File go1.13.changes of Package go1.13.14135

-------------------------------------------------------------------
Thu Feb 13 19:45:43 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.8 (released 2020/02/12) includes fixes to the runtime, the
  crypto/x509, and net/http packages.
  Refs boo#1149259.
  * go#37067 crypto/x509: MarshalPKCS8PrivateKey doc says RSA private key while it supports more than that
  * go#36583 net/http: HTTP/2 with MaxConnsPerHost hangs or crashes
  * go#36575 runtime: "PowerRegisterSuspendResumeNotification failed with errno= 87" when running in Windows docker containers
  * Truncate changelog for versions older than go1.13

-------------------------------------------------------------------
Wed Jan 29 00:18:21 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.7 (released 2020/01/28) includes two security fixes to
  the crypto/x509 package.
  Refs boo#1149259.
  * go#36838 crypto/x509, x/crypto/cryptobyte: panic in certificate parsing
  * go#36835 crypto/x509: certificate validation bypass on Windows 10

-------------------------------------------------------------------
Fri Jan 10 08:25:35 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.6 (released 2020/01/09) includes fixes to the runtime
  and the net/http package
  Refs boo#1149259.
  * go#36434 net/http: racing write to t.ProxyConnectHeader in dialConn when proxy URL includes auth credentials
  * go#36361 runtime: sweep increased allocation count crash on arm64
  * go#36127 runtime: "attempt to execute system stack code on user stack" during heap scavenging
  * go#36003 doc: release history webpage contains suboptimal links
  * go#35746 runtime: "fatal error: PowerRegisterSuspendResumeNotification failure" when running in Windows docker containers

-------------------------------------------------------------------
Fri Dec  6 04:38:50 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.5 (released 2019/12/04) includes fixes to the go command,
  the runtime, the linker, and the net/http package.
  Refs boo#1149259.
  * go#35765 net/http: Server.ConnContext accidentally modifies context for all connections
  * go#35748 ensure that Go toolchain meets Apple’s notarization requirements
  * go#35408 runtime: panic when using errors.As with validation errors from github.com/go-ozzo/ozzo-validation
  * go#35318 cmd/go: "fatal error: concurrent map writes" during go get
  * go#35211 runtime: function textOff returns incorrect value if multiple text sections are present
  * go#34825 cmd/link: nil pointer dereference crash when building with an Android NDK toolchain
  * go#34642 syscall: (*LazyProc).Call does not keep arguments alive (anymore)

-------------------------------------------------------------------
Fri Nov  1 04:38:50 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.4 (released 2019/10/31) includes fixes to the net/http and
  syscall packages. It also fixes an issue on macOS 10.15 Catalina
  where the non-notarized installer and binaries were being rejected
  by Gatekeeper.
  Refs boo#1149259.
  * go#35119 cmd/go: incorrectly rejects '@' character in directory names
  * go#35105 syscall: the wrong sysctl was gimped on iOS
  * go#35087 net/http: transport caches permanently broken persistent connections if write error happens during h2 handshake

-------------------------------------------------------------------
Wed Oct 23 20:52:04 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Prevent stripping of go .a archives to fix invalid binaries
  produced by build that runs successfully to completion.
  Indication which can be found in build logs is:
  objcopy a(__.PKGDEF): Unable to recognise the format of file
  objcopy a(_go_.o): Unable to recognise the format of file
  * boo#1149638 NO_BRP_STRIP_DEBUG NO_BRP_AR to prevent stripping go .a archives

-------------------------------------------------------------------
Sat Oct 19 20:25:46 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.3 (released 2019/10/17) includes fixes to the go command,
  the toolchain, the runtime, syscall, net, net/http, and
  crypto/ecdsa packages.
  Refs boo#1149259.
  * go#34928 crypto/ecdsa: revert ECDSA assembly on s390x
  * go#34922 cmd/vet: go vet -vettool=$(which shadow) errors in go1.13 only (flag provided but not defined: -unsafeptr)
  * go#34884 net/http: Client.Do() panics when URL includes HTTP basic auth
  * go#34882 net/http: Client.Do() panics when URL includes HTTP basic auth
  * go#34800 cmd/go: newlines inconsistently preserved in go.mod rewriting
  * go#34747 cmd/go: 'go get […]/v2@v2.X.Y' fails when the repo root contains the go.mod file for […]/v2 but no .go source files
  * go#34714 runtime, internal/poll: darwin: ensure that no thread is consumed, nor a syscall.Read if FD isn't yet ready for I/O
  * go#34712 runtime: "program exceeds 50-thread limit" in test of os package on darwin-arm-mg912baios
  * go#34694 cmd/go: loading dependencies with `go test -i` does not correctly handle `*.go` import paths
  * go#34679 cmd/go: `go mod download -json` is a lot slower with go1.13
  * go#34662 net: infinite loop in LookupAddr()
  * go#34636 x/net/http2: window updates on randomWriteScheduler after stream closed cause memory leaks
  * go#34579 net/http: TestTimeoutHandlerAndFlusher flaky on darwin-arm64-corellium
  * go#34560 net/http: Flush in TimeoutHandler for Go1.13 is broken and might need a revert
  * go#34556 runtime: high-percentile latency of memory allocations has regressed significantly
  * go#34498 net/http: Connection to HTTP/2 site with IdleConnTimeout hangs
  * go#34497 cmd/go: 'go get […]/v2@v2.X.Y' fails when the go.mod file for […]/v2 is at the repo root
  * go#34477 cmd/go: 'go get cloud.google.com/go@master' chooses a v0.0.0- pseudo-version
  * go#34388 syscall: memory corruption in *bool types generated by mksyscall_windows.go
  * go#34328 cmd/go: 'go list -test' prints main package twice
  * go#34326 cmd/go: working directory affects binaries even with -trimpath
  * go#34321 cmd/go: 'go list -test' prints main package twice NeedsFix Testing Tools
  * go#34285 net/http/httptrace: panic on GotConn
  * go#34243 cmd/go: `go get` fails when repository ends with `.go`
  * go#34223 cmd/go: Duplicate symbols with more than one main package in -coverpkg
  * go#34215 cmd/go: get fails on gitlab subgroups
  * go#34170 x/mobile: apps built with go 1.13, still rejected by Apple app store
  * go#34150 runtime: potential deadlock cycle caused by scavenge.lock
  * go#34149 runtime: scavenger pacing fails to account for fragmentation
  * go#34130 runtime: Timer buckets may get "stuck" for long periods of time after Windows 8/10 systems wake from sleep
  * go#34118 cmd/go: "found, but does not contain package" error refers to replaced version instead of its replacement
  * go#34083 cmd/go: 'go test' adds test.timeout flag after positional arguments
  * go#34082 doc: errors: wrong unwrap example
  * go#34081 cmd/go: go get panics in GOPATH mode on custom import path with an insecure redirect
  * go#33984 cmd/cover: cannot run in directory with no .go files
  * go#33761 cmd/compile: "only supported as of -lang=go1.13" error is misleading

-------------------------------------------------------------------
Fri Oct 18 05:41:03 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.2 (released 2019/10/17) includes security fixes to
  the compiler and crypto/dsa addressing the following CVE:
  CVE-2019-17596
  Refs boo#1149259.
  * boo#1154402 CVE-2019-17596
  * go#34962 crypto/dsa: invalid public key causes panic in dsa.Verify
  * go#34807 cmd/compile: access to negative slice indices improperly permitted

-------------------------------------------------------------------
Thu Sep 26 04:10:20 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.1 (released 2019/09/25) includes security fixes to the
  net/http package addressing the following CVE:
  CVE-2019-16276
  Refs boo#1149259.
  * boo#1152082 CVE-2019-16276
  * go#34540 net/http: invalid headers are normalized, allowing request smuggling

-------------------------------------------------------------------
Tue Sep  3 18:43:11 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13 (released 2019-09-03) is a major release of Go.
  Minor releases of go1.13.x will be provided through August 2020.
  Most go1.13 changes are in the implementation of the toolchain,
  runtime, and libraries. As always, the release maintains the Go 1
  promise of compatibility. Upstream expects almost all Go programs
  to continue to compile and run as before. Changes relevant to
  packaging and the OBS build environment are summarized below,
  see https://golang.org/doc/go1.13 for additional details.
  Refs boo#1149259.
  * As of Go 1.13, the go command by default downloads and
    authenticates modules using the Go module mirror and Go
    checksum database run by Google.
  * Default GO111MODULE="auto" now activates the module-aware mode
    when the current or parent directory contains a go.mod file.
  * Default GOPROXY="https://proxy.golang.org,direct" can contain a
    comma-separated list of proxy URLs or the special token direct.
  * Default GOSUMDB="sum.golang.org" verifies checksums of present
    in go.sum as well as checksums of dependency modules not
    present in go.sum.
  * Build environments which do not have network access should set
    GOPROXY to direct, and/or GOSUMDB to off.
  * If GOSUMDB is set to off, the checksum database is not
    consulted and only the existing checksums in the go.sum file
    are verified.
  * If your code uses modules and your go.mod files specifies a
    language version, be sure it is set to at least 1.13 to get
    access to go1.13 language changes. You can do this by editing
    the go.mod file directly, or you can run go mod edit -go=1.13.
  * As announced in Go 1.12, Go 1.13 enables support for TLS 1.3 in
    the crypto/tls package by default. It can be disabled by adding
    the value tls13=0 to the GODEBUG environment variable. The
    opt-out will be removed in Go 1.14.
  * The new crypto/ed25519 package implements the Ed25519 signature
    scheme. This functionality was previously provided by the
    golang.org/x/crypto/ed25519 package, which becomes a wrapper
    for crypto/ed25519 when used with Go 1.13+.
  * The runtime is now more aggressive at returning memory to the
    operating system to make it available to co-tenant
    applications. Previously, the runtime could retain memory for
    five or more minutes following a spike in the heap size. It
    will now begin returning it promptly after the heap
    shrinks. However, on many OSes, including Linux, the OS itself
    reclaims memory lazily, so process RSS will not decrease until
    the system is under memory pressure.
  * The compiler has a new implementation of escape analysis that
    is more precise. For most Go code should be an improvement (in
    other words, more Go variables and expressions allocated on the
    stack instead of heap). However, this increased precision may
    also break invalid code that happened to work before (for
    example, code that violates the unsafe.Pointer safety
    rules). If you notice any regressions that appear related, the
    old escape analysis pass can be re-enabled with
    go build -gcflags=all=-newescape=false. The option to use the
    old escape analysis will be removed in a future release.
  * The compiler no longer emits floating point or complex
    constants to go_asm.h files. These have always been emitted in
    a form that could not be used as numeric constant in assembly
    code.
- Drop patch allow-binary-only-packages.patch
  * This change was applied as of go1.13beta1 packaging
  * As announced in the Go 1.12 release notes, binary-only packages
    are no longer supported. Building a binary-only package (marked
    with a //go:binary-only-package comment) now results in an
    error.
  * In go1.12 and earlier, it was possible to distribute packages in
    binary form without including the source code used for compiling
    the package. "go build" and other commands no longer support
    binary-only-packages.
    https://tip.golang.org/pkg/go/build/#hdr-Binary_Only_Packages
  * Go applications are statically compiled from collected sources
    and compiled go modules are not commonly deployed as binary-only
    dependency packages.
  * Support for binary-only packages has been narrowing since
    go1.10. Context noted here for historical purposes:
    * https://tip.golang.org/doc/go1.10: Many details of the go
      build implementation have changed to support these
      improvements. One new requirement implied by these changes is
      that binary-only packages must now declare accurate import
      blocks in their stub source code, so that those imports can
      be made available when linking a program using the
      binary-only package. For more details, see go help filetype.
    * go help filetype: Non-test Go source files can also include a
      //go:binary-only-package comment, indicating that the package
      sources are included for documentation only and must not be
      used to build the package binary. This enables distribution
      of Go packages in their compiled form alone. Even binary-only
      packages require accurate import blocks listing required
      dependencies, so that those dependencies can be supplied when
      linking the resulting command.
    * go#23473 cmd/go: can't link programs that depend on transitive binary only packages
    * go#24318 cmd/go: go:binary-only-package not working in go 1.10
- Regenerate gcc6 go bootstrap patch gcc6-go.patch to include recent
  GO111MODULE=off argument in go (patch to go-6) build commands

