Commit Graph

75 Commits

Author SHA1 Message Date
Christian Stewart
9c035502bf package/go: bump version to 1.16
Release notes: https://golang.org/doc/go1.16

The latest Go release, version 1.16, arrives six months after Go 1.15. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.

The linker changes in 1.16 extend the 1.15 improvements to all supported
architecture/OS combinations (the 1.15 performance improvements were primarily
focused on ELF-based OSes and amd64 architectures). For a representative set of
large Go programs, linking is 20-25% faster than 1.15 and requires 5-15% less
memory on average for linux/amd64, with larger improvements for other
architectures and OSes. Most binaries are also smaller as a result of more
aggressive symbol pruning.

According to the release notes, Go 1.16 drops support for x87 mode
compilation (GO386=387).  Support for non-SSE2 processors is now available
using soft float mode.  Buildroot will automatically set GO386=softfloat on
non-SSE2 processors.

Signed-off-by: Christian Stewart <christian@paral.in>

v1 -> v2:

 - added 386=softfloat handling re: Peter's review

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-23 13:48:27 +01:00
Christian Stewart
e92ec59450 package/go: bump to version 1.15.8
go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package.

https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-23 13:47:04 +01:00
Peter Korsgaard
0e1b5aa572 packago/go: security bump to version 1.15.7
Fixes the following security issues:

- cmd/go: packages using cgo can cause arbitrary code execution at build time

  The go command may execute arbitrary code at build time when cgo is in use
  on Windows.  This may occur when running “go get”, or any other command
  that builds code.  Only users who build untrusted code (and don’t execute
  it) are affected.

  In addition to Windows users, this can also affect Unix users who have “.”
  listed explicitly in their PATH and are running “go get” or build commands
  outside of a module or with module mode disabled.

  Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

  This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

- crypto/elliptic: incorrect operations on the P-224 curve

  The P224() Curve implementation can in rare circumstances generate
  incorrect outputs, including returning invalid points from ScalarMult.

  The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
  support P-224 ECDSA keys, but they are not supported by publicly trusted
  certificate authorities.  No other standard library or golang.org/x/crypto
  package supports or uses the P-224 curve.

  The incorrect output was found by the elliptic-curve-differential-fuzzer
  project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

  This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-21 17:02:19 +01:00
Fabrice Fontaine
d4eefdbed0 package/go: add GO_CPE_ID_VENDOR
golang is the correct CPE ID vendor for the go package, see:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agolang%3Ago

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-11 21:38:47 +01:00
Peter Korsgaard
f470ce5f0d package/go: fix s/amrv7/armv7/ typo in comment
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 22:35:03 +01:00
Michael Baudino
c59409afd9 package/go: enable ARMv7 optimizations for 32-bit ARMv8
When building for an ARMv8 in 32-bit, Go does not yet support ARMv8
optimizations (see issue: https://github.com/golang/go/issues/29373)
but can still benefit from ARMv7 optimizations.

Signed-off-by: Michael Baudino <michael@baudi.no>
[yann.morin.1998@free.fr:
  - move the comment to its own line, expand and reword it a bit
  - reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-19 12:17:12 +01:00
Michael Baudino
4e81152078 package/go: fix a typo in CC and CXX env values
This commit fixes a typo in variable names that caused CC and CXX
environment variables to be empty.

Signed-off-by: Michael Baudino <michael@baudi.no>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-19 12:02:52 +01:00
Christian Stewart
267dd8b427 package/go: bump to version 1.15.6
go1.15.6 (released 2020/12/03) includes fixes to the compiler, linker, runtime,
the go command, and the io package.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-16 12:16:59 +01:00
Peter Korsgaard
7269a73102 package/go: security bump to 1.15.5
Fixes the following security issues:

- math/big: panic during recursive division of very large numbers

  A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
  ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
  large inputs.  For the panic to happen, the divisor or modulo argument
  must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
  64-bit architectures).  Multiple math/big.Rat methods are similarly affected.

  crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
  panic when provided crafted public keys and signatures.  crypto/ecdsa and
  crypto/elliptic operations may only be affected if custom CurveParams with
  unusually large field sizes (several times larger than the largest
  supported curve, P-521) are in use.  Using crypto/x509.Verify on a crafted
  X.509 certificate chain can lead to a panic, even if the certificates
  don’t chain to a trusted root.  The chain can be delivered via a
  crypto/tls connection to a client, or to a server that accepts and
  verifies client certificates.  net/http clients can be made to crash by an
  HTTPS server, while net/http servers that accept client certificates will
  recover the panic and are unaffected.

