-
Notifications
You must be signed in to change notification settings - Fork 321
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to Go 1.20.5 #140
Update to Go 1.20.5 #140
Conversation
This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore). Also: - update the tests to Debian Bookworm and Alpine 3.19 - update `SECURITY.md` to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations)
Why not to latest go version? |
Of course, in the spirit of golang/go#6853, this does make our binaries larger, but not by a significant amount (and mitigated somewhat by #138 and #139). Before (on 64a0cd9): $ stat --format '% 13n %s' gosu-*
gosu-amd64 1478001
gosu-arm64 1545902
gosu-armel 1529287
gosu-armhf 1529706
gosu-i386 1390620
gosu-mips64el 1745078
gosu-ppc64el 1549439
gosu-riscv64 1648084
gosu-s390x 1612814 After (on 9ea56fe): $ stat --format '% 13n %s' gosu-*
gosu-amd64 1567985
gosu-arm64 1619900
gosu-armel 1667383
gosu-armhf 1602228
gosu-i386 1491793
gosu-mips64el 1883141
gosu-ppc64el 1687472
gosu-riscv64 1726260
gosu-s390x 1751615 The 1.17 release builds, for comparison: $ stat --format '% 13n %s' gosu-*
gosu-amd64 2355481
gosu-arm64 2402948
gosu-armel 2375335
gosu-armhf 2376208
gosu-i386 2204407
gosu-mips64el 2669254
gosu-ppc64el 2407305
gosu-riscv64 2451268
gosu-s390x 2536037 |
I've attempted to answer that more explicitly in my update to
|
This is really counter intuitive. I can not imagine e.g. a distro to downgrade dependencies. |
Ok, I think I get it now - this is the version required by github.com/moby/sys/user |
This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore).
Also:
SECURITY.md
to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations)(refs #136)