Upstream has released versions 1.7.11 and 1.18.3 on June 1, fixing a security issue: https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.17.11
Whiteboard: (none) => MGA8TOO
openSUSE has issued an advisory for this on June 7: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7YVS6P6QJPK5B4HQAT2XTPVX5KZ5WZ3B/
1.7.11 pushed to updates_testing, 1.18.3 pushed to cauldron.
Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
golang-tests-1.17.11-1.mga8
golang-1.17.11-1.mga8
golang-misc-1.17.11-1.mga8
golang-docs-1.17.11-1.mga8
golang-src-1.17.11-1.mga8
golang-shared-1.17.11-1.mga8
golang-bin-1.17.11-1.mga8

from golang-1.17.11-1.mga8.src.rpm
CC: (none) => bruno
Status comment: Fixed upstream in 1.17.11 => (none)
mga8, x86_64
Problem while updating:
golang-tests-1.17.11-1.mga8.noarch.rpm: Missing signature (OK ((none)))
Do you want to continue installation? -> No
Keywords: (none) => feedback
CC: (none) => tarazed25
I think it's the same issue as last time. Maybe the fact that the package is named test prevents the signature from happening correctly (just guessing). Last time when moving to prod, it wasn't a problem anymore. So maybe for your validation you can say yes in order to install it. Anyway that package won't be tested by the docker rebuild ;-) (so you may even not update it).
Either that or a build system issue. I've asked for it to be removed and resubmitted. I think I did the same thing last time.
CC: (none) => sysadmin-bugs
OK, thanks. Shall go ahead without the test package.
urpme'd the existing testing package and installed the rest from qarepo.
Checked out docker from SVN and built a local version using the tried and tested procedure - see bug 30362 etc.
Build requires seemed to be up-to-date and bm proceeded smoothly.
The installed system version is docker-20.10.14-3.mga8 and
$ urpmq -i docker
lists up to 20.10.14.
The test build is 20.10.16-1.
$ cd ~/dev/docker/RPMS/x86_64
$ ls
docker-20.10.16-1.mga8.x86_64.rpm
docker-devel-20.10.16-1.mga8.x86_64.rpm
docker-fish-completion-20.10.16-1.mga8.x86_64.rpm
docker-logrotate-20.10.16-1.mga8.x86_64.rpm
docker-nano-20.10.16-1.mga8.x86_64.rpm
docker-zsh-completion-20.10.16-1.mga8.x86_64.rpm

Assuming this is OK.
Whiteboard: (none) => MGA8-64-OK
Keywords: feedback => (none)
We still need to make sure that golang-tests is properly signed.
Keywords: (none) => feedback
The entire list of packages will need to be retested once the signature issue is fixed. Downgrade and reinstall the update after it's fixed. The rebuild that fixes the signature for the golang-tests package might cause a problem with another package from the same srpm such as a missing signature. Unlikely, but without testing we won't know.
Whiteboard: MGA8-64-OK => (none)
CC: (none) => davidwhodgins
golang-tests-1.17.11-1.mga8 re-signed on primary mirror
Keywords: feedback => (none)
Whiteboard: (none) => MGA8-64-OK
Thanks - I shall catch up with it tomorrow.
Whiteboard: MGA8-64-OK => (none)
Whiteboard: (none) => MGA8-64-OK
Tests are still valid...tmb didn't rebuild it, just signed the one unsigned rpm.
I'm going to hope that something has been noted somewhere so that this issue doesn't come up in the next golang update. Validating.
CC: (none) => andrewsfarm
Keywords: (none) => validated_update
Moved to another machine and repeated the whole process. No certificate problems this time and the test rebuild went fine.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0231.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED