraform-provider-sops terraform-provider-spotinst terraform-provider-stackpath terraform-provider-statuscake terraform-provider-sumologic terraform-provider-tailscale terraform-provider-talos terraform-provider-tencentcloud terraform-provider-tfe terraform-provider-thunder terraform-provider-time terraform-provider-tls terraform-provider-triton terraform-provider-turbot terraform-provider-ucloud terraform-provider-utils terraform-provider-vault terraform-provider-vcd terraform-provider-venafi terraform-provider-vpsadmin terraform-provider-vra7 terraform-provider-vsphere terraform-provider-vultr terraform-provider-wavefront terraform-provider-yandex terraformer terragrunt terrascan tewisay-unstable textql-unstable tf-summarize tf2pulumi tfautomv tfk8s tflint tflint-ruleset-aws tfplugindocs tfsec tfswitch tfupdate tgpt tgswitch thanos thefuck the_platinum_searcher threatest ticker tidb tile38 tilt timer timescaledb-parallel-copy timescaledb-tune timew-sync-server tinygo tlsx tml tmsu tmuxplugin-extrakto-unstable tmuxplugin-fuzzback-unstable tmuxplugin-tmux-fzf-unstable todoist todosrht toolbox topfew topicctl torq toxiproxy tracee traefik traefik-certs-dumper traitor tran transifex-cli trayscale trdl-client trezor-suite trezord-go trickster trillian trivy trufflehog tsukae-unstable ttchat tts tty-share tubekit tubekit tun2socks turbo turbogit tut twitch-cli txtpbfmt-unstable tz ua-unstable uchess udig udocker udpx ultrablue-server-unstable-fosdem2023 ultralist umoci unconvert-unstable uncover undocker unflac unfurl uni unifiedpush-common-proxies unipicker unpackerr unparam-unstable unpoller up upbound update-nix-fetchgit update-python-libraries upower-notify-unstable upterm urlhunter uroboros usql utahfs v2ray-core v2ray-domain-list-community v2ray-exporter v2ray-geoip v2raya vale vals vault vault-medusa vcluster vegeta velero vencord vencord vendir verifpal versus vexctl vgrep vhs VictoriaMetrics viddy vikunja-api vimplugin-direnv.vim vimplugin-fzf vimplugin-fzf-hoogle.vim vimplugin-fzf-lua vimplugin-fzf.vim vimplugin-openscad.nvim vimplugin-telescope-zoxide vimplugin-vim-fzf-coauthorship vimplugin-vim-go vimplugin-vim-hexokinase vimplugin-vim-zettel vimplugin-YouCompleteMe vimplugin-zoxide.vim visidata vitess vmagent vndr-unstable vouch-proxy vpv vscode-extension-foxundermoon-shell-format vscode-extension-hashicorp-terraform vscode-extension-rust-analyzer vsh vt-cli vultr vultr-cli waf-tester wails waitron-unstable wakapi wakatime wal-g wallutils wally-cli wander wayback waypoint wazero weave-gitops webanalyze webcat-unstable webcord webdav webhook websocketd webwormhole-unstable wego werf wesher wgcf wgo whisper whisper-ctranslate2 windmill wire wireguard-go wireproxy wishlist witness woodpecker-agent woodpecker-cli woodpecker-pipeline-transform woodpecker-server wormhole-william wp4nix wprecon wrap writefreely wtf wuzz wyoming-faster-whisper xc xcaddy XD xdg-ninja xe-guest-utilities xmloscopy xmonad-log xray xteve xurls yai yajsv yaml2json yamlfmt yarn2nix yarr yascreen yatas ycmd-unstable ydict yeetgif yggdrasil yj ymuse yor yq-go ytarchive-unstable ytcast ytfzf ytt yubihsm-connector yubikey-agent yubikey-touch-detector zabbix-agent2 zabbix-agent2 zabbixctl-unstable zarf zdns zed zed zfs-prune-snapshots zfsbackup-unstable zfs_exporter zfxtop zgrab2-unstable zincsearch zk zkar zlint zoekt-unstable zoxide zrepl zsh-forgit zsh-history

@ofborg ofborg bot requested a review from qbit July 5, 2023 23:39
@mweinelt mweinelt added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Jul 7, 2023
@zowoq
Copy link
Contributor

zowoq commented Jul 9, 2023

@ofborg build go_1_18.tests go_1_19.tests go_1_20.tests

@SuperSandro2000
Copy link
Member

SuperSandro2000 commented Jul 9, 2023
edited
Loading

darwin is failing, as almost all the time when targeting staging, due to a missing lvm in cache which times out when building from source on ofborg.

