Build broken with go 1.19

[jech]

We depend on golang.org/x/crypto@v0.25.0, which requires Go 1.20:

$ /usr/lib/go-1.19/bin/go build
../../../../pkg/mod/golang.org/x/crypto@v0.25.0/curve25519/curve25519.go:13:8: package crypto/ecdh is not in GOROOT (/usr/lib/go-1.19/src/crypto/ecdh)

This is rather unfortunate, since Debian Stable still uses Go 1.19.

@Sean-Der, your enlightened leadership is required: either we fix the build under 1.19 (which will probably require changes across modules), or else we decide that Debian Stable can go kiss our collective toches and change the go.mod to require 1.20.

[Sean-Der]

This is a tough one.

I don't want to pin to old versions of golang.org/x we will miss on bug/security fixes.

I want to support as many Go versions as possible. The harder it is to use Pion the worse off everyone is.

Let me figure out if we can drop the dependency/contain this somehow. If that isn't possible we might have to do 1.20

[nils-ohlmeier]

Just as a thought: if the dependencies can be changed to accommodate 1.19 maybe it best/easiest to maintain a patch for the Debian folks.

[jech]

Just as a thought: if the dependencies can be changed to accommodate 1.19 maybe it best/easiest to maintain a patch for the Debian folks.

That would unfortunately be of no help for users of Debian. If an application depends on github.com/pion/webrtc/v3, then it cannot easily be built against a patched version of Pion. And if we ask users to manually hack the code, we might as well ask them to manually download a more recent compiler.

[nils-ohlmeier]

That would unfortunately be of no help for users of Debian. If an application depends on github.com/pion/webrtc/v3, then it cannot easily be built against a patched version of Pion. And if we ask users to manually hack the code, we might as well ask them to manually download a more recent compiler.

Good point. I overlooked that they don't pull Pion packages from Debian repositories.

[danjenkins]

This is a tough one.

I don't want to pin to old versions of golang.org/x we will miss on bug/security fixes.

I want to support as many Go versions as possible. The harder it is to use Pion the worse off everyone is.

Let me figure out if we can drop the dependency/contain this somehow. If that isn't possible we might have to do 1.20

Personally the first thing I do is install a newer version of go from the website on debian hosts. 1.19 is pretty old in comparison... I'd potentially only put the effort into making it work with 1.19 if people start making issues saying "pion doesnt work"

[jech]

Personally the first thing I do is install a newer version of go

So do I.

But this is not about us, it's about our users. In the past, I did receive a number of queries from users who were puzzled about why Galene wouldn't build on our system. I advised them to upgrade their compiler, but I do not know how many simply gave up and went back to Zoom.

[jech]

Here's a recent example: https://lists.galene.org/galene/34a5369a7ecd2d62eafe3f7d092b780c@cock.li

[danjenkins]

Surely that’s a documentation issue though? If the docs said 1.20 was required that issue wouldn’t have happened?

Dan Jenkins Founder @ Nimble Ape / Everycast Labs / CommCon

Nimble Ape: nimblea.pe Everycast Labs: everycastlabs.uk // broadcastbridge.app CommCon: commcon.xyz

On Tue, 20 Aug 2024 at 19:30, Juliusz Chroboczek @.***> wrote:

Here's a recent example: @.***

— Reply to this email directly, view it on GitHub https://github.com/pion/webrtc/issues/2869#issuecomment-2299485984, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB3LLJLOQCCA4MNC4C3WA3ZSODLFAVCNFSM6AAAAABMOMMVJGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJZGQ4DKOJYGQ . You are receiving this because you commented.Message ID: @.***>

[jech]

If the docs said 1.20 was required that issue wouldn’t have happened?

Yes, but it still shows that there are people who are attempting to build Galene with 1.19. And even if the docs were up to date, it would have forced the user to enable Debian Backports, and to download a more recent compiler. (I, for one, never enable backports on my servers, since Debian Backports does not necessarily receive the same amount of security care as Debian proper.)

[Sean-Der]

I opened a PR against Galene that fixes the build on 1.19 here

I am going to update the go.mod in all the Pion repos to 1.20

---

I am not happy about this breakage, but I think it is 'less bad' then pinning to an old version of the crypto package. If I lock pion/dtls to an old version and expose users to a security problem that would be even worse.