Soon, with the new release of Go 1.18, Go 1.16 will be deprecated.
Currently Fedora 35 has Go 1.16. We have several options: a) Backport critical CVEs to 1.16 b) Update to 1.17 c) Update to 1.18
[0] https://go.dev/doc/devel/release#policy [1] https://bugzilla.redhat.com/show_bug.cgi?id=2060299
b) Update to 1.17 c) Update to 1.18
I don't think we can do either of these due to our Updates policy.
Metadata Update from @jcajka: - Issue untagged with: meeting
For the record: As @jcajka pointed during the meeting where we discussed this issue, doing backports of the CVEs is probably the best way to handle this. It's not the first time it is done and as @qulogic said, updating seems impossible due the Fedora Updates Policy.
My intentions are: With every new 1.18/1.17 update, I'll check the CVEs and try to backport those that affects 1.16 and are feasible, until the Fedora 35 EOL.
I guess because of the limited lifetime of Fedora releases, as long as you start out a new release with the latest golang version, you might not have to backport fixes for CVEs for very long. This is not a viable option for EPEL packages, however, because the lifetime of each EL is just too long. Each EL8 minor release also comes out with a newer golang version. So I plan to try to track EL8 versions fairly closely in EPEL7. Until the next update of golang in EL8, if @alexsaezm backports important CVEs to 1.16 I guess I could build those for EPEL7 too.
On second thought, I'll plan to exactly follow EL8 versions in EPEL7. Any time there is an update in EL8, I will start from that src rpm.
I think we can close this now. We've already decided to backport CVEs to f35.
f35
Metadata Update from @gotmax23: - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.