tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Update to Go 1.20.5 #140

Closed tianon closed 5 months ago

tianon commented 5 months ago

This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore).

Also:

(refs #136)

AlexanderYastrebov commented 5 months ago

Why not the latest Go version?

tianon commented 5 months ago

Of course, in the spirit of https://github.com/golang/go/issues/6853, this does make our binaries larger, but not by a significant amount (and mitigated somewhat by #138 and #139).

Before (on 64a0cd92b71e0299d8f326856038920ed899e1bf):

```console
$ stat --format '% 13n %s' gosu-*
   gosu-amd64 1478001
   gosu-arm64 1545902
   gosu-armel 1529287
   gosu-armhf 1529706
    gosu-i386 1390620
gosu-mips64el 1745078
 gosu-ppc64el 1549439
 gosu-riscv64 1648084
   gosu-s390x 1612814
```

After (on 9ea56fefddfda3644e0ded04d303ebc15147f040):

```console
$ stat --format '% 13n %s' gosu-*
   gosu-amd64 1567985
   gosu-arm64 1619900
   gosu-armel 1667383
   gosu-armhf 1602228
    gosu-i386 1491793
gosu-mips64el 1883141
 gosu-ppc64el 1687472
 gosu-riscv64 1726260
   gosu-s390x 1751615
```

The 1.17 release builds, for comparison:

```console
$ stat --format '% 13n %s' gosu-*
   gosu-amd64 2355481
   gosu-arm64 2402948
   gosu-armel 2375335
   gosu-armhf 2376208
    gosu-i386 2204407
gosu-mips64el 2669254
 gosu-ppc64el 2407305
 gosu-riscv64 2451268
   gosu-s390x 2536037
```

tianon commented 5 months ago

> Why not the latest Go version?

I've attempted to answer that more explicitly in my update to SECURITY.md in this PR:

> Similar to how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do not do so), and in the same spirit as the above CVE policy, we do not update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the gosu binary that warrants doing so.
>
> As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to govulncheck, etc).

AlexanderYastrebov commented 5 months ago

> Adjust minimum required golang.org/x/sys down to v0.1.0

This is really counterintuitive. I cannot imagine e.g. a distro downgrading dependencies.

AlexanderYastrebov commented 5 months ago

> Adjust minimum required golang.org/x/sys down to v0.1.0

Ok, I think I get it now - this is the version required by github.com/moby/sys/user
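The exchange above turns on a property of Go modules that is easy to misread: a `require` line in go.mod is a floor, not a pin, and the `go` command's minimal version selection (MVS) builds with the highest version any module in the requirement graph asks for. The following is an added example, not code from the gosu project or from this thread: a small Go implementation of MVS run over a constructed three-module graph shaped like the one discussed (gosu, github.com/moby/sys/user, golang.org/x/sys). The gosu module path, the v0.3.0 version of moby/sys/user, and the v0.6.0 / v0.9.0 versions used in the comparison cases are assumptions; only v0.1.0 comes from the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is one module at one version, e.g. {"golang.org/x/sys", "v0.1.0"}.
type Module struct {
	Path, Version string
}

// Graph maps a module version to the `require` lines of its go.mod.
type Graph map[Module][]Module

// parseSemver turns "vX.Y.Z" into three ints; anything unparsable becomes 0.
func parseSemver(v string) [3]int {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	for i := 0; i < 3 && i < len(parts); i++ {
		out[i], _ = strconv.Atoi(parts[i])
	}
	return out
}

// semverLess reports whether a < b. Simplified stand-in for
// golang.org/x/mod/semver.Compare (no pre-release or build metadata handling).
func semverLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// BuildList implements minimal version selection: visit every module version
// reachable from root through `require` edges and keep, for each module path,
// the highest version any visited go.mod asks for. A `require` line is
// therefore a floor, never a pin.
func BuildList(g Graph, root Module) map[string]string {
	selected := map[string]string{root.Path: root.Version}
	seen := map[Module]bool{root: true}
	queue := []Module{root}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, req := range g[m] {
			if cur, ok := selected[req.Path]; !ok || semverLess(cur, req.Version) {
				selected[req.Path] = req.Version
			}
			if !seen[req] {
				seen[req] = true
				queue = append(queue, req)
			}
		}
	}
	return selected
}

// ExampleGraph builds a constructed three-module graph shaped like the one in
// the thread. gosuSysFloor is the golang.org/x/sys version gosu's own go.mod
// requires; userSysFloor is the one github.com/moby/sys/user requires.
// The gosu module path and moby/sys/user's v0.3.0 are assumed, not from the PR.
func ExampleGraph(gosuSysFloor, userSysFloor string) Graph {
	gosu := Module{"github.com/tianon/gosu", "main"}
	user := Module{"github.com/moby/sys/user", "v0.3.0"}
	return Graph{
		gosu: {user, {"golang.org/x/sys", gosuSysFloor}},
		user: {{"golang.org/x/sys", userSysFloor}},
	}
}

// SelectedSys returns the golang.org/x/sys version MVS picks for the graph.
func SelectedSys(g Graph) string {
	return BuildList(g, Module{"github.com/tianon/gosu", "main"})["golang.org/x/sys"]
}

func main() {
	cases := []struct{ name, gosuFloor, userFloor string }{
		{"floors match (as in this PR)", "v0.1.0", "v0.1.0"},
		{"gosu asks for more (constructed v0.9.0)", "v0.9.0", "v0.1.0"},
		{"dependency asks for more (constructed v0.6.0)", "v0.1.0", "v0.6.0"},
	}
	for _, c := range cases {
		bl := BuildList(ExampleGraph(c.gosuFloor, c.userFloor), Module{"github.com/tianon/gosu", "main"})
		paths := make([]string, 0, len(bl))
		for p := range bl {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		fmt.Printf("%s:\n", c.name)
		for _, p := range paths {
			fmt.Printf("  %s %s\n", p, bl[p])
		}
	}
}
```

The third case is the one that answers the "downgrade" worry: lowering gosu's own floor to v0.1.0 cannot select anything older than what github.com/moby/sys/user itself requires, because MVS takes the maximum over the whole graph. Matching the direct requirement to the dependency's floor only stops gosu's go.mod from forcing a newer golang.org/x/sys than anything in the build actually needs.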