Bug 1212669

Summary: go1.21+ toolchains change default GOTOOLCHAIN=auto to local to prevent downloading upstream go1.x toolchain binaries
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Jeff Kowalczyk <jkowalczyk>
Component: Development
Assignee: Jeff Kowalczyk <jkowalczyk>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other

Description Jeff Kowalczyk 2023-06-24 00:22:13 UTC
Change the go.env default value GOTOOLCHAIN=auto to GOTOOLCHAIN=local in go1.21+ toolchain packages.

go1.21+ introduces new default behavior that can download additional versions of go1.x toolchain binaries built by upstream. See https://go.dev/doc/toolchain for details. The go tool would attempt toolchain downloads as needed to satisfy a minimum go version specified in go.mod of the program containing main() or any of its dependencies.

In the OBS build environment, it is not permitted to download and use an externally built toolchain during the build phase. Additionally, network access is not permitted in OBS and the download attempt would fail.

In practice the behaviour will rarely be triggered on openSUSE or SUSE as we ship go1.x toolchain packages ASAP upon their release date.

The download attempt could be triggered when using BuildRequires: go and the metapackage points to the older stable version (e.g. with 6 months of updates remaining), only if the Go application or a dependency has marked the new stable version (e.g. with 12 months of updates remaining) as necessary to utilize some new feature. With GOTOOLCHAIN=local the build would fail and the packager could update their BuildRequires as needed. We will update the go metapackage version as soon as each new go1.x package is accepted to minimize the times in which these circumstances exist.
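
Added example (not part of the bug report or of the openSUSE packaging): a simplified model of the selection rule described at https://go.dev/doc/toolchain, showing where `GOTOOLCHAIN=auto` would switch toolchains (and may download one) and where `GOTOOLCHAIN=local` fails the build instead. The names `parseVer` and `Outcome` and the sample go.mod are hypothetical; it assumes a single go.mod, only the `auto` and `local` settings, and release version names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVer maps "1.21" or "go1.21.3" to an integer. Assumption: releases only, no rc/beta.
func parseVer(s string) (v int, err error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) == 2 {
		parts = append(parts, "0") // language version such as "1.21"
	}
	for _, p := range parts {
		n, e := strconv.Atoi(p)
		if e != nil || n < 0 || n > 999 || len(parts) != 3 {
			return 0, fmt.Errorf("unsupported version %q", s)
		}
		v = v*1000 + n
	}
	return v, nil
}

// Outcome predicts "use-local", "switch" (GOTOOLCHAIN=auto) or "fail" (GOTOOLCHAIN=local).
func Outcome(goMod, local, setting string) (string, error) {
	have, err := parseVer(local)
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(goMod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && (f[0] == "go" || f[0] == "toolchain") {
			need, err := parseVer(f[1])
			if err != nil {
				return "", err
			}
			if need > have && setting == "local" {
				return "fail", nil
			} else if need > have {
				return "switch", nil
			}
		}
	}
	return "use-local", nil
}

func main() {
	mod := "module example.com/app\n\ngo 1.22.0\n" // constructed sample go.mod
	fmt.Println(Outcome(mod, "go1.21.0", "local"))
}
```

A "fail" result corresponds to the case in the description where the packager updates BuildRequires to a newer go1.x package.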

Comment 1 OBSbugzilla Bot 2023-06-26 05:55:07 UTC
This is an autogenerated message for OBS integration:
This bug (1212669) was mentioned in
https://build.opensuse.org/request/show/1095300 Factory / go1.21

Comment 3 Maintenance Automation 2023-08-15 20:30:03 UTC
SUSE-RU-2023:3323-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1212475, 1212667, 1212669
Sources used:
Development Tools Module 15-SP4 (src): go1.21-1.21.0-150000.1.3.1
Development Tools Module 15-SP5 (src): go1.21-1.21.0-150000.1.3.1
openSUSE Leap 15.4 (src): go1.21-1.21.0-150000.1.3.1
openSUSE Leap 15.5 (src): go1.21-1.21.0-150000.1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 OBSbugzilla Bot 2023-10-31 15:35:17 UTC
This is an autogenerated message for OBS integration:
This bug (1212669) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21

Comment 7 Marcus Meissner 2023-11-09 14:05:11 UTC
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1

Comment 9 Maintenance Automation 2023-11-16 20:30:11 UTC
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1