  Moreover, an application might crash invoking
  crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
  request or during a golang.org/x/crypto/otr conversation.  Parsing a
  golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
  Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
  host key, while a server could panic if either PublicKeyCallback accepts a
  malformed public key, or if IsUserAuthority accepts a certificate with a
  malformed public key.

  Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
  this.  Thanks to Rémy Oudompheng and Robert Griesemer for their help
  developing and validating the fix.

  This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.

- cmd/go: arbitrary code execution at build time through cgo

  The go command may execute arbitrary code at build time when cgo is in
  use.  This may occur when running go get on a malicious package, or any
  other command that builds untrusted code.

  This can be caused by malicious gcc flags specified via a #cgo directive,
  or by a malicious symbol name in a linked object file.

  Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
  reporting these issues.

  These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
  golang.org/issue/42556 and golang.org/issue/42559 respectively.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:48:20 +01:00
Christian Stewart
6ba64976d3 package/go: bump to 1.15.4
Bugfix release. From the release notes:

go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 21:06:20 +01:00
Christian Stewart
ce0d25ffc7 package/go: bump to version 1.15.3
go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime, the
go command, and the bytes, plugin, and testing packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-25 10:22:44 +01:00
Alexander Egorenkov
e013029b17 package/go: fix GO_ARCH for s390x arch
Fixes:
- http://autobuild.buildroot.net/results/82c440825290804c2fd6a92d916c93d2934e0a95
- http://autobuild.buildroot.net/results/e8f8e232fb6bf6167f25c82026f4e2321cca9c26
- http://autobuild.buildroot.net/results/7d4137c439ade81ab7bf141ad6504a69746d6dbc

Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:56:01 +02:00
Alexander Egorenkov
9eaab4e2c5 package/go: add support for IBM s390x and Z arch
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-24 22:57:57 +02:00
Christian Stewart
ddaba441d4 package/go: bump to 1.15.2
go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime,
documentation, the go command, and the net/mail, os, sync, and testing packages.

https://golang.org/doc/devel/release.html#go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-13 15:48:56 +02:00
Christian Stewart
9400e8a4c3 package/go: bump to go 1.15.1
Go 1.14, 1.15 are major releases of Go.

Read the Release Notes for more information:

 - https://golang.org/doc/go1.14
 - https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-06 14:31:35 +02:00
Christian Stewart
7afd262da0 package/go: implement go modules integration
The Go compiler needs to know the "import path" to the root of package
source repositories. Previously, this was done by creating a fake
_gopath in the build directory and symlinking the package source into
that path.

Go has deprecated the GOPATH mechanism in favor of a new approach -
Modules - which specifies the root import path (and dependencies) in a
"go.mod" file. This commit moves Buildroot to use the new go.mod
approach, which requires:

 - Passing GO111MODULE=on when building host or target Go packages.

 - Passing GOPROXY=off and -mod=vendor to prevent the Go module system
   from downloading by itself sources from the Internet. We currently
   only support Go packages that have all their dependencies in their
   source tree in "vendor" directories.

 - Specifying a <pkg>_GOMOD variable, which is used both to create a
   minimal go.mod file in the package source tree if it exists, and to
   invoke the right build targets. Indeed, all elements in
   <pkg>_BUILD_TARGETS are now relative to <pkg>_GOMOD.

