Message-ID: <5a747a70-61e1-4efe-914f-13cedca4c229@gmail.com>
Date: Mon, 20 Apr 2026 13:10:13 -0400
From: Demi Marie Obenour <demiobenour@...il.com>
To: oss-security@...ts.openwall.com, Morten Linderud <morten@...derud.pw>
Subject: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes

On 4/20/26 12:07, Morten Linderud wrote:
> On Sun, Apr 19, 2026 at 10:46:43PM +0200, Matthias Ferdinand wrote:
>>
>> Arch linux appears not to have recompiled Go applications (or at least
>> not all of them, only checked restic)
>
> We don't.
>
> I originally did this work a few years ago but it just produced a huge list of
> packages that would need to be worked through that carried other issues. The
> build infra is not there to dispatch larger rebuilds for this and all of it
> would be hand holding.
>
> There are 431 depending on go, and each project would need to be
> unpacked/scanned and then rebuilt accordingly.
>
> You could just rebuild everything, but that alone would take a few days
> depending on volunteer time.

I wonder if build infra needs to be updated to support automated
rebuilds when a reverse dependency is updated. My understanding is
that FreeBSD ports, Nix, and OBS already support this.

There is a very strong trend towards static linking, and even when
dynamic linking is used, ABI stability might not be guaranteed.
I agree that this is extra work for distros, but I don't think
distros will be able to convince upstreams to prioritize ABI stability
for general libraries (as opposed to special cases).

I'll write up a blog post about this later.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)