@vcunat
Copy link
Member

vcunat commented Jul 10, 2023

Are you sure about the "security" label? The bootstrap compiler should only be used during... bootstrapping, so the main security impact should be dropping CVEs from outputs of tools like vulnix?

@qbit
Copy link
Contributor

qbit commented Jul 10, 2023

This has strong "checking a box" feels for me. I looked at a couple of the 9.8'ers and I am pretty sure they aren't applicable to any of the code in the Go tree..

Is there more information about where it's impacted? Perhaps govulncheck can be used to look?

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.

@zowoq
Copy link
Contributor

zowoq commented Jul 10, 2023

Yeah, agree there isn't any benefit from this but didn't really have any technical reasons to reject it.

@kirillrdy
Copy link
Member

I also wanted to change bootstrap version but I stopped after reading golang/go#44505

it contains reasoning for not adopting 1.18 as bootstrap for 1.20

also current master still uses 1.17 as bootstrap
https://github.com/golang/go/blob/master/src/make.bash#L77

that being said, I don't object this PR

@fabianhjr
Copy link
Member Author

This has strong "checking a box" feels for me. I looked at a couple of the 9.8'ers and I am pretty sure they aren't applicable to any of the code in the Go tree..

Honestly yeah a bit of anxiety from having those listed in my vulnix --system result pushed me to propose this PR more so than an exploitable vulnerability. UnU

As for why 1.18 that is the minimum version still supported on Nix and recently EOLed so that major version wont be updating often. (Different from 1.19/1.20 still receiving patch releases)

I also wanted to change bootstrap version but I stopped after reading golang/go#44505

I would say that is no longer applicable since 1.18 is EOL (and would hope most issues were fixed) + self bootstrapping of go upstream has stronger assurance requirements (trusting trust) than nix binary bootstrapping not part of stdenv (trusted binary to compile the upstream compiler that is not further used to keep bootstrapping)

@fabianhjr fabianhjr removed the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 11, 2023
@qbit
Copy link
Contributor

qbit commented Jul 11, 2023

Here is the result of a recent (wink wink, nudge nudge #242640) govulncheck run:

qbit@europa[0]:~/src/xin(main); ./result/bin/govulncheck -mode=binary $(which go)
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using [email protected] with vulnerability data from https://vuln.go.dev (last modified 2023-07-06 20:13:13 +0000 UTC).

Scanning your binary for known vulnerabilities...

qbit@europa[0]:~/src/xin(main);

As for why 1.18 that is the minimum version still supported on Nix and recently EOLed so that major version wont be updating often. (Different from 1.19/1.20 still receiving patch releases)

Others can correct me if I am wrong - but the bootstrap stuff is outside of the EOL constraints because you always need to be able to bootstrap (that's why 1.4 release will never go away).

I am not terribly opposed to this going in - biggest concern I have is that it will cause build churn for no real benefit. Other than that, I build stable versions of Go using tip pretty frequently (for weird OSs) without issue. Shrug :D

@zowoq
Copy link
Contributor

zowoq commented Sep 15, 2023

We're now using 1.21 to bootstrap go_1_21 and I'll be changing the default go to 1.21 in the next couple of weeks.

Both go_1_18, go_1_19 are EOL and could be removed.

Closing this as the churn isn't really worth it but thanks anyway for the PR.

@zowoq zowoq closed this Sep 15, 2023
@fabianhjr fabianhjr deleted the go-upgrade-bootstrap branch September 15, 2023 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperSandro2000 SuperSandro2000 SuperSandro2000 approved these changes

@kalbasit kalbasit Awaiting requested review from kalbasit

@Mic92 Mic92 Awaiting requested review from Mic92

@zowoq zowoq Awaiting requested review from zowoq

@qbit qbit Awaiting requested review from qbit

Assignees
No one assigned
Labels
6.topic: golang 10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 1001-2500 12.approvals: 1 This PR was reviewed and approved by one reputable person
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@fabianhjr @zowoq @SuperSandro2000 @vcunat @qbit @kirillrdy @mweinelt