2024-10-03 17:15:04 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Packaging improvements:
|
|
|
|
|
* Use %patch -P N instead of deprecated %patchN
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 6 22:28:04 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Packaging improvements:
|
|
|
|
|
* boo#1219988 ensure VERSION file is present in GOROOT
|
|
|
|
|
as required by go tool dist and go tool distpack
|
|
|
|
|
|
2024-05-03 13:07:09 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 6 18:22:28 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.14 (released 2024-02-06) includes fixes to the crypto/x509
|
|
|
|
|
package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
* go#64760 staticlockranking builders failing on release branches on LUCI
|
|
|
|
|
* go#65322 crypto: rollback BoringCrypto fips-20220613 update
|
|
|
|
|
* go#65379 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 9 18:40:15 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.13 (released 2024-01-09) includes fixes to the runtime and
|
|
|
|
|
the crypto/tls package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
* go#63910 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
|
|
|
|
|
* go#64409 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
|
|
|
|
|
* go#64718 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 5 19:03:51 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.12 (released 2023-12-05) includes security fixes to the go
|
|
|
|
|
command, and the net/http and path/filepath packages, as well as
|
|
|
|
|
bug fixes to the compiler and the go command.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
|
|
|
|
|
* go#63972 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
|
|
|
|
|
* go#64040 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
|
|
|
|
|
* go#64434 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
|
|
|
|
|
* go#63983 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
|
|
|
|
|
* go#63988 cmd/go: TestScript/mod_get_direct fails with "Filename too long" on Windows
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Nov 7 19:29:09 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.11 (released 2023-11-07) includes security fixes to the
|
|
|
|
|
path/filepath package, as well as bug fixes to the linker and the
|
|
|
|
|
net/http package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-45283 CVE-2023-45284
|
|
|
|
|
* go#63714 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
|
|
|
|
|
* go#63316 cmd/link: split text sections for arm 32-bit
|
|
|
|
|
* go#63740 net/http: http2 page fails on firefox/safari if pushing resources
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 10 18:27:08 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.10 (released 2023-10-10) includes a security fix to the
|
|
|
|
|
net/http package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-39325 CVE-2023-44487
|
|
|
|
|
* go#63426 go#63417 boo#1216109 security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 5 20:28:19 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.9 (released 2023-10-05) includes one security fixes to the
|
|
|
|
|
cmd/go package, as well as bug fixes to the go command and the
|
|
|
|
|
linker.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-39323
|
|
|
|
|
* go#63213 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build
|
|
|
|
|
* go#62597 cmd/link: issues with Apple's new linker in Xcode 15 beta
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 6 15:08:50 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.8 (released 2023-09-06) includes two security fixes to the
|
|
|
|
|
html/template package, as well as bug fixes to the compiler, the
|
|
|
|
|
go command, the runtime, and the crypto/tls, go/types, net/http,
|
|
|
|
|
and path/filepath packages.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-39318 CVE-2023-39319
|
|
|
|
|
* go#62395 go#62196 boo#1215084 security: fix CVE-2023-39318 html/template: improper handling of HTML-like comments within script contexts
|
|
|
|
|
* go#62397 go#62197 boo#1215085 security: fix CVE-2023-39319 html/template: improper handling of special tags within script contexts
|
|
|
|
|
* go#61198 cmd/go: extended forwards compatibility for Go
|
|
|
|
|
* go#61744 go/types: interface.Complete panics for interfaces with duplicate methods
|
|
|
|
|
* go#61826 net/http: go 1.20.6 host validation breaks setting Host to a unix socket address
|
|
|
|
|
* go#61867 path/filepath: Clean on some invalid Windows paths can lose .. components
|
|
|
|
|
* go#61873 cmd/go: using a module path without dot fails to build after toolchain selection
|
|
|
|
|
* go#61966 crypto/tls: add GODEBUG to control max RSA key size
|
|
|
|
|
* go#62018 runtime: execution halts with goroutines stuck in runtime.gopark (protocol error E08 during memory read for packet)
|
|
|
|
|
* go#62056 cmd/compile: internal compiler error: 'F': func F, startMem[b1] has different values
|
|
|
|
|
* go#62070 cmd/api: make non-importable
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 5 19:12:05 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Add missing directory pprof html asset directory to package.
|
|
|
|
|
Refs boo#1215090
|
|
|
|
|
* src/cmd/vendor/github.com/google/pprof/internal/driver/html/
|
|
|
|
|
dir containing html assets is present in upstream Go
|
|
|
|
|
distribution but missing from SUSE go1.x packages
|
|
|
|
|
* Go programs importing runtime/pprof may fail with error:
|
|
|
|
|
/usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
|
|
|
|
|
pattern html: no matching files found
|
|
|
|
|
* Reformat adjacent commment in spec file
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 1 20:35:02 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.7 (released 2023-08-01) includes a security fix to the
|
|
|
|
|
crypto/tls package, as well as bug fixes to the assembler and the
|
|
|
|
|
compiler.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-29409
|
|
|
|
|
* go#61580 go#61460 boo#1213880 security: fix CVE-2023-29409 crypto/tls: restrict RSA keys in certificates to <= 8192 bits
|
|
|
|
|
* go#61320 cmd/compile: ppc64le: sign extension issue in go 1.21rc2
|
|
|
|
|
* go#61449 net: TestInterfaceArrivalAndDepartureZoneCache is broken on linux-arm64
|
|
|
|
|
* go#61471 cmd/compile: failed to make Go on riscv64 CPU with numa
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 11 17:50:52 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.6 (released 2023-07-11) includes a security fix to the
|
|
|
|
|
net/http package, as well as bug fixes to the compiler, cgo, the
|
|
|
|
|
cover tool, the go command, the runtime, and the crypto/ecdsa,
|
|
|
|
|
go/build, go/printer, net/mail, and text/template packages.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-29406
|
|
|
|
|
* go#61076 go#60374 boo#1213229 security: fix CVE-2023-29406 net/http: insufficient sanitization of Host header
|
|
|
|
|
* go#60352 cmd/go: go mod tidy introduces ambiguous imports in pruned modules
|
|
|
|
|
* go#60535 runtime: TLS slot index over 64 and crash
|
|
|
|
|
* go#60675 cmd/compile: internal compiler error: out of range for go.shape.int64
|
|
|
|
|
* go#60698 cmd/go: go list fails with submodules which have test-only dependencies
|
|
|
|
|
* go#60744 crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
|
|
|
|
|
* go#60754 cmd/go: panic: LoadImport called with empty package path when listing GOROOT/test/*.go
|
|
|
|
|
* go#60760 runtime: checkdead fires due to suspected race in the Go runtime when GOMAXPROCS=1 on AWS
|
|
|
|
|
* go#60802 text/template: key/value assignment is reversed within range loop
|
|
|
|
|
* go#60845 runtime: SIGSEGV in race + coverage mode
|
|
|
|
|
* go#60849 cmd/go: go test deadlocked without enforcing timeouts when killed with ^C
|
|
|
|
|
* go#60874 net/mail: mail.ReadMessage in 1.20 cannot parse mbox headers
|
|
|
|
|
* go#60875 net/mail: characters allowed in RFC 5322 are invalid while parsing email header
|
|
|
|
|
* go#60927 x/tools/go/analysis/unitchecker: TestVetStdlib failures
|
|
|
|
|
* go#60947 crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI
|
|
|
|
|
* go#60949 runtime: goroutines that stop after calling runtime.RaceDisable break race detector
|
|
|
|
|
* go#61055 runtime: TestWindowsStackMemory flakes on windows-386-2016
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 6 19:13:57 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.5 (released 2023-06-06) includes four security fixes to
|
|
|
|
|
the cmd/go and runtime packages, as well as bug fixes to the
|
|
|
|
|
compiler, the go command, the runtime, and the crypto/rsa, net,
|
|
|
|
|
and os packages.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405
|
|
|
|
|
* go#60516 go#60167 boo#1212073 security: fix CVE-2023-29402 cmd/go: cgo code injection
|
|
|
|
|
* go#60518 go#60272 boo#1212074 security: fix CVE-2023-29403 runtime: unexpected behavior of setuid/setgid binaries
|
|
|
|
|
* go#60512 go#60305 boo#1212075 security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS
|
|
|
|
|
* go#60514 go#60306 boo#1212076 security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS
|
|
|
|
|
* go#58927 crypto/rsa: 4096 bit keys are not generated with BoringCrypto
|
|
|
|
|
* go#59975 cmd/compile: multiple memories live at block start
|
|
|
|
|
* go#60001 cmd/go: missing checksums for dependencies of go get arguments and tests of external dependencies
|
|
|
|
|
* go#60217 os: Read of a device driver fails only with Go 1.20
|
|
|
|
|
* go#60458 cmd/go: document GOROOT/bin/go PATH entry for go test and go generate
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 2 17:24:29 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.4 (released 2023-05-02) includes three security fixes to
|
|
|
|
|
the html/template package, as well as bug fixes to the compiler,
|
|
|
|
|
the runtime, and the crypto/subtle, crypto/tls, net/http, and
|
|
|
|
|
syscall packages.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-29400 CVE-2023-24540 CVE-2023-24539
|
|
|
|
|
* go#59812 go#59720 boo#1211029 security: fix CVE-2023-24539 html/template: improper sanitization of CSS values
|
|
|
|
|
* go#59814 go#59721 boo#1211030 security: fix CVE-2023-24540 html/template: improper handling of JavaScript whitespace
|
|
|
|
|
* go#59816 go#59722 boo#1211031 security: fix CVE-2023-29400 html/template: improper handling of empty HTML attributes
|
|
|
|
|
* go#59064 runtime: automatically bump RLIMIT_NOFILE on Unix
|
|
|
|
|
* go#59336 crypto/subtle: xor fails when run with race+purego
|
|
|
|
|
* go#59374 cmd/compile: encoding/binary.PutUint16 sometimes doesn't write
|
|
|
|
|
* go#59450 cmd/compile: internal compiler error: cannot call SetType(go.shape.int) on v (type int)
|
|
|
|
|
* go#59468 cmd/compile: miscompilation in star-tex.org/x/cmd/star-tex
|
|
|
|
|
* go#59469 net/http: FileServer no longer serves content for POST
|
|
|
|
|
* go#59540 crypto/tls: TLSv1.3 connection fails with invalid PSK binder
|
|
|
|
|
* go#59580 cmd/compile: incorrect inline function variable
|
|
|
|
|
* go#59585 cmd/compile: Unified IR exports table is binary unstable in presence of generics
|
|
|
|
|
* go#59637 go/internal/gcimporter: lookupGorootExport should use the go command from build.Default.GOROOT
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 2 17:08:49 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Packaging revert go1.x Suggests go1.x-race boo#1210963
|
|
|
|
|
* Upstream go binary distributions do include race detector .syso
|
|
|
|
|
* Default Recommends for subpackages is best suited in this case
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 28 23:47:22 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Packaging improvements:
|
|
|
|
|
* Re-enable binary stripping and debuginfo boo#1210938
|
|
|
|
|
* go1.x Suggests go1.x-race do not install by default boo#1210963
|
|
|
|
|
* Use Group: Development/Languages/Go instead of Other
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 4 20:42:31 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.3 (released 2023-04-04) includes security fixes to the
|
|
|
|
|
go/parser, html/template, mime/multipart, net/http, and
|
|
|
|
|
net/textproto packages, as well as bug fixes to the compiler, the
|
|
|
|
|
linker, the runtime, and the time package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
|
|
|
|
|
* go#59268 go#58975 boo#1210127 security: fix CVE-2023-24534 net/http, net/textproto: denial of service from excessive memory allocation
|
|
|
|
|
* go#59270 go#59153 boo#1210128 security: fix CVE-2023-24536 net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
|
|
|
|
|
* go#59274 go#59180 boo#1210129 security: fix CVE-2023-24537 go/parser: infinite loop in parsing
|
|
|
|
|
* go#59272 go#59234 boo#1210130 security: fix CVE-2023-24538 html/template: backticks not treated as string delimiters
|
|
|
|
|
* go#58920 x/text: building as a plugin failure on darwin/arm64
|
|
|
|
|
* go#58938 cmd/go: timeout on darwin-amd64-race builder
|
|
|
|
|
* go#58942 internal/testpty: fails on some Linux machines due to incorrect error handling
|
|
|
|
|
* go#58954 cmd/link: Incorrect symbol linked in darwin/arm64
|
|
|
|
|
* go#59051 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
|
|
|
|
|
* go#59059 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
|
|
|
|
|
* go#59075 time: time zone lookup using extend string makes wrong start time for non-DST zones
|
|
|
|
|
* go#59220 runtime: crash on linux-ppc64le
|
|
|
|
|
* go#59236 cmd/compile: crypto/elliptic build error under -linkshared mode
|
|
|
|
|
* go#59296 cmd/compile: unsafe.SliceData incoherent resuilt with nil argument
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 4 16:59:57 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Build subpackage go1.x-libstd compiled shared object libstd.so
|
|
|
|
|
only on Tumbleweed at this time.
|
|
|
|
|
Refs jsc#PED-1962
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 9 20:39:23 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- Add subpackage go1.x-libstd for compiled shared object libstd.so.
|
|
|
|
|
Refs jsc#PED-1962
|
|
|
|
|
* Main go1.x package included libstd.so in previous versions
|
|
|
|
|
* Split libstd.so into subpackage that can be installed standalone
|
|
|
|
|
* Continues the slimming down of main go1.x package by 40 Mb
|
|
|
|
|
* Experimental and not recommended for general use, Go currently has no ABI
|
|
|
|
|
* Upstream Go has not committed to support buildmode=shared long-term
|
|
|
|
|
* Do not use in packaging, build static single binaries (the default)
|
|
|
|
|
* Upstream Go go1.x binary releases do not include libstd.so
|
|
|
|
|
* go1.x Suggests go1.x-libstd so not installed by default Recommends
|
|
|
|
|
* go1.x-libstd does not Require: go1.x so can install standalone
|
|
|
|
|
* Provides go-libstd unversioned package name
|
|
|
|
|
* Fix build step -buildmode=shared std to omit -linkshared
|
|
|
|
|
- Packaging improvements:
|
|
|
|
|
* go1.x Suggests go1.x-doc so not installed by default Recommends
|
|
|
|
|
* Use Group: Development/Languages/Go instead of Other
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 7 18:03:10 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.2 (released 2023-03-07) includes a security fix to the
|
|
|
|
|
crypto/elliptic package, as well as bug fixes to the compiler,
|
|
|
|
|
the covdata command, the linker, the runtime, and the
|
|
|
|
|
crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2023-24532
|
|
|
|
|
* go#58720 go#58647 boo#1209030 security: fix CVE-2023-24532 crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
|
|
|
|
|
* go#58427 cmd/covdata: short read on string table when merging coverage counters
|
|
|
|
|
* go#58442 runtime: some linkname signatures do not match
|
|
|
|
|
* go#58444 cmd/compile: inline static init cause compile time error
|
|
|
|
|
* go#58467 cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry
|
|
|
|
|
* go#58498 crypto/ecdh: ECDH method doesn't check curve
|
|
|
|
|
* go#58503 cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
|
|
|
|
|
* go#58505 crypto/internal/bigmod: flag amd64 assembly as noescape
|
|
|
|
|
* go#58531 runtime: endless traceback when panic in generics funtion
|
|
|
|
|
* go#58536 runtime: long latency of sweep assists
|
|
|
|
|
* go#58624 syscall.Faccessat and os.LookPath regression in Go 1.20
|
|
|
|
|
* go#58627 os: cmd/go gets error "copy_file_range: function not implemented"
|
|
|
|
|
* go#58717 net: TestTCPSelfConnect failures due to unexpected connections
|
|
|
|
|
* go#58774 syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
|
|
|
|
|
* go#58776 cmd/compile: ICE on method value involving imported anonymous interface
|
|
|
|
|
* go#58793 crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey
|
|
|
|
|
* go#58811 crypto/x509: TestSystemVerify consistently failing
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 17 07:26:36 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
|
|
- Improvements to go1.x packaging spec:
|
|
|
|
|
* On Tumbleweed bootstrap with current default gcc13 and gccgo118
|
|
|
|
|
* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
|
|
|
|
|
using go1.x package (%bcond_without gccgo). This is no longer
|
|
|
|
|
needed on current SLE-12:Update and removing will consolidate
|
|
|
|
|
the build configurations used.
|
|
|
|
|
* Change source URLs to go.dev as per Go upstream
|
|
|
|
|
* On x86_64 export GOAMD64=v1 as per the current baseline.
|
|
|
|
|
At this time forgo GOAMD64=v3 option for x86_64_v3 support.
|
|
|
|
|
* On x86_64 %define go_amd64=v1 as current instruction baseline
|
|
|
|
|
* In %check on x86_64 use value %go_amd64=v1 as GOAMD64=v1 to
|
|
|
|
|
grep correct TSAN version is checked out from LLVM with new
|
|
|
|
|
spelling for internal/amd64v1/race_linux.syso
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 14 18:28:32 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20.1 (released 2023-02-14) includes security fixes to the
|
|
|
|
|
crypto/tls, mime/multipart, net/http, and path/filepath packages,
|
|
|
|
|
as well as bug fixes to the compiler, the go command, the linker,
|
|
|
|
|
the runtime, and the time package.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
|
|
|
|
|
* go#57276 boo#1208269 security: fix CVE-2022-41722 path/filepath: path traversal in filepath.Clean on Windows
|
|
|
|
|
* go#58356 boo#1208270 security: fix CVE-2022-41723 net/http: avoid quadratic complexity in HPACK decoding
|
|
|
|
|
* go#58359 boo#1208271 security: fix CVE-2022-41724 crypto/tls: large handshake records may cause panics
|
|
|
|
|
* go#58363 boo#1208272 security: fix CVE-2022-41725 net/http, mime/multipart: denial of service from excessive resource consumption
|
|
|
|
|
* go#58117 time: update zoneinfo_abbrs on Windows
|
|
|
|
|
* go#58224 cmd/link: .go.buildinfo is gc'ed by --gc-sections
|
|
|
|
|
* go#58309 cmd/compile/internal/pgo: Detect sample value position instead of hard-coding
|
|
|
|
|
* go#58319 cmd/compile: constant overflows when assigned to package level var (Go 1.20 regression)
|
|
|
|
|
* go#58335 cmd/compile: internal compiler error: panic: interface conversion: ir.Node is *ir.CompLitExpr, not *ir.Name
|
|
|
|
|
* go#58413 cmd/compile: internal compiler error: Type.Elem UNION
|
|
|
|
|
* go#58419 runtime: GOOS=ios fails Apple's app validation due to use of private API
|
|
|
|
|
* go#58421 cmd/go/internal/test: stale flagdefs.go not detected by tests
|
|
|
|
|
* go#58431 all: test failures with ETXTBSY
|
|
|
|
|
* go#58450 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 1 20:18:59 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20 (released 2023-02-01) is a major release of Go.
|
|
|
|
|
go1.20.x minor releases will be provided through February 2024.
|
|
|
|
|
https://github.com/golang/go/wiki/Go-Release-Cycle
|
|
|
|
|
go1.20 arrives six months after go1.19. Most of its changes are
|
|
|
|
|
in the implementation of the toolchain, runtime, and libraries.
|
|
|
|
|
As always, the release maintains the Go 1 promise of
|
|
|
|
|
compatibility. We expect almost all Go programs to continue to
|
|
|
|
|
compile and run as before.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
Refs jsc#PED-1962
|
|
|
|
|
* Go 1.20 includes four changes to the language
|
|
|
|
|
* Language change: Go 1.17 added conversions from slice to an
|
|
|
|
|
array pointer. Go 1.20 extends this to allow conversions from a
|
|
|
|
|
slice to an array
|
|
|
|
|
* Language change: The unsafe package defines three new functions
|
|
|
|
|
SliceData, String, and StringData. Along with Go 1.17's Slice,
|
|
|
|
|
these functions now provide the complete ability to construct
|
|
|
|
|
and deconstruct slice and string values, without depending on
|
|
|
|
|
their exact representation.
|
|
|
|
|
* Language change: The specification now defines that struct
|
|
|
|
|
values are compared one field at a time, considering fields in
|
|
|
|
|
the order they appear in the struct type definition, and
|
|
|
|
|
stopping at the first mismatch. The specification could
|
|
|
|
|
previously have been read as if all fields needed to be
|
|
|
|
|
compared beyond the first mismatch. Similarly, the
|
|
|
|
|
specification now defines that array values are compared one
|
|
|
|
|
element at a time, in increasing index order. In both cases,
|
|
|
|
|
the difference affects whether certain comparisons must
|
|
|
|
|
panic. Existing programs are unchanged: the new spec wording
|
|
|
|
|
describes what the implementations have always done.
|
|
|
|
|
* Language change: Comparable types (such as ordinary interfaces)
|
|
|
|
|
may now satisfy comparable constraints, even if the type
|
|
|
|
|
arguments are not strictly comparable (comparison may panic at
|
|
|
|
|
runtime). This makes it possible to instantiate a type
|
|
|
|
|
parameter constrained by comparable (e.g., a type parameter for
|
|
|
|
|
a user-defined generic map key) with a non-strictly comparable
|
|
|
|
|
type argument such as an interface type, or a composite type
|
|
|
|
|
containing an interface type.
|
|
|
|
|
* go command: The directory $GOROOT/pkg no longer stores
|
|
|
|
|
pre-compiled package archives for the standard library: go
|
|
|
|
|
install no longer writes them, the go build no longer checks
|
|
|
|
|
for them, and the Go distribution no longer ships
|
|
|
|
|
them. Instead, packages in the standard library are built as
|
|
|
|
|
needed and cached in the build cache, just like packages
|
|
|
|
|
outside GOROOT. This change reduces the size of the Go
|
|
|
|
|
distribution and also avoids C toolchain skew for packages that
|
|
|
|
|
use cgo. Refs jsc#PED-1962
|
|
|
|
|
* go command: The implementation of go test -json has been
|
|
|
|
|
improved to make it more robust. Programs that run go test
|
|
|
|
|
-json do not need any updates. Programs that invoke go tool
|
|
|
|
|
test2json directly should now run the test binary with
|
|
|
|
|
-v=test2json (for example, go test -v=test2json or ./pkg.test
|
|
|
|
|
-test.v=test2json) instead of plain -v.
|
|
|
|
|
* go command: A related change to go test -json is the addition
|
|
|
|
|
of an event with Action set to start at the beginning of each
|
|
|
|
|
test program's execution. When running multiple tests using the
|
|
|
|
|
go command, these start events are guaranteed to be emitted in
|
|
|
|
|
the same order as the packages named on the command line.
|
|
|
|
|
* go command: The go command now defines architecture feature
|
|
|
|
|
build tags, such as amd64.v2, to allow selecting a package
|
|
|
|
|
implementation file based on the presence or absence of a
|
|
|
|
|
particular architecture feature. See go help buildconstraint
|
|
|
|
|
for details.
|
|
|
|
|
* go command: The go subcommands now accept -C <dir> to change
|
|
|
|
|
directory to <dir> before performing the command, which may be
|
|
|
|
|
useful for scripts that need to execute commands in multiple
|
|
|
|
|
different modules.
|
|
|
|
|
* go command: The go build and go test commands no longer accept
|
|
|
|
|
the -i flag, which has been deprecated since Go 1.16.
|
|
|
|
|
* go command: The go generate command now accepts -skip <pattern>
|
|
|
|
|
to skip //go:generate directives matching <pattern>.
|
|
|
|
|
* go command: The go test command now accepts -skip <pattern> to
|
|
|
|
|
skip tests, subtests, or examples matching <pattern>.
|
|
|
|
|
* go command: When the main module is located within GOPATH/src,
|
|
|
|
|
go install no longer installs libraries for non-main packages
|
|
|
|
|
to GOPATH/pkg, and go list no longer reports a Target field for
|
|
|
|
|
such packages. (In module mode, compiled packages are stored in
|
|
|
|
|
the build cache only, but a bug had caused the GOPATH install
|
|
|
|
|
targets to unexpectedly remain in effect.)
|
|
|
|
|
* go command: The go build, go install, and other build-related
|
|
|
|
|
commands now support a -pgo flag that enables profile-guided
|
|
|
|
|
optimization, which is described in more detail in the Compiler
|
|
|
|
|
section below. The -pgo flag specifies the file path of the
|
|
|
|
|
profile. Specifying -pgo=auto causes the go command to search
|
|
|
|
|
for a file named default.pgo in the main package's directory
|
|
|
|
|
and use it if present. This mode currently requires a single
|
|
|
|
|
main package to be specified on the command line, but we plan
|
|
|
|
|
to lift this restriction in a future release. Specifying
|
|
|
|
|
-pgo=off turns off profile-guided optimization.
|
|
|
|
|
* go command: The go build, go install, and other build-related
|
|
|
|
|
commands now support a -cover flag that builds the specified
|
|
|
|
|
target with code coverage instrumentation. This is described in
|
|
|
|
|
more detail in the Cover section below.
|
|
|
|
|
* go version: The go version -m command now supports reading more
|
|
|
|
|
types of Go binaries, most notably, Windows DLLs built with go
|
|
|
|
|
build -buildmode=c-shared and Linux binaries without execute
|
|
|
|
|
permission.
|
|
|
|
|
* Cgo: The go command now disables cgo by default on systems
|
|
|
|
|
without a C toolchain. More specifically, when the CGO_ENABLED
|
|
|
|
|
environment variable is unset, the CC environment variable is
|
|
|
|
|
unset, and the default C compiler (typically clang or gcc) is
|
|
|
|
|
not found in the path, CGO_ENABLED defaults to 0. As always,
|
|
|
|
|
you can override the default by setting CGO_ENABLED explicitly.
|
|
|
|
|
The most important effect of the default change is that when Go
|
|
|
|
|
is installed on a system without a C compiler, it will now use
|
|
|
|
|
pure Go builds for packages in the standard library that use
|
|
|
|
|
cgo, instead of using pre-distributed package archives (which
|
|
|
|
|
have been removed, as noted above) or attempting to use cgo and
|
|
|
|
|
failing. This makes Go work better in some minimal container
|
|
|
|
|
environments as well as on macOS, where pre-distributed package
|
|
|
|
|
archives have not been used for cgo-based packages since Go
|
|
|
|
|
1.16.
|
|
|
|
|
The packages in the standard library that use cgo are net,
|
|
|
|
|
os/user, and plugin. On macOS, the net and os/user packages
|
|
|
|
|
have been rewritten not to use cgo: the same code is now used
|
|
|
|
|
for cgo and non-cgo builds as well as cross-compiled builds. On
|
|
|
|
|
Windows, the net and os/user packages have never used cgo. On
|
|
|
|
|
other systems, builds with cgo disabled will use a pure Go
|
|
|
|
|
version of these packages.
|
|
|
|
|
On macOS, the race detector has been rewritten not to use cgo:
|
|
|
|
|
race-detector-enabled programs can be built and run without
|
|
|
|
|
Xcode. On Linux and other Unix systems, and on Windows, a host
|
|
|
|
|
C toolchain is required to use the race detector.
|
|
|
|
|
* go cover: Go 1.20 supports collecting code coverage profiles
|
|
|
|
|
for programs (applications and integration tests), as opposed
|
|
|
|
|
to just unit tests. To collect coverage data for a program,
|
|
|
|
|
build it with go build's -cover flag, then run the resulting
|
|
|
|
|
binary with the environment variable GOCOVERDIR set to an
|
|
|
|
|
output directory for coverage profiles. See the 'coverage for
|
|
|
|
|
integration tests' landing page for more on how to get
|
|
|
|
|
started. For details on the design and implementation, see the
|
|
|
|
|
proposal.
|
|
|
|
|
* go vet: Improved detection of loop variable capture by nested
|
|
|
|
|
functions. The vet tool now reports references to loop
|
|
|
|
|
variables following a call to T.Parallel() within subtest
|
|
|
|
|
function bodies. Such references may observe the value of the
|
|
|
|
|
variable from a different iteration (typically causing test
|
|
|
|
|
cases to be skipped) or an invalid state due to unsynchronized
|
|
|
|
|
concurrent access.
|
|
|
|
|
* go vet: The tool also detects reference mistakes in more
|
|
|
|
|
places. Previously it would only consider the last statement
|
|
|
|
|
of the loop body, but now it recursively inspects the last
|
|
|
|
|
statements within if, switch, and select statements.
|
|
|
|
|
* go vet: New diagnostic for incorrect time formats. The vet tool
|
|
|
|
|
now reports use of the time format 2006-02-01 (yyyy-dd-mm) with
|
|
|
|
|
Time.Format and time.Parse. This format does not appear in
|
|
|
|
|
common date standards, but is frequently used by mistake when
|
|
|
|
|
attempting to use the ISO 8601 date format (yyyy-mm-dd).
|
|
|
|
|
* Runtime: Some of the garbage collector's internal data
|
|
|
|
|
structures were reorganized to be both more space and CPU
|
|
|
|
|
efficient. This change reduces memory overheads and improves
|
|
|
|
|
overall CPU performance by up to 2%.
|
|
|
|
|
* Runtime: The garbage collector behaves less erratically with
|
|
|
|
|
respect to goroutine assists in some circumstances.
|
|
|
|
|
* Runtime: Go 1.20 adds a new runtime/coverage package containing
|
|
|
|
|
APIs for writing coverage profile data at runtime from
|
|
|
|
|
long-running and/or server programs that do not terminate via
|
|
|
|
|
os.Exit().
|
|
|
|
|
* Compiler: Go 1.20 adds preview support for profile-guided
|
|
|
|
|
optimization (PGO). PGO enables the toolchain to perform
|
|
|
|
|
application- and workload-specific optimizations based on
|
|
|
|
|
run-time profile information. Currently, the compiler supports
|
|
|
|
|
pprof CPU profiles, which can be collected through usual means,
|
|
|
|
|
such as the runtime/pprof or net/http/pprof packages. To enable
|
|
|
|
|
PGO, pass the path of a pprof profile file via the -pgo flag to
|
|
|
|
|
go build, as mentioned above. Go 1.20 uses PGO to more
|
|
|
|
|
aggressively inline functions at hot call sites. Benchmarks for
|
|
|
|
|
a representative set of Go programs show enabling
|
|
|
|
|
profile-guided inlining optimization improves performance about
|
|
|
|
|
3–4%. See the PGO user guide for detailed documentation. We
|
|
|
|
|
plan to add more profile-guided optimizations in future
|
|
|
|
|
releases. Note that profile-guided optimization is a preview,
|
|
|
|
|
so please use it with appropriate caution.
|
|
|
|
|
* Compiler: The Go 1.20 compiler upgraded its front-end to use a
|
|
|
|
|
new way of handling the compiler's internal data, which fixes
|
|
|
|
|
several generic-types issues and enables type declarations
|
|
|
|
|
within generic functions and methods.
|
|
|
|
|
* Compiler: The compiler now rejects anonymous interface cycles
|
|
|
|
|
with a compiler error by default. These arise from tricky uses
|
|
|
|
|
of embedded interfaces and have always had subtle correctness
|
|
|
|
|
issues, yet we have no evidence that they're actually used in
|
|
|
|
|
practice. Assuming no reports from users adversely affected by
|
|
|
|
|
this change, we plan to update the language specification for
|
|
|
|
|
Go 1.22 to formally disallow them so tools authors can stop
|
|
|
|
|
supporting them too.
|
|
|
|
|
* Compiler: Go 1.18 and 1.19 saw regressions in build speed,
|
|
|
|
|
largely due to the addition of support for generics and
|
|
|
|
|
follow-on work. Go 1.20 improves build speeds by up to 10%,
|
|
|
|
|
bringing it back in line with Go 1.17. Relative to Go 1.19,
|
|
|
|
|
generated code performance is also generally slightly improved.
|
|
|
|
|
* Linker: On Linux, the linker now selects the dynamic
|
|
|
|
|
interpreter for glibc or musl at link time.
|
|
|
|
|
* Linker: On Windows, the Go linker now supports modern
|
|
|
|
|
LLVM-based C toolchains.
|
|
|
|
|
* Linker: Go 1.20 uses go: and type: prefixes for
|
|
|
|
|
compiler-generated symbols rather than go. and type.. This
|
|
|
|
|
avoids confusion for user packages whose name starts with
|
|
|
|
|
go.. The debug/gosym package understands this new naming
|
|
|
|
|
convention for binaries built with Go 1.20 and newer.
|
|
|
|
|
* Bootstrap: When building a Go release from source and
|
|
|
|
|
GOROOT_BOOTSTRAP is not set, previous versions of Go looked for
|
|
|
|
|
a Go 1.4 or later bootstrap toolchain in the directory
|
|
|
|
|
$HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go 1.18
|
|
|
|
|
and Go 1.19 looked first for $HOME/go1.17 or $HOME/sdk/go1.17
|
|
|
|
|
before falling back to $HOME/go1.4, in anticipation of
|
|
|
|
|
requiring Go 1.17 for use when bootstrapping Go 1.20. Go 1.20
|
|
|
|
|
does require a Go 1.17 release for bootstrapping, but we
|
|
|
|
|
realized that we should adopt the latest point release of the
|
|
|
|
|
bootstrap toolchain, so it requires Go 1.17.13. Go 1.20 looks
|
|
|
|
|
for $HOME/go1.17.13 or $HOME/sdk/go1.17.13 before falling back
|
|
|
|
|
to $HOME/go1.4 (to support systems that hard-coded the path
|
|
|
|
|
$HOME/go1.4 but have installed a newer Go toolchain there). In
|
|
|
|
|
the future, we plan to move the bootstrap toolchain forward
|
|
|
|
|
approximately once a year, and in particular we expect that Go
|
|
|
|
|
1.22 will require the final point release of Go 1.20 for
|
|
|
|
|
bootstrap.
|
|
|
|
|
* Library: Go 1.20 adds a new crypto/ecdh package to provide
|
|
|
|
|
explicit support for Elliptic Curve Diffie-Hellman key
|
|
|
|
|
exchanges over NIST curves and Curve25519. Programs should use
|
|
|
|
|
crypto/ecdh instead of the lower-level functionality in
|
|
|
|
|
crypto/elliptic for ECDH, and third-party modules for more
|
|
|
|
|
advanced use cases.
|
|
|
|
|
* Error handling: Go 1.20 expands support for error wrapping to
|
|
|
|
|
permit an error to wrap multiple other errors.
|
|
|
|
|
* Error handling: An error e can wrap more than one error by
|
|
|
|
|
providing an Unwrap method that returns a []error.
|
|
|
|
|
* Error handling: The errors.Is and errors.As functions have been
|
|
|
|
|
updated to inspect multiply wrapped errors.
|
|
|
|
|
* Error handling: The fmt.Errorf function now supports multiple
|
|
|
|
|
occurrences of the %w format verb, which will cause it to
|
|
|
|
|
return an error that wraps all of those error operands.
|
|
|
|
|
* Error handling: The new function errors.Join returns an error
|
|
|
|
|
wrapping a list of errors.
|
|
|
|
|
* HTTP ResponseController: The new "net/http".ResponseController
|
|
|
|
|
type provides access to extended per-request functionality not
|
|
|
|
|
handled by the "net/http".ResponseWriter interface. The
|
|
|
|
|
ResponseController type provides a clearer, more discoverable
|
|
|
|
|
way to add per-handler controls. Two such controls also added
|
|
|
|
|
in Go 1.20 are SetReadDeadline and SetWriteDeadline, which
|
|
|
|
|
allow setting per-request read and write deadlines.
|
|
|
|
|
* New ReverseProxy Rewrite hook: The httputil.ReverseProxy
|
|
|
|
|
forwarding proxy includes a new Rewrite hook function,
|
|
|
|
|
superseding the previous Director hook.
|
|
|
|
|
* archive/tar: When the GODEBUG=tarinsecurepath=0 environment
|
|
|
|
|
variable is set, Reader.Next method will now return the error
|
|
|
|
|
ErrInsecurePath for an entry with a file name that is an
|
|
|
|
|
absolute path, refers to a location outside the current
|
|
|
|
|
directory, contains invalid characters, or (on Windows) is a
|
|
|
|
|
reserved name such as NUL. A future version of Go may disable
|
|
|
|
|
insecure paths by default.
|
|
|
|
|
* archive/zip: When the GODEBUG=zipinsecurepath=0 environment
|
|
|
|
|
variable is set, NewReader will now return the error
|
|
|
|
|
ErrInsecurePath when opening an archive which contains any file
|
|
|
|
|
name that is an absolute path, refers to a location outside the
|
|
|
|
|
current directory, contains invalid characters, or (on Windows)
|
|
|
|
|
is a reserved names such as NUL. A future version of Go may
|
|
|
|
|
disable insecure paths by default.
|
|
|
|
|
* archive/zip: Reading from a directory file that contains file
|
|
|
|
|
data will now return an error. The zip specification does not
|
|
|
|
|
permit directory files to contain file data, so this change
|
|
|
|
|
only affects reading from invalid archives.
|
|
|
|
|
* bytes: The new CutPrefix and CutSuffix functions are like
|
|
|
|
|
TrimPrefix and TrimSuffix but also report whether the string
|
|
|
|
|
was trimmed.
|
|
|
|
|
* bytes: The new Clone function allocates a copy of a byte slice.
|
|
|
|
|
* context: The new WithCancelCause function provides a way to
|
|
|
|
|
cancel a context with a given error. That error can be
|
|
|
|
|
retrieved by calling the new Cause function.
|
|
|
|
|
* crypto/ecdsa: When using supported curves, all operations are
|
|
|
|
|
now implemented in constant time. This led to an increase in
|
|
|
|
|
CPU time between 5% and 30%, mostly affecting P-384 and P-521.
|
|
|
|
|
* crypto/ecdsa: The new PrivateKey.ECDH method converts an
|
|
|
|
|
ecdsa.PrivateKey to an ecdh.PrivateKey.
|
|
|
|
|
* crypto/ed25519: The PrivateKey.Sign method and the
|
|
|
|
|
VerifyWithOptions function now support signing pre-hashed
|
|
|
|
|
messages with Ed25519ph, indicated by an Options.HashFunc that
|
|
|
|
|
returns crypto.SHA512. They also now support Ed25519ctx and
|
|
|
|
|
Ed25519ph with context, indicated by setting the new
|
|
|
|
|
Options.Context field.
|
|
|
|
|
* crypto/rsa: The new field OAEPOptions.MGFHash allows
|
|
|
|
|
configuring the MGF1 hash separately for OAEP decryption.
|
|
|
|
|
* crypto/rsa: crypto/rsa now uses a new, safer, constant-time
|
|
|
|
|
backend. This causes a CPU runtime increase for decryption
|
|
|
|
|
operations between approximately 15% (RSA-2048 on amd64) and
|
|
|
|
|
45% (RSA-4096 on arm64), and more on 32-bit
|
|
|
|
|
architectures. Encryption operations are approximately 20x
|
|
|
|
|
slower than before (but still 5-10x faster than
|
|
|
|
|
decryption). Performance is expected to improve in future
|
|
|
|
|
releases. Programs must not modify or manually generate the
|
|
|
|
|
fields of PrecomputedValues.
|
|
|
|
|
* crypto/subtle: The new function XORBytes XORs two byte slices
|
|
|
|
|
together.
|
|
|
|
|
* crypto/tls: Parsed certificates are now shared across all
|
|
|
|
|
clients actively using that certificate. The memory savings can
|
|
|
|
|
be significant in programs that make many concurrent
|
|
|
|
|
connections to a server or collection of servers sharing any
|
|
|
|
|
part of their certificate chains.
|
|
|
|
|
* crypto/tls: For a handshake failure due to a certificate
|
|
|
|
|
verification failure, the TLS client and server now return an
|
|
|
|
|
error of the new type CertificateVerificationError, which
|
|
|
|
|
includes the presented certificates.
|
|
|
|
|
* crypto/x509: ParsePKCS8PrivateKey and MarshalPKCS8PrivateKey
|
|
|
|
|
now support keys of type *crypto/ecdh.PrivateKey.
|
|
|
|
|
ParsePKIXPublicKey and MarshalPKIXPublicKey now support keys of
|
|
|
|
|
type *crypto/ecdh.PublicKey. Parsing NIST curve keys still
|
|
|
|
|
returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey.
|
|
|
|
|
Use their new ECDH methods to convert to the crypto/ecdh types.
|
|
|
|
|
* crypto/x509: The new SetFallbackRoots function allows a program
|
|
|
|
|
to define a set of fallback root certificates in case an
|
|
|
|
|
operating system verifier or standard platform root bundle is
|
|
|
|
|
unavailable at runtime. It will most commonly be used with a
|
|
|
|
|
new package, golang.org/x/crypto/x509roots/fallback, which will
|
|
|
|
|
provide an up to date root bundle.
|
|
|
|
|
* debug/elf: Attempts to read from a SHT_NOBITS section using
|
|
|
|
|
Section.Data or the reader returned by Section.Open now return
|
|
|
|
|
an error.
|
|
|
|
|
* debug/elf: Additional R_LARCH_* constants are defined for use
|
|
|
|
|
with LoongArch systems.
|
|
|
|
|
* debug/elf: Additional R_PPC64_* constants are defined for use
|
|
|
|
|
with PPC64 ELFv2 relocations.
|
|
|
|
|
* debug/elf: The constant value for R_PPC64_SECTOFF_LO_DS is
|
|
|
|
|
corrected, from 61 to 62.
|
|
|
|
|
* debug/gosym: Due to a change of Go's symbol naming conventions,
|
|
|
|
|
tools that process Go binaries should use Go 1.20's debug/gosym
|
|
|
|
|
package to transparently handle both old and new binaries.
|
|
|
|
|
* debug/pe: Additional IMAGE_FILE_MACHINE_RISCV* constants are
|
|
|
|
|
defined for use with RISC-V systems.
|
|
|
|
|
* encoding/binary: The ReadVarint and ReadUvarint functions will
|
|
|
|
|
now return io.ErrUnexpectedEOF after reading a partial value,
|
|
|
|
|
rather than io.EOF.
|
|
|
|
|
* encoding/xml: The new Encoder.Close method can be used to check
|
|
|
|
|
for unclosed elements when finished encoding.
|
|
|
|
|
* encoding/xml: The decoder now rejects element and attribute
|
|
|
|
|
names with more than one colon, such as <a:b:c>, as well as
|
|
|
|
|
namespaces that resolve to an empty string, such as xmlns:a="".
|
|
|
|
|
* encoding/xml: The decoder now rejects elements that use
|
|
|
|
|
different namespace prefixes in the opening and closing tag,
|
|
|
|
|
even if those prefixes both denote the same namespace.
|
|
|
|
|
* errors: The new Join function returns an error wrapping a list
|
|
|
|
|
of errors.
|
|
|
|
|
* fmt: The Errorf function supports multiple occurrences of the
|
|
|
|
|
%w format verb, returning an error that unwraps to the list of
|
|
|
|
|
all arguments to %w.
|
|
|
|
|
* fmt: The new FormatString function recovers the formatting
|
|
|
|
|
directive corresponding to a State, which can be useful in
|
|
|
|
|
Formatter. implementations.
|
|
|
|
|
* go/ast: The new RangeStmt.Range field records the position of
|
|
|
|
|
the range keyword in a range statement.
|
|
|
|
|
* go/ast: The new File.FileStart and File.FileEnd fields record
|
|
|
|
|
the position of the start and end of the entire source file.
|
|
|
|
|
* go/token: The new FileSet.RemoveFile method removes a file from
|
|
|
|
|
a FileSet. Long-running programs can use this to release memory
|
|
|
|
|
associated with files they no longer need.
|
|
|
|
|
* go/types: The new Satisfies function reports whether a type
|
|
|
|
|
satisfies a constraint. This change aligns with the new
|
|
|
|
|
language semantics that distinguish satisfying a constraint
|
|
|
|
|
from implementing an interface.
|
|
|
|
|
* io: The new OffsetWriter wraps an underlying WriterAt and
|
|
|
|
|
provides Seek, Write, and WriteAt methods that adjust their
|
|
|
|
|
effective file offset position by a fixed amount.
|
|
|
|
|
* io/fs: The new error SkipAll terminates a WalkDir immediately
|
|
|
|
|
but successfully.
|
|
|
|
|
* math/big: The math/big package's wide scope and input-dependent
|
|
|
|
|
timing make it ill-suited for implementing cryptography. The
|
|
|
|
|
cryptography packages in the standard library no longer call
|
|
|
|
|
non-trivial Int methods on attacker-controlled inputs. In the
|
|
|
|
|
future, the determination of whether a bug in math/big is
|
|
|
|
|
considered a security vulnerability will depend on its wider
|
|
|
|
|
impact on the standard library.
|
|
|
|
|
* math/rand: The math/rand package now automatically seeds the
|
|
|
|
|
global random number generator (used by top-level functions
|
|
|
|
|
like Float64 and Int) with a random value, and the top-level
|
|
|
|
|
Seed function has been deprecated. Programs that need a
|
|
|
|
|
reproducible sequence of random numbers should prefer to
|
|
|
|
|
allocate their own random source, using
|
|
|
|
|
rand.New(rand.NewSource(seed)).
|
|
|
|
|
* math/rand: Programs that need the earlier consistent global
|
|
|
|
|
seeding behavior can set GODEBUG=randautoseed=0 in their
|
|
|
|
|
environment.
|
|
|
|
|
* math/rand: The top-level Read function has been deprecated. In
|
|
|
|
|
almost all cases, crypto/rand.Read is more appropriate.
|
|
|
|
|
* mime: The ParseMediaType function now allows duplicate
|
|
|
|
|
parameter names, so long as the values of the names are the
|
|
|
|
|
same.
|
|
|
|
|
* mime/multipart: Methods of the Reader type now wrap errors
|
|
|
|
|
returned by the underlying io.Reader.
|
|
|
|
|
* net: The LookupCNAME function now consistently returns the
|
|
|
|
|
contents of a CNAME record when one exists. Previously on Unix
|
|
|
|
|
systems and when using the pure Go resolver, LookupCNAME would
|
|
|
|
|
return an error if a CNAME record referred to a name that with
|
|
|
|
|
no A, AAAA, or CNAME record. This change modifies LookupCNAME
|
|
|
|
|
to match the previous behavior on Windows, allowing LookupCNAME
|
|
|
|
|
to succeed whenever a CNAME exists.
|
|
|
|
|
* net: Interface.Flags now includes the new flag FlagRunning,
|
|
|
|
|
indicating an operationally active interface. An interface
|
|
|
|
|
which is administratively configured but not active (for
|
|
|
|
|
example, because the network cable is not connected) will have
|
|
|
|
|
FlagUp set but not FlagRunning.
|
|
|
|
|
* net: The new Dialer.ControlContext field contains a callback
|
|
|
|
|
function similar to the existing Dialer.Control hook, that
|
|
|
|
|
additionally accepts the dial context as a parameter. Control
|
|
|
|
|
is ignored when ControlContext is not nil.
|
|
|
|
|
* net: The Go DNS resolver recognizes the trust-ad resolver
|
|
|
|
|
option. When options trust-ad is set in resolv.conf, the Go
|
|
|
|
|
resolver will set the AD bit in DNS queries. The resolver does
|
|
|
|
|
not make use of the AD bit in responses.
|
|
|
|
|
* net: DNS resolution will detect changes to /etc/nsswitch.conf
|
|
|
|
|
and reload the file when it changes. Checks are made at most
|
|
|
|
|
once every five seconds, matching the previous handling of
|
|
|
|
|
/etc/hosts and /etc/resolv.conf.
|
|
|
|
|
* net/http: The ResponseWriter.WriteHeader function now supports
|
|
|
|
|
sending 1xx status codes.
|
|
|
|
|
* net/http: The new Server.DisableGeneralOptionsHandler
|
|
|
|
|
configuration setting allows disabling the default OPTIONS *
|
|
|
|
|
handler.
|
|
|
|
|
* net/http: The new Transport.OnProxyConnectResponse hook is
|
|
|
|
|
called when a Transport receives an HTTP response from a proxy
|
|
|
|
|
for a CONNECT request.
|
|
|
|
|
* net/http: The HTTP server now accepts HEAD requests containing
|
|
|
|
|
a body, rather than rejecting them as invalid.
|
|
|
|
|
* net/http: HTTP/2 stream errors returned by net/http functions
|
|
|
|
|
may be converted to a golang.org/x/net/http2.StreamError using
|
|
|
|
|
errors.As.
|
|
|
|
|
* net/http: Leading and trailing spaces are trimmed from cookie
|
|
|
|
|
names, rather than being rejected as invalid. For example, a
|
|
|
|
|
cookie setting of "name =value" is now accepted as setting the
|
|
|
|
|
cookie "name".
|
|
|
|
|
* net/netip: The new IPv6LinkLocalAllRouters and IPv6Loopback
|
|
|
|
|
functions are the net/netip equivalents of net.IPv6loopback and
|
|
|
|
|
net.IPv6linklocalallrouters.
|
|
|
|
|
* os: On Windows, the name NUL is no longer treated as a special
|
|
|
|
|
case in Mkdir and Stat.
|
|
|
|
|
* os: On Windows, File.Stat now uses the file handle to retrieve
|
|
|
|
|
attributes when the file is a directory. Previously it would
|
|
|
|
|
use the path passed to Open, which may no longer be the file
|
|
|
|
|
represented by the file handle if the file has been moved or
|
|
|
|
|
replaced. This change modifies Open to open directories without
|
|
|
|
|
the FILE_SHARE_DELETE access, which match the behavior of
|
|
|
|
|
regular files.
|
|
|
|
|
* os: On Windows, File.Seek now supports seeking to the beginning
|
|
|
|
|
of a directory.
|
|
|
|
|
* os/exec: The new Cmd fields Cancel and WaitDelay specify the
|
|
|
|
|
behavior of the Cmd when its associated Context is canceled or
|
|
|
|
|
its process exits with I/O pipes still held open by a child
|
|
|
|
|
process.
|
|
|
|
|
* path/filepath: The new error SkipAll terminates a Walk
|
|
|
|
|
immediately but successfully.
|
|
|
|
|
* path/filepath: The new IsLocal function reports whether a path
|
|
|
|
|
is lexically local to a directory. For example, if IsLocal(p)
|
|
|
|
|
is true, then Open(p) will refer to a file that is lexically
|
|
|
|
|
within the subtree rooted at the current directory.
|
|
|
|
|
* reflect: The new Value.Comparable and Value.Equal methods can
|
|
|
|
|
be used to compare two Values for equality. Comparable reports
|
|
|
|
|
whether Equal is a valid operation for a given Value receiver.
|
|
|
|
|
* reflect: The new Value.Grow method extends a slice to guarantee
|
|
|
|
|
space for another n elements.
|
|
|
|
|
* reflect: The new Value.SetZero method sets a value to be the
|
|
|
|
|
zero value for its type.
|
|
|
|
|
* reflect: Go 1.18 introduced Value.SetIterKey and
|
|
|
|
|
Value.SetIterValue methods. These are optimizations:
|
|
|
|
|
v.SetIterKey(it) is meant to be equivalent to
|
|
|
|
|
v.Set(it.Key()). The implementations incorrectly omitted a
|
|
|
|
|
check for use of unexported fields that was present in the
|
|
|
|
|
unoptimized forms. Go 1.20 corrects these methods to include
|
|
|
|
|
the unexported field check.
|
|
|
|
|
* regexp: Go 1.19.2 and Go 1.18.7 included a security fix to the
|
|
|
|
|
regular expression parser, making it reject very large
|
|
|
|
|
expressions that would consume too much memory. Because Go
|
|
|
|
|
patch releases do not introduce new API, the parser returned
|
|
|
|
|
syntax.ErrInternalError in this case. Go 1.20 adds a more
|
|
|
|
|
specific error, syntax.ErrLarge, which the parser now returns
|
|
|
|
|
instead.
|
|
|
|
|
* runtime/cgo: Go 1.20 adds new Incomplete marker type. Code
|
|
|
|
|
generated by cgo will use cgo.Incomplete to mark an incomplete
|
|
|
|
|
C type.
|
|
|
|
|
* runtime/metrics: Go 1.20 adds new supported metrics, including
|
|
|
|
|
the current GOMAXPROCS setting (/sched/gomaxprocs:threads), the
|
|
|
|
|
number of cgo calls executed (/cgo/go-to-c-calls:calls), total
|
|
|
|
|
mutex block time (/sync/mutex/wait/total:seconds), and various
|
|
|
|
|
measures of time spent in garbage collection.
|
|
|
|
|
* runtime/metrics: Time-based histogram metrics are now less
|
|
|
|
|
precise, but take up much less memory.
|
|
|
|
|
* runtime/pprof: Mutex profile samples are now pre-scaled, fixing
|
|
|
|
|
an issue where old mutex profile samples would be scaled
|
|
|
|
|
incorrectly if the sampling rate changed during execution.
|
|
|
|
|
* runtime/pprof: Profiles collected on Windows now include memory
|
|
|
|
|
mapping information that fixes symbolization issues for
|
|
|
|
|
position-independent binaries.
|
|
|
|
|
* runtime/trace: The garbage collector's background sweeper now
|
|
|
|
|
yields less frequently, resulting in many fewer extraneous
|
|
|
|
|
events in execution traces.
|
|
|
|
|
* strings: The new CutPrefix and CutSuffix functions are like
|
|
|
|
|
TrimPrefix and TrimSuffix but also report whether the string
|
|
|
|
|
was trimmed.
|
|
|
|
|
* sync: The new Map methods Swap, CompareAndSwap, and
|
|
|
|
|
CompareAndDelete allow existing map entries to be updated
|
|
|
|
|
atomically.
|
|
|
|
|
* syscall: On FreeBSD, compatibility shims needed for FreeBSD 11
|
|
|
|
|
and earlier have been removed.
|
|
|
|
|
* syscall: On Linux, additional CLONE_* constants are defined for
|
|
|
|
|
use with the SysProcAttr.Cloneflags field.
|
|
|
|
|
* syscall: On Linux, the new SysProcAttr.CgroupFD and
|
|
|
|
|
SysProcAttr.UseCgroupFD fields provide a way to place a child
|
|
|
|
|
process into a specific cgroup.
|
|
|
|
|
* testing: The new method B.Elapsed reports the current elapsed
|
|
|
|
|
time of the benchmark, which may be useful for calculating
|
|
|
|
|
rates to report with ReportMetric.
|
|
|
|
|
* time: The new time layout constants DateTime, DateOnly, and
|
|
|
|
|
TimeOnly provide names for three of the most common layout
|
|
|
|
|
strings used in a survey of public Go source code.
|
|
|
|
|
* time: The new Time.Compare method compares two times.
|
|
|
|
|
* time: Parse now ignores sub-nanosecond precision in its input,
|
|
|
|
|
instead of reporting those digits as an error.
|
|
|
|
|
* time: The Time.MarshalJSON method is now more strict about
|
|
|
|
|
adherence to RFC 3339.
|
|
|
|
|
* unicode/utf16: The new AppendRune function appends the UTF-16
|
|
|
|
|
encoding of a given rune to a uint16 slice, analogous to
|
|
|
|
|
utf8.AppendRune.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jan 12 18:02:43 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
- go1.20rc3 (released 2023-01-12) is a release candidate version of
|
|
|
|
|
go1.20 cut from the master branch at the revision tagged
|
|
|
|
|
go1.20rc3.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 4 18:16:56 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
- go1.20rc2 (released 2023-01-04) is a release candidate version of
|
|
|
|
|
go1.20 cut from the master branch at the revision tagged
|
|
|
|
|
go1.20rc2.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 8 17:00:19 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
|
|
|
|
|
|
- go1.20rc1 (released 2022-12-08) is a release candidate version of
|
|
|
|
|
go1.20 cut from the master branch at the revision tagged
|
|
|
|
|
go1.20rc1.
|
|
|
|
|
Refs boo#1206346 go1.20 release tracking
|