pkgsrc/lang/go/version.mk

# $NetBSD: version.mk,v 1.105 2020/11/13 18:45:50 bsiegert Exp $

#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
# file must be included directly in the package prior to bsd.prefs.mk.
#
.include "go-vars.mk"

GO115_VERSION=	1.15.5
GO114_VERSION=	1.14.12
GO113_VERSION=	1.13.15
GO110_VERSION=	1.10.8
GO19_VERSION=	1.9.7
GO14_VERSION=	1.4.3

.include "../../mk/bsd.prefs.mk"

.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*}
# 1.9 is the last Go version to support NetBSD 6
GO_VERSION_DEFAULT?=	19
.elif ${OPSYS} == "Darwin" && ${OS_VERSION:R} < 14
# go 1.11 removed support for osx 10.8 and 10.9
# https://github.com/golang/go/issues/23122
# darwin version 13.4 is osx 10.9.5
GO_VERSION_DEFAULT?=	110
.else
GO_VERSION_DEFAULT?=	115
.endif

.if !empty(GO_VERSION_DEFAULT)
GOVERSSUFFIX=		${GO_VERSION_DEFAULT}
.endif

# How to find the Go tool
GO=			${PREFIX}/go${GOVERSSUFFIX}/bin/go

# Build dependency for Go
GO_PACKAGE_DEP=		go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}*:../../lang/go${GOVERSSUFFIX}

ONLY_FOR_PLATFORM=	*-*-i386 *-*-x86_64 *-*-earmv[67]hf *-*-aarch64
NOT_FOR_PLATFORM=	SunOS-*-i386
.if ${MACHINE_ARCH} == "i386"
GOARCH=			386
GOCHAR=			8
.elif ${MACHINE_ARCH} == "x86_64"
GOARCH=			amd64
GOCHAR=			6
.elif ${MACHINE_ARCH} == "earmv6hf" || ${MACHINE_ARCH} == "earmv7hf"
GOARCH=			arm
GOCHAR=			5
.elif ${MACHINE_ARCH} == "aarch64"
GOARCH=			arm64
GOOPT=			GOARM=7
# GOHOSTARCH is being misdetected as arm on NetBSD. Unclear why.
GOOPT+=			GOHOSTARCH=arm64
.endif
.if ${MACHINE_ARCH} == "earmv6hf"
GOOPT=			GOARM=6
.elif ${MACHINE_ARCH} == "earmv7hf"
GOOPT=			GOARM=7
.endif
GO_PLATFORM=		${LOWER_OPSYS}_${GOARCH}
PLIST_SUBST+=		GO_PLATFORM=${GO_PLATFORM:Q} GOARCH=${GOARCH:Q}
PLIST_SUBST+=		GOCHAR=${GOCHAR:Q}

PRINT_PLIST_AWK+=	{ sub("/${GO_PLATFORM}/", "/$${GO_PLATFORM}/") }

TOOLS_CREATE+=		go
TOOLS_PATH.go=		${GO}
Update go115 to 1.15.5 (security fix). - math/big: panic during recursive division of very large numbers A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected. crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552. - cmd/go: arbitrary code execution at build time through cgo The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively. 2020-11-13 19:45:50 +01:00			`# $NetBSD: version.mk,v 1.105 2020/11/13 18:45:50 bsiegert Exp $`
go*: Disable SSP support completely. It's not supported by the go linker, and can cause issues when building third-party modules if the SSP libraries are handled by pkgsrc. 2018-01-30 18:05:21 +01:00
go: Split _SUPPORTED variables out into new go-vars.mk. It's not always possible to include go-package.mk earlier than bsd.prefs.mk in a package, for example if the package defines its own do-install target, so move out the _SUPPORTED variables that need to be included first. 2019-12-09 10:59:31 +01:00			`#`
			`# If bsd.prefs.mk is included before go-package.mk in a package, then this`
			`# file must be included directly in the package prior to bsd.prefs.mk.`
			`#`
			`.include "go-vars.mk"`
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages. 2014-11-18 21:39:11 +01:00
Update go115 to 1.15.5 (security fix). - math/big: panic during recursive division of very large numbers A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected. crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552. - cmd/go: arbitrary code execution at build time through cgo The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively. 2020-11-13 19:45:50 +01:00			`GO115_VERSION= 1.15.5`
Update go114 to 1.14.12 (security fix). - math/big: panic during recursive division of very large numbers A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected. crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552. - cmd/go: arbitrary code execution at build time through cgo The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively. 2020-11-13 19:27:35 +01:00			`GO114_VERSION= 1.14.12`
Update go113 to 1.13.15. go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary package. See the Go 1.13.15 milestone on our issue tracker for details. 2020-08-14 20:28:29 +02:00			`GO113_VERSION= 1.13.15`
Update go110 to 1.10.8 (security). This release addresses a recently supported security issue. This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details. 2019-01-24 10:33:08 +01:00			`GO110_VERSION= 1.10.8`
Update go19 to 1.9.7, latest on that branch. go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and net/http/pprof package. See the Go 1.9.5 milestone on our issue tracker for details. go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command. See the Go 1.9.6 milestone on our issue tracker for details. go1.9.7 (released 2018/06/05) includes fixes to the go command, and the crypto/x509, and strings packages. In particular, it adds minimal support to the go command for the vgo transition. See the Go 1.9.7 milestone on our issue tracker for details. 2018-07-08 20:40:40 +02:00			`GO19_VERSION= 1.9.7`
Update go14 to 1.4.3. It fixes four security-related issues. The issues were reported in Go's net/http package. They affect programs using that package to proxy HTTP requests. We recommend that all users upgrade to Go 1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues. Affected Go programs—those that use the net/http package as a proxy server—must be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes. The CVE issue descriptions and fixes are linked below. CVE-2015-5739 "Content Length" treated as valid header: https://go-review.googlesource.com/#/c/11772/ CVE-2015-5740 Double content-length headers does not return 400 error: https://go-review.googlesource.com/#/c/11810/ CVE-2015-5741 Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections: https://go-review.googlesource.com/#/c/11810/ https://go-review.googlesource.com/#/c/12865/ https://go-review.googlesource.com/#/c/13148/ The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program. 2015-09-26 19:37:01 +02:00			`GO14_VERSION= 1.4.3`
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages. 2014-11-18 21:39:11 +01:00
go: Split _SUPPORTED variables out into new go-vars.mk. It's not always possible to include go-package.mk earlier than bsd.prefs.mk in a package, for example if the package defines its own do-install target, so move out the _SUPPORTED variables that need to be included first. 2019-12-09 10:59:31 +01:00			`.include "../../mk/bsd.prefs.mk"`

Move most of the version selection logic into version.mk. Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on the user-selected Go version, to be used for fixing syncthing and friends. 2018-09-22 21:44:21 +02:00			`.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*}`
			`# 1.9 is the last Go version to support NetBSD 6`
			`GO_VERSION_DEFAULT?= 19`
lang/go: on osx 10.9 and earlier, use go110 go 1.11 removed support for osx 10.8 and 10.9 https://github.com/golang/go/issues/23122 2019-09-17 06:39:20 +02:00			`.elif ${OPSYS} == "Darwin" && ${OS_VERSION:R} < 14`
			`# go 1.11 removed support for osx 10.8 and 10.9`
			`# https://github.com/golang/go/issues/23122`
			`# darwin version 13.4 is osx 10.9.5`
			`GO_VERSION_DEFAULT?= 110`
Move most of the version selection logic into version.mk. Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on the user-selected Go version, to be used for fixing syncthing and friends. 2018-09-22 21:44:21 +02:00			`.else`
Update go115 to 1.15.1. go1.15.1 (released 2020/09/01) includes security fixes to the net/http/cgi and net/http/fcgi packages. See the Go 1.15.1 milestone on our issue tracker for details. 2020-09-03 08:47:21 +02:00			`GO_VERSION_DEFAULT?= 115`
Move most of the version selection logic into version.mk. Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on the user-selected Go version, to be used for fixing syncthing and friends. 2018-09-22 21:44:21 +02:00			`.endif`

			`.if !empty(GO_VERSION_DEFAULT)`
			`GOVERSSUFFIX= ${GO_VERSION_DEFAULT}`
			`.endif`

Move definition of $GO to version.mk. We have some packages, like mongodb-tools, that cannot include go-package.mk but need to call the go tool. 2018-07-08 15:53:42 +02:00			`# How to find the Go tool`
			`GO= ${PREFIX}/go${GOVERSSUFFIX}/bin/go`

Move most of the version selection logic into version.mk. Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on the user-selected Go version, to be used for fixing syncthing and friends. 2018-09-22 21:44:21 +02:00			`# Build dependency for Go`
			`GO_PACKAGE_DEP= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}*:../../lang/go${GOVERSSUFFIX}`

go/version.mk: now supports aarch64 2020-05-01 18:39:59 +02:00			`ONLY_FOR_PLATFORM= --i386 --x86_64 --earmv[67]hf --aarch64`
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages. 2014-11-18 21:39:11 +01:00			`NOT_FOR_PLATFORM= SunOS-*-i386`
			`.if ${MACHINE_ARCH} == "i386"`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GOARCH= 386`
			`GOCHAR= 8`
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages. 2014-11-18 21:39:11 +01:00			`.elif ${MACHINE_ARCH} == "x86_64"`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GOARCH= amd64`
			`GOCHAR= 6`
Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go 2018-01-20 17:55:05 +01:00			`.elif ${MACHINE_ARCH} == "earmv6hf" \|\| ${MACHINE_ARCH} == "earmv7hf"`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GOARCH= arm`
			`GOCHAR= 5`
go/version.mk: now supports aarch64 2020-05-01 18:39:59 +02:00			`.elif ${MACHINE_ARCH} == "aarch64"`
			`GOARCH= arm64`
			`GOOPT= GOARM=7`
			`# GOHOSTARCH is being misdetected as arm on NetBSD. Unclear why.`
			`GOOPT+= GOHOSTARCH=arm64`
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages. 2014-11-18 21:39:11 +01:00			`.endif`
Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go 2018-01-20 17:55:05 +01:00			`.if ${MACHINE_ARCH} == "earmv6hf"`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GOOPT= GOARM=6`
Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go 2018-01-20 17:55:05 +01:00			`.elif ${MACHINE_ARCH} == "earmv7hf"`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GOOPT= GOARM=7`
Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go 2018-01-20 17:55:05 +01:00			`.endif`
lang: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections. 2019-11-03 20:03:56 +01:00			`GO_PLATFORM= ${LOWER_OPSYS}_${GOARCH}`
			`PLIST_SUBST+= GO_PLATFORM=${GO_PLATFORM:Q} GOARCH=${GOARCH:Q}`
			`PLIST_SUBST+= GOCHAR=${GOCHAR:Q}`
go: Improve PRINT_PLIST_AWK patterns and avoid possible double definition - Move GO_PLATFORM definition in lang/go/version.mk in order that also lang/go* packages can (re)use it - Change PRINT_PLIST_AWK pattern that replace all ${GO_PLATFORM} and apply it only when ${GO_PLATFORM} is a directory (between two "/"). There are only 3 exceptions to that in lang/go14. Move it to version.mk so lang/go* PLIST can be mostly automatically generated. These changes should help to avoid (most) manual editing of lang/go*/PLIST. Discussed with and thanks to <bsiegert>! 2018-10-26 15:49:23 +02:00
			`PRINT_PLIST_AWK+= { sub("/${GO_PLATFORM}/", "/$${GO_PLATFORM}/") }`
lang/go: add go to the tools directory This makes it easier to run the Go compiler from within the build environment created by "bmake build-env". 2019-12-07 19:15:13 +01:00
			`TOOLS_CREATE+= go`
			`TOOLS_PATH.go= ${GO}`