Reference: https://github.com/golang/go/wiki/Modules

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:06 +02:00
Thomas Petazzoni
1a17e4ae99 package/go: re-integrate GO_COMMON_ENV into HOST_GO_COMMON_ENV
There is no point in having some common Go env variables defined in
pkg-golang.mk:GO_COMMON_ENV, and some in
package/go/go.mk:HOST_GO_COMMON_ENV. Let's move all of them to
package/go/go.mk:HOST_GO_COMMON_ENV.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7a89fa07ee package/go: pass CFLAGS/CXXFLAGS/LDFLAGS in HOST_GO_TARGET_ENV
HOST_GO_HOST_ENV is explicitly specifying
HOST_CGO_{CFLAGS,CXXFLAGS,LDFLAGS}, so let's do the same for target
packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
557282a9c0 package/go: introduce HOST_GO_COMMON_ENV
A few variables are common between HOST_GO_TARGET_ENV and
HOST_GO_HOST_ENV, so let's introduce a HOST_GO_COMMON_ENV variable for
those few common ones (which will increase in follow-up commits).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7c3e3cbcf2 package/go: add a HOST_GO_HOST_ENV variable
package/go/go.mk provides a HOST_GO_TARGET_ENV which provides a useful
set of environment variables needed to build target Go packages.

For host packages, we simply have package/pkg-golang.mk defining
GO_HOST_ENV to specify CFLAGS/LDFLAGS, but that's it: we don't pass an
explicit path to the compiler, we don't pass GO111MODULE, GOCACHE,
GOROOT, etc.

This commit introduces a HOST_GO_HOST_ENV variable that provides the
appropriate set of environment variables to use when building host
golang packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:48 +02:00
Christian Stewart
593254c6f9 package/go: bump version to 1.13.14
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and
the database/sql, net/http, and reflect packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-18 15:20:46 +02:00
Christian Stewart
e31919878d package/go: bump version to 1.13.13
go1.13.13 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-16 21:54:34 +02:00
Christian Stewart
7cbb3dd94e package/go: bump version to 1.13.12
go1.13.9 (released 2020/03/19) includes fixes to the go command, tools, the
runtime, the toolchain, and the crypto/cypher package.

go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime,
and the os/exec and time packages.

go1.13.11 (released 2020/05/14) includes fixes to the compiler.

go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types
and math/big packages.

Release notes: https://golang.org/doc/go1.13

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-06-07 11:12:29 +02:00
Peter Korsgaard
9b15ef3505 package/go: bump version to 1.13.8
Includes fixes to the runtime, the crypto/x509, and net/http
packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:53:19 +01:00
Peter Korsgaard
f40acb4684 package/go: security bump to version 1.13.7
Fixes the following security issue:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates.  net/http clients
can be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.  Thanks to
Project Wycheproof for providing the test cases that led to the discovery of
this issue.  The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-29 20:47:32 +01:00
Christian Stewart
17aea508c7 package/go: bump to 1.13.6
go1.13.6 (released 2020/01/09) includes fixes to the runtime and the net/http
package.

https://github.com/golang/go/issues?q=milestone=Go1.13.6

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-10 09:07:43 +01:00
Christian Stewart
bdc395db0d package/go: bump to 1.13.5
go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime,
the linker, and the net/http package.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.5

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-12-08 08:33:26 +01:00
Christian Stewart
aa4218f73f package/go: bump to 1.13.4
go1.13.4 (released 2019/10/31) with fixes to the net/http and syscall packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-30 22:41:43 +01:00
Peter Korsgaard
2580a12e5a package/go: security bump to version 1.13.3
Fixes the following security issues (1.33.2):

- CVE-2019-17596: Invalid DSA public keys can cause a panic in dsa.Verify.
  In particular, using crypto/x509.Verify on a crafted X.509 certificate
  chain can lead to a panic, even if the certificates don’t chain to a
  trusted root.  The chain can be delivered via a crypto/tls connection to a
  client, or to a server that accepts and verifies client certificates.
  net/http clients can be made to crash by an HTTPS server, while net/http
  servers that accept client certificates will recover the panic and are
  unaffected.

Additionally, 1.13.3 fixes a number of issues. From the release notes:

Fixes to the go command, the toolchain, the runtime, syscall, net, net/http,
and crypto/ecdsa packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 08:43:17 +01:00
Christian Stewart
f9d2bd24ca package/go: bump to 1.13.1
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-09 22:51:26 +02:00
Peter Korsgaard
bd574c445c package/go: security bump to version 1.12.10
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  https://github.com/golang/go/issues/34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 08:07:49 +02:00
Peter Korsgaard
b84261e5ca package/go: bump version to 1.12.9
For post-1.12.8 fixes. From the release notes:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:22:33 +02:00
Christian Stewart
81b164c537 package/go: bump version to 1.12.8
go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker, the
go command, and the crypto/x509, net/http, and os packages.

go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler, and the
linker.

go1.12.8 (released 2019/08/13) includes security fixes to the net/http and
net/url packages.

https://golang.org/doc/devel/release.html

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-15 15:07:16 +02:00
Peter Korsgaard
ce32fa6cc1 package/go: bump version to 1.12.5
Fixes a number of issues discovered since 1.12.4.  From the release notes:

go1.12.5 (released 2019/05/06) includes fixes to the compiler, the linker,
the go command, the runtime, and the os package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-07 22:30:13 +02:00
Peter Korsgaard
4f5584af06 package/go: bump version to 1.12.4
Fixes a number of issues discovered since 1.12.1.  From the release notes:

go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go
command, the runtime, and the doc, net, net/http/httputil, and os packages.
See the Go 1.12.2 milestone on our issue tracker for details.

go1.12.3 (released 2019/04/08) was accidentally released without its
intended fix.  It is identical to go1.12.2, except for its version number.
The intended fix is in go1.12.4.

go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt
binary releases on older versions of GNU/Linux led to failures when linking
programs that used cgo.  Only Linux users who hit this issue need to update.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-30 13:17:21 +02:00
Anisse Astier
ed36d20daa package/go: fix building host go toolchain when target isn't supported
The go toolchain can cross-compile by default. So most of the time,
building a toolchain that supports a target, allows us to also build go
binaries for the host. This is how support for host go packages was
added: we use the same toolchain that was initially built only for
target.

But we might want to build a go binary for the host, when compiling a
target for which go isn't supported. Then, building host-go will fail:
by default, we build go for a specific target, and give the toolchain
bootstrap scripts the cross compiler we'll use.

This change modifies this behaviour: we only assume the go toolchain is
cross-capable if we know the current target is supported. Otherwise this
is a simple host go tool. We don't need to set any of the options needed
for cross-compilation in that case.

Thus, only set all the target-specific go options under a condition that
the target arch is supported. The only option we still set is
HOST_GO_CGO_ENABLED, and we always set it to enabled.

It was also considered to create a separate package to build the
go-for-host compiler which would be used for host-go-packages, but that
would lead to a lot of duplication and is completely unnecessary.

Fixes:
http://autobuild.buildroot.net/results/98b9c7aaff2af4d19adfedac00b768d92530ce94
http://autobuild.buildroot.net/results/bed228995ce3778720f991df9b41345a7c724a46
http://autobuild.buildroot.net/results/3b3ea148165b96513ea511ee0d4adb334a6afac8

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-17 09:00:19 +02:00
Mirza Krak
aba08cd218 package/pkg-golang: add support for building host packages
With this you can add:

    $(eval $(host-golang-package))

to a package .mk file to build for host.

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Acked-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 17:21:10 +01:00
Angelo Compagnucci
8291bc7793 package/go: rename BR2_PACKAGE_HOST_GO_{ARCH_SUPPORTS,CGO_LINKING_SUPPORTS}
The hidden Config.in option BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS name is
not very clear as to whether it says whether Go is available for the
target architecture or the host architecture.

Until now, this was fine since there was support for host Go
packages. But as we are about to introduce support for building host
Go packages, we need to clarify the meaning of
BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS. Since it says whether the target
architecture has support for Go or not, we rename it to
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS.

And since BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS is tightly related,
we rename it to BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[Thomas: entirely rewrite commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 17:20:53 +01:00
Christian Stewart
1af9d9dd25 package/go: bump to version 1.12.1
Go 1.12 was released on 2/25/2019: https://blog.golang.org/go1.12

Go 1.12.1 was released on 3/14/2019:
https://golang.org/doc/devel/release.html#go1.12.minor

Additional notes on how Go modules will evolve in 2019 are here:
https://blog.golang.org/modules2019

In Go 1.12, module support remains the same as in Go 1.11. GOPATH is scheduled
for deprecation in 1.13, however. The Buildroot Go package infrastructure should
therefore aim to migrate to a new, currently undefined, Go module friendly
compilation approach before Go 1.13 is released.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 11:07:41 +01:00
Christian Stewart
3909423f1c package/go: set GOCACHE to a host path
Set the GOCACHE environment variable properly.

It was previously unset, and defaults to $HOME/.cache/go-build.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-12 22:05:57 +01:00
Christian Stewart
f7a2870dd1 go: explicitly disable modules to avoid unintended network lookup
Go "modules" refers to the dependency fetching, verification (hashing), and
version control system built into Go as of 1.11.

It is not desirable to have Go modules enabled in Buildroot in the normal case,
as Buildroot manages downloading the sources, and third party dependency
managers are typically not used.

In the absence of the GO111MODULE environment variable, the Go compiler will
correctly compile using the "vendor" version of dependencies downloaded by
Buildroot during the compilation process for Go-based packages.

However, if the user sets the GO111MODULE=on environment variable, the Go
compiler will download the Go dependencies for Buildroot packages, using the
modules system. This is potentially unintended behavior from user environment
variables.

This commit sets the GO111MODULE=off variable in the Go target and host
compilation environments, disabling Go modules support for Buildroot mainline
packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-03 22:15:24 +01:00
Christian Stewart
0ab3cb7a97 go: security bump to 1.11.5
Go 1.11.5 addresses a reported security issue, CVE-2019-6486.

Signed-off-by: Christian Stewart <christian@paral.in>
Acked-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-01-24 10:46:22 +01:00
Peter Korsgaard
d810fee306 package/go: security bump to version 1.11.4
go 1.11.3 fixes the following security issues:

cmd/go: remote command execution during "go get -u"
The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.

cmd/go: directory traversal in "go get" via curly braces in import paths
The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.

crypto/x509: CPU denial of service in chain validation
The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
Thanks to Netflix for discovering and reporting this issue.

go 1.11.4 fixes issues, including regressions introduced by 1.11.3:

1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go
command, and the net/http and go/types packages.  It includes a fix to a bug
introduced in Go 1.11.3 that broke go get for import path patterns
containing "...".

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-16 12:17:47 +01:00
Yann E. MORIN
bcb8ef0fdc package: hide golang packages for toolchains with binutils bug 20006
Fixes:
    http://autobuild.buildroot.org/results/020/02039969b16534d4020ecd4574bae71b91c1e6b8/ (flannel)
    http://autobuild.buildroot.org/results/e95/e9528b06b350ef84c1e2cb59fba87b4db77b4660/ (docker-engine)
    [...]

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-29 21:22:45 +01:00
Christian Stewart
b869212d0c go: bump to v1.11.2
Bumps Golang host-go compiler to 1.11.2 release.

Add hash for LICENSE.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-11-08 21:02:06 +01:00
Christian Stewart
67190f7635 go: bump to v1.11.1
Bumps Golang host-go compiler to 1.11.1 release.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-10-31 10:25:35 +01:00
Christian Stewart
f99efd731c go: bump to v1.11
Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Anisse Astier <anisse@astier.eu>
Tested-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-13 20:49:41 +02:00
Anisse Astier
81815b85a2 go: security bump to version 1.10.2
This bump contains many bug fixes, as well as the following security
issue, patched in Go 1.10.1:

CVE-2018-7187: The "go get" implementation in Go 1.9.4, when the
-insecure command-line option is used, does not validate the import path
(get/vcs.go only checks for "://" anywhere in the string), which allows
remote attackers to execute arbitrary OS commands via a crafted web
site.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-11 23:10:27 +02:00
Anisse Astier
486334dd81 go: honor building with V=1 for debugging purposes
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-11 23:05:32 +02:00
Anisse Astier
72c2992563 go: cleanup cross-compilation support
Now that we fixed cross-compilation in the go package, cleanup the build
to remove the workaround added in 60c5c96ae1
"package/go: Build host tools with host CC". We only need a single pass
to build the go toolchain.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-11 23:05:30 +02:00