-------------------------------------------------------------------
Thu Aug 29 16:46:13 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13rc2 (released 2019/08/29) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below in changelog entries for go1.13beta1,
  see https://tip.golang.org/doc/go1.13#modules for details
  * See https://tip.golang.org/doc/go1.13 for WIP documentation
  * Full changelog against go1.12.x generated upon go1.13 release

-------------------------------------------------------------------
Wed Aug 21 21:56:14 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13rc1 (released 2019/08/21) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below in changelog entries for go1.13beta1,
  see https://tip.golang.org/doc/go1.13#modules for details
  * See https://tip.golang.org/doc/go1.13 for WIP documentation
  * Full changelog against go1.12.x generated upon go1.13 release

-------------------------------------------------------------------
Fri Jul  5 16:17:47 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13beta1 (released 2019/06/26) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below, see
  https://tip.golang.org/doc/go1.13#modules for details
  * The go command by default downloads and authenticates modules
    modules using the Go module mirror and Go checksum database run
    by Google.
  * Default GO111MODULE="auto" now activates the module-aware mode
    when the current or parent directory contains a go.mod file.
  * Default GOPROXY="https://proxy.golang.org,direct" can contain a
    comma-separated list of proxy URLs or the special token direct.
  * Default GOSUMDB="sum.golang.org" verifies checksums of present
    in go.sum as well as checksums of dependency modules not
    present in go.sum.
  * Build environments which do not have network access should set
    GOPROXY to direct, and/or GOSUMDB to off.
  * If GOSUMDB is set to off, the checksum database is not
    consulted and only the existing checksums in the go.sum file
    are verified.
- Drop patch allow-binary-only-packages.patch
  * In go1.12 and earlier, it was possible to distribute packages in
    binary form without including the source code used for compiling
    the package. "go build" and other commands no longer support
    binary-only-packages.
    https://tip.golang.org/pkg/go/build/#hdr-Binary_Only_Packages
  * Go applications are statically compiled from collected sources
    and compiled go modules are not commonly deployed as binary-only
    dependency packages.
  * Dropping the patch in this 1.13beta release to align with
    upstream will allow packagers to identify any existing users of
    binary-only dependency packages, of which none are expected.
  * Support for binary-only packages has been narrowing since
    go1.10. Context noted here for historical purposes:
    * https://tip.golang.org/doc/go1.10: Many details of the go
      build implementation have changed to support these
      improvements. One new requirement implied by these changes is
      that binary-only packages must now declare accurate import
      blocks in their stub source code, so that those imports can
      be made available when linking a program using the
      binary-only package. For more details, see go help filetype.
    * go help filetype: Non-test Go source files can also include a
      //go:binary-only-package comment, indicating that the package
      sources are included for documentation only and must not be
      used to build the package binary. This enables distribution
      of Go packages in their compiled form alone. Even binary-only
      packages require accurate import blocks listing required
      dependencies, so that those dependencies can be supplied when
      linking the resulting command.
    * go#23473 cmd/go: can't link programs that depend on transitive binary only packages
    * go#24318 cmd/go: go:binary-only-package not working in go 1.10