Fedora has issued an advisory on October 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AHH5B4WHCPTVEM6APRVXRWLFOR325CCD/ The issues are fixed upstream in 1.8.4. Mageia 6 is also affected. Mageia 5 may be as well.
Whiteboard: (none) => MGA6TOO
golang-1.9.1-1.mga7 uploaded for Cauldron by Joseph.
CC: (none) => joequantVersion: Cauldron => 6Whiteboard: MGA6TOO => (none)
Fedora advisory for 1.8.4 from October 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3SFCC7E7XZUSJKXFRXRASC4BKMRRGE2R/
mga5 has 1.6.4 so no update will be provided. Users should move to mga6 now as it's really stable enough. version 1.8.4 uploaded for mga6.
Status: NEW => ASSIGNED
Bruno, 1.8.4 never built. There's a 1.8.5 out now, maybe it fixes the tests.
Bruno, David. I've just compiled 1.8.5 in mock for mga6 and it looks OK. Would it be OK if I pushed the changes to svn and ask my mentor, Shlomi, to submit? Cheers, Stig (kekePower)
CC: (none) => smelror
Go for it.
MGA6 Golang 1.8.5 commited to svn r1193302. David, want to submit it? Cheers, Stig
Tests still fail: http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180114234631.luigiwalser.duvel.10391/log/golang-1.8.5-1.mga6/build.0.20180114234707.log
That's really strange. Here is the build log from the run I did in mock. https://github.com/kekePower/mageia-mock-build-logs/blob/master/golang/2018/01/14-234338/mock/build.log?raw=true Are you sure everything is OK with the BS?
Both x86_64 and i586 runs all the tests fine in mock on my system, so I don't know what else needs to be done to get it to complete on the BS. Cheers, Stig
Looks like this kind of issue: https://groups.google.com/forum/#!topic/golang-codereviews/auMQx53mxGg
CC: (none) => tmb
Thanks Thomas. I've rebased the patch you pointed me to. Let's see if it the BS likes it and completes the last test. SVN commit r1193564. Cheers, Stig
Well, that patch didn't work at all :* Have to go look for something else. Cheers, Stig
CC: (none) => guillomovitch, marja11
golang 1.9.1 pushed to updates_testing for MGA6. A lot of failures in the 1.8.x series made us decide to go for 1.9.x. Version 1.9.2 is the latest release, but this also failed and since Cauldron has 1.9.1, I thought it'd be a good thing to have the same version. Thanks a million to my mentor, Shlomi, and to Jani on #mga-mentoring for their guidance and help. Their expertise and kindness helped me get through this. QA, You can test this version of golang by building docker. Cheers, Stig
Assignee: bruno => smelror
CVE: (none) => CVE-2017-15041 CVE-2017-15042QA Contact: security => (none)
Assignee: smelror => qa-bugs
QA Contact: (none) => security
Advisory: ======================== Updated golang packages fix security vulnerabilities: An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side (CVE-2017-15041). It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application (CVE-2017-15042). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15041 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15042 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AHH5B4WHCPTVEM6APRVXRWLFOR325CCD/ ======================== Updated packages in core/updates_testing: ======================== golang-1.9.1-1.mga6 golang-docs-1.9.1-1.mga6 golang-misc-1.9.1-1.mga6 golang-tests-1.9.1-1.mga6 golang-src-1.9.1-1.mga6 golang-bin-1.9.1-1.mga6 golang-shared-1.9.1-1.mga6 from golang-1.9.1-1.mga6.src.rpm
Starting on this for Mageia 6 :: x86_64. We have seen golang before, and have also followed the build docker advice. This time however I have been unable to follow through on the local-build instructions kindly provided by David Walser on an unrelated bug. My own notes record: "Install magarepo and bm" but bm does not seem to exist and does not seem to be provided by any other package. Has there been a name change? docker SOURCES and SPECS have been retrieved but as I am not a packager I cannot get any further without bm or whatever it is called now.
