Re: git: cf25897f304e - main - lang/go119: Update to 1.19.5

Reply: Adam Weinberger : "Re: git: cf25897f304e - main - lang/go119: Update to 1.19.5"
In reply to: Emmanuel Vadot : "Re: git: cf25897f304e - main - lang/go119: Update to 1.19.5"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Dmitri Goutnik <dg_at_syrec.org>
Date: Wed, 11 Jan 2023 20:44:58 UTC

On 11/01/2023 13:13, Emmanuel Vadot wrote:
> On Wed, 11 Jan 2023 10:58:14 -0700
> Adam Weinberger<adamw@adamw.org>  wrote:
>
>> Ahh okay, I wondered what the calculus on that was!
>>
>> It seems a little odd to me to only bump for security changes. Given that
>> all go binaries are statically linked from the go stdlib, upgrading go
>> alone does nothing for the entirety of go ports.
>   It does not do nothing, in fact it does a really bad thing which is
> that we now have different package result for all go ports that what is
> currently in the package repo (official or not).
>   Also since the builder always bulk -c (I think) this means that if a
> user install whatever go package today and another user install the same
> package after the next build they will have different package. And if
> this go update actually fixes a bug that is present in this package it
> means that the first user will have the bug and not the second one, so
> it causes headache for PR.
I will bump revisions, but the same problem exists with Rust, Crystal 
and anything else that builds
statically linked executables.

My perception of this issue is less dramatic, but if it seems super 
important then perhaps revision bumps
shouldn't be left to committers and pkg and/or poudriere could record 
the Go version that packages were
built with and do rebuilds automatically as needed. It seems that only 
FreeBSD does these massive revision
bumps, neither Arch, Debian or OpenBSD are doing that (I don't know 
whether their packaging infrastructure
handles rebuilds automatically or they just don't see the need).

Also, there's a whole another can of worms that is quarterly, where 
these revision bump commits are
practically unmergeable.

>> Does the benefit of fewer upgrades offset the value lost by go upgrades
>> that don't make it to go-based ports?
>>
>> # Adam
>>
>>
>> On Wed, Jan 11, 2023 at 9:47 AM Dmitri Goutnik<dg@syrec.org>  wrote:
>>
>>> Hi Adam,
>>>
>>> No, the release notes do not mention any security fixes so this is just a
>>> bugfix release.
>>> On 11/01/2023 10:56, Adam Weinberger wrote:
>>>
>>> On Wed, Jan 11, 2023 at 7:01 AM Dmitri Goutnik<dmgk@freebsd.org>  wrote:
>>>
>>>> The branch main has been updated by dmgk:
>>>>
>>>> URL:
>>>> https://cgit.FreeBSD.org/ports/commit/?id=cf25897f304ef0251fdc238c9d13ea3b1b6dad16
>>>>
>>>> commit cf25897f304ef0251fdc238c9d13ea3b1b6dad16
>>>> Author:     Dmitri Goutnik<dmgk@FreeBSD.org>  <dmgk@FreeBSD.org>
>>>> AuthorDate: 2023-01-11 13:58:47 +0000
>>>> Commit:     Dmitri Goutnik<dmgk@FreeBSD.org>  <dmgk@FreeBSD.org>
>>>> CommitDate: 2023-01-11 14:01:05 +0000
>>>>
>>>>      lang/go119: Update to 1.19.5
>>>>
>>>>      Changes:https://go.dev/doc/devel/release#go1.19.5
>>>>
>>> Hi Dmitri,
>>>
>>> Are you intending to bump go ports after this update?
>>>
>>> # Adam
>>>
>>>
>>> --
>>> Adam Weinberger
>>> adamw@adamw.org
>>> https://www.adamw.org
>>>
>>>
>> -- 
>> Adam Weinberger
>> adamw@adamw.org
>> https://www.adamw.org