go1.11.1 (released 2018/10/01) includes fixes to the compiler, documentation,
go command, runtime, and the crypto/x509, encoding/json, go/types, net,
net/http, and reflect packages. See the Go 1.11.1 milestone on our issue
tracker for details.
Also correct the PLIST and use ln -sf instead of ln -s.
Replacements: the versioned lang/go19, lang/go110 and lang/go111.
Nothing in pkgsrc directly depends on this anymore. There are a few
stragglers in wip, which will be fixed.
This moves builds of packages using Go off the unversioned lang/go package
and onto Go 1.11 or Go 1.9 (on NetBSD 6) by default.
There is a new, user-settable variable GO_VERSION_DEFAULT.
NOTE: not all Go packages completely implement this yet. For example,
net/syncthing does its own thing. This will be fixed.
This uses a similar approach as go111. Its revision is one higher than
the existing lang/go.
Next steps:
- make builds use this for dependent packages
- delete lang/go to complete the move
This installs the go tool as go111; all the supporting files go under
$PREFIX/go111, so it does not conflict with other Go versions. Go packages
in pkgsrc do not use it to build yet.
Changes:
There are many changes and improvements to the toolchain, runtime, and
libraries, but two features stand out as being especially exciting: modules
and WebAssembly support.
This release adds preliminary support for a new concept called "modules," an
alternative to GOPATH with integrated support for versioning and package
distribution. Module support is considered experimental, and there are still
a few rough edges to smooth out, so please make liberal use of the issue
tracker.
Go 1.11 also adds an experimental port to WebAssembly (js/wasm). This allows
programmers to compile Go programs to a binary format compatible with four
major web browsers.
Go packages create ${PREFIX}/bin and ${PREFIX}/gopkg even when they
don't install anything in them. This change sets PRINT_PLIST_AWK to
ignore such empty directories.
Previously GOCACHE was not passed as environment variable and hence
during the build of packages the cache was stored in `${GO} env
GOCACHE' (${XDG_CACHE_HOME} if defined or ${HOME}/.cache).
Pass GOCACHE so that all cached file will ends up under ${WRKDIR}.
While here also pass both GOPATH and GOCACHE via MAKE_ENV.
Thanks to Antonio Huete Jimenez for spotting this problem!
Discussed and ok by <bsiegert>, thanks!
go1.10.4 (released 2018/08/24) includes fixes to the go command, linker, and
the net/http, mime/multipart, ld/macho, bytes, and strings packages. See the
Go 1.10.4 milestone on our issue tracker for details.
pkgsrc note: After the import of Go 1.11, this package will be renamed to
lang/go110.
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and
net/http/pprof package. See the Go 1.9.5 milestone on our issue tracker for
details.
go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
See the Go 1.9.6 milestone on our issue tracker for details.
go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
crypto/x509, and strings packages. In particular, it adds minimal support to
the go command for the vgo transition. See the Go 1.9.7 milestone on our issue
tracker for details.
Otherwise, you will not be able to build Go code in pkgsrc if you do not
have pkg_alternatives installed.
Introduce a variable (user-settable for now) GOVERSSUFFIX.
$GO is now the Go tool with full path.
leot@ convinced me to go full Python (e.g. one directory per major version,
GO_VERSION_ACCEPTED etc.) but that will be another series of commits.
BREAKING CHANGE: If you do not have pkg_alternatives installed, then you
will not get a "go" tool in the PATH, and builds of packages using Go may
fail. (This will be fixed in the next commit.)
go1.10.3 (released 2018/06/05) includes fixes to the go command, and the
crypto/tls, crypto/x509, and strings packages. In particular, it adds minimal
support to the go command for the vgo transition. See the Go 1.10.3 milestone
on our issue tracker for details.
Previously all lines (matching or not /${GO_PLATFORM}/) were printed
unconditionally and could interfere with other PRINT_PLIST_AWKs used by always
printing every line in `print-PLIST' phase.
Avoid that by limiting the pattern of PRINT_PLIST_AWK in go-package.mk.
As far as I can see, only non-security-relevant bugfixes.
go1.10.2 (released 2018/05/01) includes fixes to the compiler, linker, and go
command. See the Go 1.10.2 milestone on our issue tracker for details.
This fixes a security issue (https://github.com/golang/go/issues/23867).
Also:
These releases include fixes to the compiler, runtime, go command, and the
archive/zip, crypto/tls, crypto/x509, encoding/json, net, net/http, and
net/http/pprof packages.
ok wiz@ for committing during freeze
Full release notes at https://golang.org/doc/go1.10.
The latest Go release, version 1.10, arrives six months after Go 1.9. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.
This release improves caching of built packages, adds caching of successful
test results, runs vet automatically during tests, and permits passing string
values directly between Go and C using cgo. A new compiler option whitelist may
cause unexpected invalid flag errors in code that built successfully with older
releases.
As announced in the Go 1.9 release notes, Go 1.10 now requires FreeBSD 10.3 or
later; support for FreeBSD 9.3 has been removed.
Go now runs on NetBSD again but requires the unreleased NetBSD 8. Only GOARCH
amd64 and 386 have been fixed. The arm port is still broken.
On 32-bit MIPS systems, the new environment variable settings GOMIPS=hardfloat
(the default) and GOMIPS=softfloat select whether to use hardware instructions
or software emulation for floating-point computations.
Go 1.10 is the last release that will run on OpenBSD 6.0. Go 1.11 will require
OpenBSD 6.2.
Go 1.10 is the last release that will run on OS X 10.8 Mountain Lion or OS X
10.9 Mavericks. Go 1.11 will require OS X 10.10 Yosemite or later.
Go 1.10 is the last release that will run on Windows XP or Windows Vista. Go
1.11 will require Windows 7 or later.
By using the clang or gcc plugin mechanism, it was possible for an attacker to
trick the “go get” command into executing arbitrary code. The go command now
restricts the set of allowed host compiler and linker arguments in cgo source
files to a list of allowed flags, in particular disallowing -fplugin= and
-plugin=.
The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go
issue for details.
Thanks to Christopher Brown of Mattermost for reporting this problem.
This release includes fixes to the compiler, runtime, and the database/sql,
math/big, net/http, and net/url packages.
View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.9.minor
This release includes fixes to the compiler, linker, runtime, documentation,
go command, and the crypto/x509, database/sql, log, and net/smtp packages. It
includes a fix to a bug introduced in Go 1.9.1 that broke "go get"
of non-Git repositories under certain conditions.
Two security-related issues were recently reported.
To address this issue, we have just released Go 1.8.4 and Go 1.9.1.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.9.1).
The issues addressed by these releases are:
By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the "go get" command into executing arbitrary
code. The go command now refuses to use version control checkouts found inside
other version control systems, with an exception for git submodules (git inside
git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.
In the smtp package, PlainAuth is documented as sending credentials only over
authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also
send credentials on non-TLS connections when the remote server advertises that
PLAIN authentication is supported. The change was meant to allow use of PLAIN
authentication on localhost, but it has the effect of allowing a
man-in-the-middle attacker to harvest credentials. PlainAuth now requires
either TLS or a localhost connection before sending credentials, regardless of
what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.
NetBSD (8.99.2)'s "/bin/tar" fails to handle the extented headers
and extracts files into the wrong directory. This in turn least
to package list problems during the installation phase.
The latest Go release, version 1.9, arrives six months after Go 1.8 and
is the tenth release in the Go 1.x series. There are two changes to the
language: adding support for type aliases and defining when
implementations may fuse floating point operations. Most of the changes
are in the implementation of the toolchain, runtime, and libraries. As
always, the release maintains the Go 1 promise of compatibility. We
expect almost all Go programs to continue to compile and run as before.
The release adds transparent monotonic time support, parallelizes
compilation of functions within a package, better supports test helper
functions, includes a new bit manipulation package, and has a new
concurrent map type.
There are some instabilities on FreeBSD that are known but not
understood. These can lead to program crashes in rare cases. See issue
15658. Any help in solving this FreeBSD-specific issue would be
appreciated.
Go stopped running NetBSD builders during the Go 1.9 development cycle
due to NetBSD kernel crashes, up to and including NetBSD 7.1. As Go 1.9
is being released, NetBSD 7.1.1 is being released with a fix. However,
at this time we have no NetBSD builders passing our test suite. Any help
investigating the various NetBSD issues would be appreciated.
go14 has no relro support AFAICT.
go-1.8.3 has if you use -buildmode=pie, but it claims it's not supported
on Linux.
Disable relro checking for go packages until bsiegert has time to
look at this.
This release includes fixes to the compiler, runtime, documentation, and the
database/sql package.
https://golang.org/doc/devel/release.html#go1.8.minor
It also includes the security fix to the crypto/elliptic package from Go 1.8.2.
carry bug in x86-64 P-256.
A security-related issue was recently reported in Go's crypto/elliptic package.
To address this issue, we have just released Go 1.7.6 and Go 1.8.2.
The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare
for reporting the issue and providing a fix.
The issue affects Go's P-256 implementation on the 64-bit x86 architecture.
This is CVE-2017-8932 and was addressed by this change:
https://golang.org/cl/41070, tracked in this issue:
https://golang.org/issue/20040
Upstream changes:
go1.8.1 (released 2017/04/07) includes fixes to the compiler, linker, runtime, documentation, go command and the crypto/tls, encoding/xml, image/png, net, net/http, reflect, text/template, and time packages. See the Go 1.8.1 milestone on our issue tracker for details.
The compiler back end introduced in Go 1.7 for 64-bit x86 is now used on all
architectures, and those architectures should see significant performance
improvements. For instance, the CPU time required by our benchmark programs was
reduced by 20-30% on 32-bit ARM systems. There are also some modest performance
improvements in this release for 64-bit x86 systems. The compiler and linker
have been made faster. Compile times should be improved by about 15% over Go
1.7. There is still more work to be done in this area: expect faster
compilation speeds in future releases.
Garbage collection pauses should be significantly shorter, usually under 100
microseconds and often as low as 10 microseconds.
The HTTP server adds support for HTTP/2 Push, allowing servers to preemptively
send responses to a client. This is useful for minimizing network latency by
eliminating roundtrips. The HTTP server also adds support for graceful
shutdown, allowing servers to minimize downtime by shutting down only after
serving all requests that are in flight.
Contexts (added to the standard library in Go 1.7) provide a cancelation and
timeout mechanism. Go 1.8 adds support for contexts in more parts of the
standard library, including the database/sql and net packages and
Server.Shutdown in the net/http package.
Go 1.8 includes many more additions, improvements, and fixes. Find the complete
set of changes, and more information about the improvements listed above, in
the Go 1.8 release notes: https://golang.org/doc/go1.8
Upstream changes:
go1.7.5 (released 2017/01/26) includes fixes to the compiler, runtime, and the crypto/x509 and time packages. See the Go 1.7.5 milestone on our issue tracker for details.
