Hey, so I have a package that manually depends on go via: BDEPEND="dev-lang/go" and it does not get rebuilt with @golang-rebuild. ionen dug up that this set is populated by ebuilds that inherit go-related eclasses. So it should rather check the DEPEND/BDEPEND on go either. Also I have a feeling if a package conditionally depend on go, via USE flag, it does not get populated to this set either.
I'll need to think about this, but all packages that use go to build should inherit a go-related eclass. I can't think of a reason that a package should depend on go without inheriting a go-related eclass.
I think this is a Portage issue, the set was introduced in Portage for bug 752153: commit 075c1951e1ac84e99a2219ff14be4a366d274f36 Author: Georgy Yakovlev <gyakovlev@gentoo.org> Date: Fri Oct 16 12:43:54 2020 -0700 cnf/sets/portage.conf: add new sets for go rebuilding go packages go-built binaries may contain security vulnerabilities if a binary built with vulnerable compiler. go is known to embed vulnerable code to all binaries it builds, if vulnerability was present in the compiler or one of standard libraries. This commit adds `golang-rebuild` set, which allows easy rebuild of most go-compiled system packages. simple 'emerge @golang-rebuild' should rebuild everything affected. a prompt to run this command can be added to postinst message in dev-lang/go ebuild. Closes: https://github.com/gentoo/portage/pull/630 Bug: https://bugs.gentoo.org/752153 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> Signed-off-by: Zac Medico <zmedico@gentoo.org> diff --git a/cnf/sets/portage.conf b/cnf/sets/portage.conf index 0d11d7891..22f0fa3a5 100644 --- a/cnf/sets/portage.conf +++ b/cnf/sets/portage.conf @@ -103,3 +103,9 @@ class = portage.sets.dbapi.UnavailableBinaries # to the matching portdb entry. [changed-deps] class = portage.sets.dbapi.ChangedDepsSet + +# Installed packages that inherit from known go related eclasses. +[golang-rebuild] +class = portage.sets.dbapi.VariableSet +variable = INHERITED +includes = golang-base golang-build golang-vcs golang-vcs-snapshot go-module
See bug 865114 for some additional fun related to this bug...
(In reply to J. Paul Reed from comment #3) > See bug 865114 for some additional fun related to this bug... Grr, I meant bug 865115.
The attached function appears to call "go version" on a hard-coded list of directories (/usr/bin /bin /sbin). That's problematic: go binaries could be installed anywhere. I'm not sure it makes sense to implement this as a portage set. All existing sets utilize package metadata to build a list of packages to be rebuilt. None of them call external commands to scan installed files. If package metadata cannot be relied upon, it might make more sense to implement a separate tool outside the package manager for this, similar to revedep-rebuild, perl-cleaner, etc.
(In reply to Mike Gilbert from comment #5) The above comment was meant for bug 865115.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/portage.git/commit/?id=38c479d46dc91be66877d857a3682534eb1b5f12 commit 38c479d46dc91be66877d857a3682534eb1b5f12 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-09-10 06:22:44 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-09-28 23:56:08 +0000 cnf: sets: convert @golang-rebuild into VariableSet This allows rebuilding *all* Go packages correctly, rather than purely going off inherit. There's a few reasons to do this: 1. Even if (and it's a big if) we suppose that all Go packages should inherit a Go eclass, there will be packages in user repositories which don't do that; 2. Eclasses are, by their nature, repository-specific. This solution is a generic approach independent of the eclass layout in ::gentoo. Bug: https://bugs.gentoo.org/827974 Bug: https://bugs.gentoo.org/865115 Signed-off-by: Sam James <sam@gentoo.org> Closes: https://github.com/gentoo/portage/pull/898 Signed-off-by: Sam James <sam@gentoo.org> cnf/sets/portage.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) https://gitweb.gentoo.org/proj/portage.git/commit/?id=bb09a2d4db4cd0f85f8ae8ceaddc05ae2585aba3 commit bb09a2d4db4cd0f85f8ae8ceaddc05ae2585aba3 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-09-10 06:22:39 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-09-28 23:56:08 +0000 portage: sets: VariableSet: parse *DEPEND in includes/excludes VariableSet takes a metadata variable and checks its contents based on 'includes' or 'excludes' from the set definition. Unfortunately, until now, it didn't parse/expand the chosen variable and would only match it literally (it'd also not check effective metadata, just what's listed in the ebuild -- no *DEPEND from an eclass, for example). If variable is *DEPEND, actually parse includes/excludes so we can effecitvely match say, includes="dev-lang/go" against ">=dev-lang/go-1.18" in an ebuild. Bug: https://bugs.gentoo.org/827974 Bug: https://bugs.gentoo.org/865115 Signed-off-by: Sam James <sam@gentoo.org> lib/portage/_sets/dbapi.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/portage.git/commit/?id=f034ac4a678a6da8d854f82a52d4fe523bf6cb8f commit f034ac4a678a6da8d854f82a52d4fe523bf6cb8f Author: Sam James <sam@gentoo.org> AuthorDate: 2022-09-29 02:37:14 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-09-30 20:35:00 +0000 cnf: sets: add @rust-rebuild set Rust is statically linked like Go and this is useful for us to mention in GLSAs (and possibly dev-lang/rust{,-bin}'s pkg_postinst). Bug: https://bugs.gentoo.org/827974 Bug: https://bugs.gentoo.org/865115 Signed-off-by: Sam James <sam@gentoo.org> Closes: https://github.com/gentoo/portage/pull/915 Signed-off-by: Sam James <sam@gentoo.org> cnf/sets/portage.conf | 6 ++++++ 1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00f62c1578506cb2d94b3ccf922cb40fa128387a commit 00f62c1578506cb2d94b3ccf922cb40fa128387a Author: Sam James <sam@gentoo.org> AuthorDate: 2022-10-01 02:59:09 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-10-01 02:59:59 +0000 sys-apps/portage: add 3.0.38 Closes: https://bugs.gentoo.org/827974 Closes: https://bugs.gentoo.org/864259 Closes: https://bugs.gentoo.org/865115 Closes: https://bugs.gentoo.org/871570 Closes: https://bugs.gentoo.org/872392 Closes: https://bugs.gentoo.org/872440 Closes: https://bugs.gentoo.org/873088 Signed-off-by: Sam James <sam@gentoo.org> sys-apps/portage/Manifest | 1 + sys-apps/portage/portage-3.0.38.ebuild | 273 +++++++++++++++++++++++++++++++++ 2 files changed, 274 insertions(+)
