Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go 1.17.7 #94895

Closed
wants to merge 1 commit into from
Closed

go 1.17.7 #94895

wants to merge 1 commit into from

Conversation

jidicula
Copy link
Contributor

Created with brew bump-formula-pr.

resource blocks may require updates.

@BrewTestBot BrewTestBot added bump-formula-pr PR was created using `brew bump-formula-pr` CI-build-dependents-from-source Pass --build-dependents-from-source to brew test-bot. CI-linux-self-hosted Build on Linux self-hosted runner labels Feb 10, 2022
@carlocab carlocab added CI-skip-recursive-dependents Pass --skip-recursive-dependents to brew test-bot. long build Set a long timeout for formula testing CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. labels Feb 11, 2022
@SMillerDev SMillerDev removed the CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. label Feb 11, 2022
@carlocab carlocab added CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. CI-no-fail-fast Continue CI tests despite failing GitHub Actions matrix builds. and removed CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. labels Feb 11, 2022
@github-actions
Copy link
Contributor

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. To keep this pull request open, add a help wanted or in progress label.

@github-actions github-actions bot added the stale No recent activity label Feb 14, 2022
@SMillerDev SMillerDev added in progress Stale bot should stay away and removed stale No recent activity labels Feb 14, 2022
@iMichka iMichka removed the CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. label Feb 14, 2022
@iMichka
Copy link
Member

iMichka commented Feb 14, 2022

Fix for terraform-rover: #95105

@iMichka
Copy link
Member

iMichka commented Feb 14, 2022

Fix for revive #95106

@iMichka
Copy link
Member

iMichka commented Feb 14, 2022

Fix for jd: #95107

@chenrui333
Copy link
Member

I have checked out the branch and installed 1.17.7 in my local, cql and httpx seems not an issue in my local run. IMO, I think we can make a new run and see if we can merge the PR.

@gonzaloserrano
Copy link

Any chance for the new build run to happen?

@iMichka iMichka added the CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. label Feb 23, 2022
@gonzaloserrano
Copy link

7 formula failed to build, and all look to me to non-go related errors:

  • akamai: some 404 getting a resource that I could not reproduce in local env
  • awsweeper: terraform issues Minitest::Assertion: Expected /Error:\ failed\ to\ configure\ provider\ \(name=aws/ to match "\nfailed to install provider (aws): 2 problems:\n\n- registry.terraform.io: This version of Terraform has an outdated GPG key and is unable to verify new provider releases. Please upgrade Terraform to at least 0.12.31 to receive new provider updates.
  • cassowari: Formula reports different sha256: 385232478b8552d56429fbe2584950bfbe42e3b611919a31075366a143aae9a9
  • cf-tool: depends on gopsutil that does not fully support M1s yet cpu.Info() errors on Apple Silicon M1 (darwin/arm64) shirou/gopsutil#1000 (comment)
  • dvm: dvm-helper dockerArch issue, does not build with prev go versions and looks unmaintained because it has not not even correct import paths?
  • mpdviz: also super old, unmaintaned project which has an unmtainanted forked dependency that does not support arm64 src/github.com/lucy/termbox-go/api.go:57:17: undefined: syscall_IGNBR
  • perkeep: depends on go 1.12 that's not supported anymore in brew https://github.com/Homebrew/homebrew-core/blob/master/Formula/perkeep.rb#L37 FormulaUnavailableError: No available formula with the name "[email protected]". Did you mean [email protected], [email protected], [email protected] or [email protected]?
  • pilosa: like cf-tool, also depends on gopsutil
  • virgil: no arm64 compatibility ld: symbol(s) not found for architecture arm64

So I think upgrading the go version is a good call.

@iMichka
Copy link
Member

iMichka commented Feb 23, 2022

Thanks for the list. That's only for the ARM part, more might pop up on Intel or Linux.

Unless this release fixes a CVE and there is an emergency, we should focus on fixing all of these. We can't just stay forever with broken builds. We have a policy in place, and we should try to follow it.

Here a patches for:
perkeep: #95740
cassowary: #95741
mpdviz: #95742

@jidicula
Copy link
Contributor Author

jidicula commented Feb 23, 2022

@iMichka not sure if these count as emergencies, but here are the CVEs fixed in Go 1.17.7:


Announcement:

Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security policy:

  • crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

    Some big.Int values that are not valid field elements (negative or overflowing)
    might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
    may cause a panic or an invalid curve operation. Note that Unmarshal will never
    return such values.

    Thanks to Guido Vranken for reporting this.

    This is CVE-2022-23806 and https://go.dev/issue/50974.

  • math/big: prevent large memory consumption in Rat.SetString

    An attacker can cause unbounded memory growth in a program using (*Rat).SetString
    due to an unhandled overflow.

    Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
    (@odeke_et) for reporting it.

    This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

  • cmd/go: prevent branches from materializing into versions

    A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
    can be considered a valid version by the go command. Materializing versions from
    branches might be unexpected and bypass ACLs that limit the creation of tags but not
    branches.

    This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team

@alebcay alebcay removed the CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. label Feb 26, 2022
@iMichka iMichka mentioned this pull request Feb 28, 2022
6 tasks
@stefanb
Copy link
Member

stefanb commented Mar 1, 2022

This should be tried again now that everything was fixed and virgil marked as depending on x86_64 in #96009

@iMichka
Copy link
Member

iMichka commented Mar 1, 2022

Yes. We also fixed goproxy: #96014

@iMichka iMichka added the CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. label Mar 1, 2022
Copy link
Member

@carlocab carlocab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's ship this when CI finishes.

@carlocab carlocab removed the CI-linux-self-hosted Build on Linux self-hosted runner label Mar 2, 2022
@gonzaloserrano gonzaloserrano mentioned this pull request Mar 2, 2022
@cho-m cho-m added ready to merge PR can be merged once CI is green and removed CI-long-timeout [DEPRECATED] Use longer GitHub Actions CI timeout. in progress Stale bot should stay away labels Mar 2, 2022
@BrewTestBot
Copy link
Member

:shipit: @iMichka has triggered a merge.

@iMichka
Copy link
Member

iMichka commented Mar 2, 2022

At least I got some tests green ...

@stefanb stefanb mentioned this pull request Mar 4, 2022
@github-actions github-actions bot added the outdated PR was locked due to age label Apr 2, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 2, 2022
@jidicula jidicula deleted the bump-go-1.17.7 branch April 12, 2022 18:11
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bump-formula-pr PR was created using `brew bump-formula-pr` CI-build-dependents-from-source Pass --build-dependents-from-source to brew test-bot. CI-no-fail-fast Continue CI tests despite failing GitHub Actions matrix builds. CI-skip-recursive-dependents Pass --skip-recursive-dependents to brew test-bot. long build Set a long timeout for formula testing outdated PR was locked due to age ready to merge PR can be merged once CI is green
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants