Feature Freeze Exception: Update golang-defaults to 1.18

Bug #1964270 reported by William Wilson
Affects: golang-defaults (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

This change is necessary because we always update to the latest Go version before each release.

Go's source does not provide a changelog, but the changes in 1.18 can be seen at https://golang.org/doc/go1.18

Go 1.18 is not yet released, though it was originally due to be released in February. I have already set up no-change rebuild PPAs to rebuild against Go 1.18, and initial attempts with the beta have gone very smoothly. I will update this bug with more information about those rebuilds when I have been able to complete them against a released version of Go 1.18.

William Wilson (jawn-smith) wrote:

Go 1.18 has released and test rebuilds have been completed.

Go 1.18 has made the decision to deny SHA1 certificates by default. Per the release notes: "crypto/x509 will now reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated since 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015."

The packages below will be marked as having the "SHA1 issue" if this is the only reason for an FTBFS.

The following packages are FTBFS with Go 1.18 but not Go 1.17:

containerd (patch created on bug 1965157)
docker-registry (needs investigation)
golang-github-aws-aws-sdk-go (SHA1 issue: https://github.com/aws/aws-sdk-go/issues/4316)
golang-github-cockroachdb-apd (requires a newer version of golang-golang-x-tools)
golang-github-fullsailor-pkcs7 (SHA1 issue: https://github.com/fullsailor/pkcs7/issues/51)
golang-github-google-wire
golang-github-klauspost-compress (requires a newer version of golang-golang-x-tools)
golang-github-kurin-blazer (upstream PR created: https://github.com/kurin/blazer/pull/83)
golang-github-micromdm-scep (SHA1 issue: https://github.com/micromdm/scep/issues/187)
golang-github-prometheus-common (SHA1 issue: https://github.com/prometheus/common/issues/361)
golang-github-prometheus-exporter-toolkit (SHA1 issue: https://github.com/prometheus/exporter-toolkit/issues/83)
golang-github-rican7-retry (package is out of date in debian/ubuntu and needs repackaging)
golang-github-rogpeppe-go-internal (has 1.18 upstream updates so a new upstream version should be packaged)
golang-github-smartystreets-assertions (requires a newer version of golang-golang-x-tools)
golang-github-streadway-amqp (SHA1 issue: https://github.com/streadway/amqp/issues/523)
golang-github-traefik-yaegi (There is a new upstream version that also seems to have broken tests)
golang-github-ugorji-go-codec (has new upstream version that needs to be packaged. Seems to resolve FTBFS)
golang-github-xanzy-go-gitlab (has new upstream version that needs to be packaged. Seems to resolve FTBFS)
golang-golang-x-tools (needs investigation)
golang-gonum-v1-gonum (needs investigation)
golang-honnef-go-tools (has new upstream version that needs to be packaged)
golang-v2ray-core (requires packaging of https://github.com/marten-seemann/qtls-go1-18)
prometheus (SHA1 issue)
shadowsocks-v2ray-plugin (requires packaging of https://github.com/marten-seemann/qtls-go1-18)
shfmt (requires new upstream version of the rogpeppe-go-internal package)
telegraf (depends on prometheus which is failing due to SHA1 issue)

William Wilson (jawn-smith) wrote:

I have a fix for golang-golang-x-tools in a PPA, but it builds a new binary with 1.18, so the upload can't be done until golang-defaults 1.18 is uploaded.

William Wilson (jawn-smith) wrote:

We have a plan to fix some of the SHA1 packages by allowing SHA1 certificates in the test cases only. This will allow the tests to fail without changing the behavior of the compiled binaries. It will be accomplished using the GODEBUG=x509sha1=1 environment variable in override_dh_auto_test.

William Wilson (jawn-smith) wrote:

I have created a PR to fix telegraf upstream, and have it scheduled to build in my PPAs as well.

https://github.com/influxdata/telegraf/pull/10847

William Wilson (jawn-smith) wrote:

Prometheus and telegraf are now successfully building in my PPAs. I will upload them to the archive shortly.

Łukasz Zemczak (sil2100) wrote:

Okay. This was quite the delay per their schedule! Guess Ubuntu should be proud of never really having a delay longer than a week (which also only happened a few times). It's unfortunate that this happens a week before Beta, along with so many other important changes - but what can one do.

Looking at the PPAs and the progress with the SHA-1 rejection issues, I feel like this is good to go. Seeing how things are, I'm quite happy that this seems to be rather low-risk at this point. We promised 1.18 - so let's deliver! Please proceed ASAP, but also make sure that the other non-SHA1 related build failures are resolved before the Beta.

Changed in golang-defaults (Ubuntu):
status: New → Triaged

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package golang-defaults - 2:1.18~0ubuntu1

---------------
golang-defaults (2:1.18~0ubuntu1) jammy; urgency=medium

  * Update to Go 1.18 (LP: #1964270)

 -- William 'jawn-smith' Wilson <email address hidden> Thu, 17 Mar 2022 16:05:09 -0500

Changed in golang-defaults (Ubuntu):
status: Triaged → Fix Released