CC: (none) => tarazed25
Panic over; found the source name at ibiblio.org and found that specifying the full string worked. # urpmi bm-3.2-1.mga6
Situation before updates: $ bm -ls creating package list processing package docker-%{dist_version}-%mkrel 4 building source package Wrote: /home/lcl/qa/docker/before/docker/SRPMS/docker-17.03.1-4.mga6.src.rpm succeeded! $ sudo urpmi SRPMS/docker*.rpm please use --buildrequires or --install-src, defaulting to --buildrequires The following packages can't be installed because they depend on packages that are older than the installed ones: glibc-static-devel-2.22-26.mga6 docker-17.03.1-4.mga6 Continue installation anyway? (Y/n) To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "Core Release (distrib1)") golang-net-devel 0.1.git84a4> 8.mga6 x86_64 lib64gpg-error-devel 1.24 1.mga6 x86_64 (medium "Core Updates (distrib3)") lib64btrfs-devel 4.14 2.mga6 x86_64 lib64gcrypt-devel 1.7.8 1.1.mga6 x86_64 systemd-devel 230 12.2.mga6 x86_64 2.6MB of additional disk space will be used. 636KB of packages will be retrieved. Proceed with the installation of the 5 packages? (Y/n) $MIRRORLIST: media/core/release/golang-net-devel-0.1.git84a4013f96e0-8.mga6.x86_64.rpm $MIRRORLIST: media/core/release/lib64gpg-error-devel-1.24-1.mga6.x86_64.rpm $MIRRORLIST: media/core/updates/lib64btrfs-devel-4.14-2.mga6.x86_64.rpm $MIRRORLIST: media/core/updates/systemd-devel-230-12.2.mga6.x86_64.rpm $MIRRORLIST: media/core/updates/lib64gcrypt-devel-1.7.8-1.1.mga6.x86_64.rpm installing lib64gcrypt-devel-1.7.8-1.1.mga6.x86_64.rpm systemd-devel-230-12.2.mga6.x86_64.rpm golang-net-devel-0.1.git84a4013f96e0-8.mga6.x86_64.rpm lib64btrfs-devel-4.14-2.mga6.x86_64.rpm lib64gpg-error-devel-1.24-1.mga6.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ############################################# 1/5: lib64gpg-error-devel ############################################# 2/5: lib64gcrypt-devel ############################################# 3/5: systemd-devel ############################################# 4/5: lib64btrfs-devel ############################################# 5/5: golang-net-devel ############################################# While some packages may have been installed, there were failures. The following packages can't be installed because they depend on packages that are older than the installed ones: glibc-static-devel-2.22-26.mga6 docker-17.03.1-4.mga6 Continue installation anyway? [lcl@vega docker]$ bm -l creating package list processing package docker-%{dist_version}-%mkrel 4 building source and binary packages error: Failed build dependencies: device-mapper-devel is needed by docker-17.03.1-4.mga6.x86_64 glibc-static-devel is needed by docker-17.03.1-4.mga6.x86_64 go-md2man is needed by docker-17.03.1-4.mga6.x86_64 libsqlite3-devel is needed by docker-17.03.1-4.mga6.x86_64 error: failed!
Len, What I usually do to get a package built is sudo urpmi --buildrequires SPEC/file.spec and if it fails, try again. I guess it also works directly with src.rpm files as well. AFAICS, it looks like the mirror used may be out of sync. Cheers, Stig
Here's my test. $ sudo urpmi --buildrequires SPECS/docker.spec To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "Core Release") golang-net-devel 0.1.git84a4> 8.mga6 x86_64 lib64devmapper-devel 1.02.137 1.mga6 x86_64 (medium "Core Updates") glibc-static-devel 2.22 26.mga6 x86_64 lib64btrfs-devel 4.14 2.mga6 x86_64 (medium "Core Updates Testing") golang 1.9.1 1.mga6 x86_64 golang-bin 1.9.1 1.mga6 x86_64 golang-src 1.9.1 1.mga6 noarch 321MB of additional disk space will be used. 59MB of packages will be retrieved. Proceed with the installation of the 7 packages? (Y/n) Preparing... ############################################# 1/7: golang-src ############################################# 2/7: golang-bin ############################################# 3/7: golang ############################################# 4/7: golang-net-devel ############################################# 5/7: lib64btrfs-devel ############################################# 6/7: lib64devmapper-devel ############################################# 7/7: glibc-static-devel ############################################# And bm -l proceeded without issues. Cheers, Stig
Len, it looks like either something is messed up with your media configuration (which ones are enabled) or you have some packages from updates_testing installed that you shouldn't. Try double-checking that updates_testing is *not* enabled but core/release and core/updates are, and then running urpmq --not-available to find package versions that don't match what you should have installed.
I had already checked updates testing and have now checked it again - not enabled - but earlier I had updated glibc so that is probably where the problem is. My mind is still extremely fuzzy after two weeks of a nasty 'flu so I am not at all sure how that happened. That is a handy command, but whoa, so many! $ urpmq --not-available reports several glibc components so I guess I should downgrade them and reboot. Back in a wee while.
Yes, either downgrade them *or* make sure you install glibc, glibc-devel, and glibc-static-devel from updates_testing all together before testing this (you probably had only the first two so it couldn't install the third).
CC: guillomovitch => (none)
Hmm. Not possible to downgrade, neither to remove and reinstall. Was going to say short of reinstalling mga6 the only other solution is to try on another system which has not been botched but your reinstall glibc sounds better. # rpm -qa | grep glibc lib64glibc_lsb-2.4.7-12.mga6 glibc-devel-2.22-27.mga6 glibc-2.22-27.mga6 No static-devel.
Yeah just install glibc-static-devel from updates_testing and you should be good.
Installed glibc-static-devel from Updates testing then went back to the beginning and ran Stig's buildrequires command. That went fine, so did 'bm -ls'. $ bm -l proceeded without incident. .................. Executing(%clean): /bin/sh -e /home/lcl/qa/docker/before/docker/BUILDROOT/rpm-tmp.giYOhq + umask 022 + cd /home/lcl/qa/docker/before/docker/BUILD + cd moby-17.03.1-ce + /usr/bin/rm -rf /home/lcl/qa/docker/before/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64 + exit 0 succeeded! Thanks lads for your help. So that is done for before the golang update. Have created a parallel branch for the after update scenario. Updated all the golang components and ran the local build in the after branch. That went very smoothly and 'bm -l' ended with: + umask 022 + cd /home/lcl/qa/docker/after/docker/BUILD + cd moby-17.03.1-ce + /usr/bin/rm -rf /home/lcl/qa/docker/after/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64 + exit 0 succeeded! Worth an OK but I shall run some user-side commands to ensure full functionality.
$ export GOPATH=/home/lcl/go/ $ go version go version go1.8.1 linux/amd64 $ cd go $ tree . └── src ├── hello_1.go ├── hello.go └── stringutil └── reverse.go $ cd src Classic one-liner: $ go run hello_1.go Good morning QA $ go build hello.go $ ll total 1536 -rwxr-xr-x 1 lcl lcl 1560023 Jan 21 16:46 hello* -rw-r--r-- 1 lcl lcl 80 Jan 21 15:22 hello_1.go -rw-r--r-- 1 lcl lcl 155 Jan 21 15:21 hello.go Use package function to reverse the message string. $ ./hello Good morning QA !AQ gninrom dooG This will do I think.
Whiteboard: (none) => MGA6-64-OK
Created attachment 9917 [details] Hello world program written in go.
Created attachment 9918 [details] String manipulation in go
CC: (none) => sysadmin-bugsKeywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0089.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED