File go1.18.changes of Package go1.18.26295

Tue Oct  4 18:21:57 UTC 2022 - Jeff Kowalczyk <>

- go1.18.7 (released 2022-10-04) includes security fixes to the
  archive/tar, net/http/httputil, and regexp packages, as well as
  bug fixes to the compiler, the linker, and the go/types package.
  Refs boo#1193742 go1.18 release tracking
  CVE-2022-41715 CVE-2022-2879 CVE-2022-2880
  * go#55950 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
  * go#55925 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers
  * go#55842 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters
  * go#55151 fatal error: bulkBarrierPreWrite: unaligned arguments
  * go#55148 go/types: no way to construct the signature of append(s, "string"...) via the API
  * go#55113 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation
  * go#54918 cmd/compile: Value live at entry

Tue Sep  6 19:24:28 UTC 2022 - Jeff Kowalczyk <>

- go1.18.6 (released 2022-09-06) includes security fixes to the
  net/http package, as well as bug fixes to the compiler, the go
  command, the pprof command, the runtime, and the crypto/tls,
  encoding/xml, and net packages.
  Refs boo#1193742 go1.18 release tracking
  * go#53977 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY
  * go#54733 cmd/go: git fetch errors dropped when producing pseudo-versions for commits
  * go#54725 cmd/compile: compile failed with "Value live at entry"
  * go#54674 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert
  * go#54664 runtime: segfault running ppc64/linux binaries with kernel 5.18
  * go#54659 cmd/go: go test -race does not set implicit race build tag
  * go#54642 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension
  * go#54636 cmd/go: data race in TestScript
  * go#54603 cmd/compile: miscompilation of partially-overlapping array assignments
  * go#54502 cmd/link: Trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64
  * go#54464 cmd/pprof: graphviz node names are funny with generics
  * go#54128 encoding/xml: crash on android/arm64 due to
  * go#54074 net: WriteMsgUDPAddrPort should accept IPv4 destination addresses on IPv6 UDP sockets
  * go#54056 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
  * go#53397 go/reflect: Incorrect behavior on arm64 when using MakeFunc / Call

Mon Aug 22 20:44:19 UTC 2022 - Jeff Kowalczyk <>

- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere

Fri Aug 19 15:47:43 UTC 2022 - Dirk Müller <>

- Bootstrap using go1.16 on SLE-15 and newer. go1.16 is
  bootstrapped using gcc-go 11 or 12. This allows dropping older
  versions of Go from Factory.

Mon Aug  1 15:40:03 UTC 2022 - Jeff Kowalczyk <>

- go1.18.5 (released 2022-08-01) includes security fixes to the
  encoding/gob and math/big packages, as well as bug fixes to the
  compiler, the go command, the runtime, and the testing package.
  Refs boo#1193742 go1.18 release tracking
  * boo#1202035 CVE-2022-32189 go#53871
  * go#54095 math/big: index out of range in Float.GobDecode
  * go#53883 cmd/compile: interface conversion with generics reports "types from different scopes"
  * go#53875 cmd/go: livelock when computing module graph in a workspace with GOPROXY=off
  * go#53852 cmd/compile: internal compiler error: assertion failed
  * go#53847 runtime: modified timer results in extreme cpu load
  * go#53119 cmd/go: Build information embedded by Go 1.18 impairs build reproducibility with cgo flags
  * go#53112 runtime: gentraceback() dead loop on arm64 casued the process hang
  * go#52986 testing: TempDir RemoveAll cleanup failures with "The process cannot access the file because it is being used by another process."
  * go#52961 cmd/compile: miscompilation in pointer operations

Tue Jul 12 20:28:01 UTC 2022 - Jeff Kowalczyk <>

- go1.18.4 (released 2022-07-12) includes security fixes to the
  compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs,
  net/http, and path/filepath packages, as well as bug fixes to the
  compiler, the go command, the linker, the runtime, and the
  runtime/metrics package.
  Refs boo#1193742 go1.18 release tracking
  CVE-2022-1705 CVE-2022-32148 CVE-2022-30631 CVE-2022-30633 CVE-2022-28131 CVE-2022-30635 CVE-2022-30632 CVE-2022-30630 CVE-2022-1962
  * boo#1201434 CVE-2022-1705 go#53188
  * go#53433 net/http: improper sanitization of Transfer-Encoding header
  * boo#1201436 CVE-2022-32148 go#53423
  * go#53621 net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  * boo#1201437 CVE-2022-30631 go#53168
  * go#53718 compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
  * boo#1201440 CVE-2022-30633 go#53611
  * go#53716 encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
  * boo#1201443 CVE-2022-28131 go#53614
  * go#53712 encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
  * boo#1201444 CVE-2022-30635 go#53615
  * go#53710 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
  * boo#1201445 CVE-2022-30632 go#53416
  * go#53714 path/filepath: stack exhaustion in Glob (CVE-2022-30632)
  * boo#1201447 CVE-2022-30630 go#53415
  * go#53720 io/fs: stack exhaustion in Glob (CVE-2022-30630)
  * boo#1201448 CVE-2022-1962 go#53616
  * go#53708 go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
  * go#53723 cmd/compile: ambiguous selector with generic interface & embedded types
  * go#53618 cmd/compile: condition in for loop body is incorrectly optimised away
  * go#53613 syscall: NewCallback triggers data race on Windows when used from different goroutine
  * go#53590 runtime/metrics: data race detected in Read
  * go#53588 cmd/go: "v1.x.y is not a tag" when .gitconfig sets log.decorate to full
  * go#53587 cmd/compile: miscompilation of value switch involving generic interface types
  * go#53471 cmd/compile: internal compiler error: width not calculated: int128
  * go#53357 cmd/compile: type assertion on generic type fails incorrectly
  * go#53159 cmd/compile: unsafe.Offsetof returns incorrect value in embedded struct with type parameters
  * go#53107 cmd/link: unexpected trampoline error on ppc64le musl with -buildmode=pie
  * go#52689 runtime: total allocation stats are managed in a uintptr which can quickly wrap around on 32-bit architectures

Wed Jun  1 17:51:26 UTC 2022 - Jeff Kowalczyk <>

- go1.18.3 (released 2022-06-01) includes security fixes to the
  crypto/rand, crypto/tls, os/exec, and path/filepath packages, as
  well as bug fixes to the compiler, and the crypto/tls and
  text/template/parse packages.
  Refs boo#1193742 go1.18 release tracking
  CVE-2022-30634 CVE-2022-30629 CVE-2022-30580 CVE-2022-29804
  * boo#1200134 go#52561 CVE-2022-30634
  * go#52933 crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1
  * boo#1200135 go#52814 CVE-2022-30629
  * go#52833 crypto/tls: randomly generate ticket_age_add
  * boo#1200136 go#52574 CVE-2022-30580
  * go#53057 os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset
  * boo#1200137 go#52476 CVE-2022-29804
  * go#52479 path/filepath: Clean(.\c:) returns c: on Windows
  * go#51849 cmd/compile: crash on pointer conversion in call to mapaccess2
  * go#52242 cmd/compile: compiler crash on valid code
  * go#52286 cmd/compile: compiler crash with "Dictionary should have already been generated"
  * go#52791 crypto/tls: 500% increase in allocations from (*tls.Conn).Read in go 1.17
  * go#52878 text/template: break/continue require no whitespace around them
  * go#53043 misc/cgo/testsanitizers: occasional hangs in TestTSAN/tsan12
  * go#53115 misc/cgo/testsanitizers: deadlock in TestTSAN/tsan11

Tue May 10 22:25:54 UTC 2022 - Jeff Kowalczyk <>

- go1.18.2 (released 2022-05-10) includes security fixes to the
  syscall package, as well as bug fixes to the compiler, runtime,
  the go command, and the crypto/x509, go/types, net/http/httptest,
  reflect, and sync/atomic packages.
  Refs boo#1193742 go1.18 release tracking
  * boo#1199413 go#52313 CVE-2022-29526
  * go#52440 syscall: Faccessat checks wrong group
  * go#51738 runtime: wrong type assertion result when using generic types
  * go#51798 cmd/go: add (and default to) -buildvcs=auto
  * go#51859 crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error
  * go#51897 net/http/httptest: race in Close
  * go#52028 go/types: documentation on instance de-duplication is unclear about guarantees
  * go#52149 syscall: TestGroupCleanupUserNamespace failure on linux-s390x-ibm
  * go#52244 go/types, types2: go generic assert compile escape
  * go#52305 runtime: doAllThreadsSyscall has an unaligned atomic load on 32-bit architectures
  * go#52366 cmd/compile/internal/ssa: occurred the wrong rewrite cycle detection
  * go#52375 runtime: executable compiled under Go 1.17.7 will occasionally wedge
  * go#52386 reflect: can set map elem with string key of a different string type
  * go#52441 cmd/compile: incorrect handling of iota in 1.18
  * go#52468 cmd/go: go run -mod=mod [files...] does not update go.mod and go.sum
  * go#52558 cmd/compile: cannot convert v (variable of type *Bar[T]) to type *Foo[T]
  * go#52606 cmd/compile: internal compiler error: weird package in name: .dict0 => .dict0 from "", not "test/p"
  * go#52615 sync/atomic: compare and swap of inconsistently typed values with uninitialized Value
  * go#52691 cmd/compile: generic function appears to use incorrect type descriptor
  * go#52699 runtime: support debugCall on arm64
  * go#52706 net: TestDialCancel is not compatible with new macOS ARM64 builders
  * go#52804 go/types: NewMethodSet doesn't terminate for recursively embedded generics

Mon May  2 08:43:22 UTC 2022 - Martin Liška <>

- Remove remaining use of gold linker when bootstrapping with
  gccgo. The binutils-gold package will be removed in the future.
  * History: go1.8.3 2017-06-18 added conditional if gccgo defined
    BuildRequires: binutils-gold for arches other than s390x
  * No information available why binutils-gold was used initially
  * Unrelated to upstream recent hardcoded gold dependency for ARM

Tue Apr 12 17:42:46 UTC 2022 - Jeff Kowalczyk <>

- go1.18.1 (released 2022-04-12) includes security fixes to the
  crypto/elliptic, crypto/x509, and encoding/pem packages, as well
  as bug fixes to the compiler, linker, runtime, the go command,
  vet, and the bytes, crypto/x509, and go/types packages.
  Refs boo#1193742 go1.18 release tracking
  CVE-2022-24675 CVE-2022-28327 CVE-2022-27536
  * boo#1198423 go#51853 CVE-2022-24675
  * go#52037 encoding/pem: stack overflow
    boo#1198424 go#52075 CVE-2022-28327
  * go#52077 crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes
  * boo#1198427 go#51759 CVE-2022-27536
  * go#51763 crypto/x509: Certificate.Verify crash on macOS with Go 1.18
  * go#52140 cmd/go: go work use -r panics when given a directory that does not exist
  * go#52119 go/types, cmd/compile: type set overlapping implementation for interface types might be not correct
  * go#52032 go/types: spurious diagnostics for untyped shift operands with GoVersion < go1.13
  * go#52007 go/types, types2: scope is unset on receivers of instantiated methods
  * go#51874 cmd/go: Segfault on ppc64le during Go 1.18 build on Alpine Linux
  * go#51855 cmd/compile: internal compiler error: panic: runtime error: index out of range [0] with length 0
  * go#51852 crypto/x509: reject SHA-1 signatures in Verify
  * go#51847 cmd/compile: cannot import "package" (type parameter bound more than once)
  * go#51846 cmd/compile: internal compiler error: walkExpr: switch 1 unknown op RECOVER
  * go#51796 bytes: Trim returns empty slice instead of nil in 1.18
  * go#51767 cmd/go: "go test" seems to now require git due to -buildvcs
  * go#51764 cmd/go: go work use panics when given a file
  * go#51741 cmd/cgo: pointer to incomplete C type is mangled when passed through interface type and generic type assert
  * go#51737 plugin: tls handshake panic: unreachable method called. linker bug?
  * go#51727 cmd/vet, go/types: go vet crash when using self-recursive anonymous types in constraints
  * go#51697 runtime: some tests fails on Windows with CGO_ENABLED=0
  * go#51669 cmd/compile: irgen uses wrong dict param to generate code for getting dict type
  * go#51665 go/types, types2: gopls crash in recordTypeAndValue

Thu Apr  7 23:57:47 UTC 2022 - Jeff Kowalczyk <>

- Template gcc-go.patch to substitute gcc_go_version and eliminate
  multiple similar patches each with hardcoded gcc go binary name.
  gcc-go.patch inserts gcc-go binary name e.g. go-8 to compensate
  for current lack of gcc-go update-alternatives usage.
  * add gcc-go.patch
  * drop gcc6-go.patch
  * drop gcc7-go.patch

Thu Apr  7 17:51:56 UTC 2022 - Jeff Kowalczyk <>

- For SLE-12 set gcc_go_version to 8 to bootstrap using gcc8-go.
  gcc6-go and gcc7-go no longer successfully bootstrap go1.17 or
  go1.18 on SLE-12 aarch64 ppc64le or s390x.
  * gcc6-go fails with errors e.g. libnoder.a(_go_.o):(.toc+0x0):
    undefined reference to `__go_pimt__I4_DiagFrN4_boolee3

Tue Mar 19 21:05:53 UTC 2022 - Jeff Kowalczyk <>

- Add %define go_label as a configurable Go toolchain directory
  * go_label can be used to package multiple Go toolchains with
    the same go_api
  * go_label should be defined as go_api with an optional suffix
    e.g. %{go_api} or %{go_api}-foo
  * Default go_label = go_api makes no changes to package layout

Tue Mar 15 17:42:07 UTC 2022 - Jeff Kowalczyk <>

- go1.18 (released 2022-03-15) is a major release of Go.
  go1.18.x minor releases will be provided through February 2023.
  Go 1.18 is a significant release, including changes to the
  language, implementation of the toolchain, runtime, and
  libraries. Go 1.18 arrives seven months after Go 1.17. As always,
  the release maintains the Go 1 promise of compatibility. We
  expect almost all Go programs to continue to compile and run as
  Refs boo#1193742 go1.18 release tracking
  * See release notes Excerpts
    relevant to OBS environment and for SUSE/openSUSE follow:
  * Go 1.18 includes an implementation of generic features as
    described by the Type Parameters Proposal. This includes major
    but fully backward-compatible changes to the language.
  * The Go 1.18 compiler now correctly reports declared but not
    used errors for variables that are set inside a function
    literal but are never used. Before Go 1.18, the compiler did
    not report an error in such cases. This fixes long-outstanding
    compiler issue go#8560.
  * The Go 1.18 compiler now reports an overflow when passing a
    rune constant expression such as '1' << 32 as an argument to
    the predeclared functions print and println, consistent with
    the behavior of user-defined functions. Before Go 1.18, the
    compiler did not report an error in such cases but silently
    accepted such constant arguments if they fit into an
    int64. Since go vet always pointed out this error, the number
    of affected programs is likely very small.
  * AMD64: Go 1.18 introduces the new GOAMD64 environment variable,
    which selects at compile time a minimum target version of the
    AMD64 architecture. Allowed values are v1, v2, v3, or v4. Each
    higher level requires, and takes advantage of, additional
    processor features. A detailed description can be found
    here. The GOAMD64 environment variable defaults to v1.
  * RISC-V: The 64-bit RISC-V architecture on Linux (the
    linux/riscv64 port) now supports the c-archive and c-shared
    build modes.
  * Linux: Go 1.18 requires Linux kernel version 2.6.32 or later.
  * Fuzzing: Go 1.18 includes an implementation of fuzzing as
    described by the fuzzing proposal. See the fuzzing landing page
    to get started. Please be aware that fuzzing can consume a lot
    of memory and may impact your machine’s performance while it
  * go get: go get no longer builds or installs packages in
    module-aware mode. go get is now dedicated to adjusting
    dependencies in go.mod. Effectively, the -d flag is always
    enabled. To install the latest version of an executable outside
    the context of the current module, use go install Any version query may be used instead
    of latest. This form of go install was added in Go 1.16, so
    projects supporting older versions may need to provide install
    instructions for both go install and go get. go get now reports
    an error when used outside a module, since there is no go.mod
    file to update. In GOPATH mode (with GO111MODULE=off), go get
    still builds and installs packages, as before.
  * Automatic go.mod and go.sum updates: The go mod graph, go mod
    vendor, go mod verify, and go mod why subcommands no longer
    automatically update the go.mod and go.sum files. (Those files
    can be updated explicitly using go get, go mod tidy, or go mod
  * go version: The go command now embeds version control
    information in binaries. It includes the currently checked-out
    revision, commit time, and a flag indicating whether edited or
    untracked files are present. Version control information is
    embedded if the go command is invoked in a directory within a
    Git, Mercurial, Fossil, or Bazaar repository, and the main
    package and its containing main module are in the same
    repository. This information may be omitted using the flag
    -buildvcs=false. Additionally, the go command embeds
    information about the build, including build and tool tags (set
    with -tags), compiler, assembler, and linker flags (like
    -gcflags), whether cgo was enabled, and if it was, the values
    of the cgo environment variables (like CGO_CFLAGS). Both VCS
    and build information may be read together with module
    information using go version -m file or
    runtime/debug.ReadBuildInfo (for the currently running binary)
    or the new debug/buildinfo package. The underlying data format
    of the embedded build information can change with new go
    releases, so an older version of go may not handle the build
    information produced with a newer version of go. To read the
    version information from a binary built with go 1.18, use the
    go version command and the debug/buildinfo package from go
  * go mod download: If the main module's go.mod file specifies go
    1.17 or higher, go mod download without arguments now downloads
    source code for only the modules explicitly required in the
    main module's go.mod file. (In a go 1.17 or higher module, that
    set already includes all dependencies needed to build the
    packages and tests in the main module.) To also download source
    code for transitive dependencies, use go mod download all.
  * go mod vendor: The go mod vendor subcommand now supports a -o
    flag to set the output directory. (Other go commands still read
    from the vendor directory at the module root when loading
    packages with -mod=vendor, so the main use for this flag is for
    third-party tools that need to collect package source code.)
  * go mod tidy: The go mod tidy command now retains additional
    checksums in the go.sum file for modules whose source code is
    needed to verify that each imported package is provided by only
    one module in the build list. Because this condition is rare
    and failure to apply it results in a build error, this change
    is not conditioned on the go version in the main module's
    go.mod file.
  * go work: The go command now supports a "Workspace" mode. If a file is found in the working directory or a parent
    directory, or one is specified using the GOWORK environment
    variable, it will put the go command into workspace mode. In
    workspace mode, the file will be used to determine the
    set of main modules used as the roots for module resolution,
    instead of using the normally-found go.mod file to specify the
    single main module. For more information see the go work
  * go build -asan: The go build command and related commands now
    support an -asan flag that enables interoperation with C (or
    C++) code compiled with the address sanitizer (C compiler
    option -fsanitize=address).
  * //go:build lines: Go 1.17 introduced //go:build lines as a more
    readable way to write build constraints, instead of // +build
    lines. As of Go 1.17, gofmt adds //go:build lines to match
    existing +build lines and keeps them in sync, while go vet
    diagnoses when they are out of sync. Since the release of Go
    1.18 marks the end of support for Go 1.16, all supported
    versions of Go now understand //go:build lines. In Go 1.18, go
    fix now removes the now-obsolete // +build lines in modules
    declaring go 1.17 or later in their go.mod files. For more
    information, see
  * go vet: The vet tool is updated to support generic code. In
    most cases, it reports an error in generic code whenever it
    would report an error in the equivalent non-generic code after
    substituting for type parameters with a type from their type
  * go vet: The cmd/vet checkers copylock, printf, sortslice,
    testinggoroutine, and tests have all had moderate precision
    improvements to handle additional code patterns. This may lead
    to newly reported errors in existing packages.
  * Runtime: The garbage collector now includes non-heap sources of
    garbage collector work (e.g., stack scanning) when determining
    how frequently to run. As a result, garbage collector overhead
    is more predictable when these sources are significant. For
    most applications these changes will be negligible; however,
    some Go applications may now use less memory and spend more
    time on garbage collection, or vice versa, than before. The
    intended workaround is to tweak GOGC where necessary. The
    runtime now returns memory to the operating system more
    efficiently and has been tuned to work more aggressively as a
  * Compiler: Go 1.17 implemented a new way of passing function
    arguments and results using registers instead of the stack on
    64-bit x86 architecture on selected operating systems. Go 1.18
    expands the supported platforms to include 64-bit ARM
    (GOARCH=arm64), big- and little-endian 64-bit PowerPC
    (GOARCH=ppc64, ppc64le), as well as 64-bit x86 architecture
    (GOARCH=amd64) on all operating systems. On 64-bit ARM and
    64-bit PowerPC systems, benchmarking shows typical performance
    improvements of 10% or more. As mentioned in the Go 1.17
    release notes, this change does not affect the functionality of
    any safe Go code and is designed to have no impact on most
    assembly code. See the Go 1.17 release notes for more details.
  * Compiler: The compiler now can inline functions that contain
    range loops or labeled for loops.
  * Compiler: The new -asan compiler option supports the new go
    command -asan option.
  * Compiler: Because the compiler's type checker was replaced in
    its entirety to support generics, some error messages now may
    use different wording than before. In some cases, pre-Go 1.18
    error messages provided more detail or were phrased in a more
    helpful way. We intend to address these cases in Go
    1.19. Because of changes in the compiler related to supporting
    generics, the Go 1.18 compile speed can be roughly 15% slower
    than the Go 1.17 compile speed. The execution time of the
    compiled code is not affected. We intend to improve the speed
    of the compiler in Go 1.19.
  * Linker: The linker emits far fewer relocations. As a result,
    most codebases will link faster, require less memory to link,
    and generate smaller binaries. Tools that process Go binaries
    should use Go 1.18's debug/gosym package to transparently
    handle both old and new binaries.
  * Linker: The new -asan linker option supports the new go command
    -asan option.
  * Bootstrap: When building a Go release from source and
    GOROOT_BOOTSTRAP is not set, previous versions of Go looked for
    a Go 1.4 or later bootstrap toolchain in the directory
    $HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go now
    looks first for $HOME/go1.17 or $HOME/sdk/go1.17 before falling
    back to $HOME/go1.4. We intend for Go 1.19 to require Go 1.17
    or later for bootstrap, and this change should make the
    transition smoother. For more details, see go#44505.
  * The new debug/buildinfo package provides access to module
    versions, version control information, and build flags embedded
    in executable files built by the go command. The same
    information is also available via runtime/debug.ReadBuildInfo
    for the currently running binary and via go version -m on the
    command line.
  * The new net/netip package defines a new IP address type,
    Addr. Compared to the existing net.IP type, the netip.Addr type
    takes less memory, is immutable, and is comparable so it
    supports == and can be used as a map key.
  * TLS 1.0 and 1.1 disabled by default client-side: If
    Config.MinVersion is not set, it now defaults to TLS 1.2 for
    client connections. Any safely up-to-date server is expected to
    support TLS 1.2, and browsers have required it since 2020. TLS
    1.0 and 1.1 are still supported by setting Config.MinVersion to
    VersionTLS10. The server-side default is unchanged at TLS
    1.0. The default can be temporarily reverted to TLS 1.0 by
    setting the GODEBUG=tls10default=1 environment variable. This
    option will be removed in Go 1.19.
  * Rejecting SHA-1 certificates: crypto/x509 will now reject
    certificates signed with the SHA-1 hash function. This doesn't
    apply to self-signed root certificates. Practical attacks
    against SHA-1 have been demonstrated since 2017 and publicly
    trusted Certificate Authorities have not issued SHA-1
    certificates since 2015. This can be temporarily reverted by
    setting the GODEBUG=x509sha1=1 environment variable. This
    option will be removed in Go 1.19.
  * crypto/elliptic The P224, P384, and P521 curve implementations
    are now all backed by code generated by the addchain and
    fiat-crypto projects, the latter of which is based on a
    formally-verified model of the arithmetic operations. They now
    use safer complete formulas and internal APIs. P-224 and P-384
    are now approximately four times faster. All specific curve
    implementations are now constant-time. Operating on invalid
    curve points (those for which the IsOnCurve method returns
    false, and which are never returned by Unmarshal or a Curve
    method operating on a valid point) has always been undefined
    behavior, can lead to key recovery attacks, and is now
    unsupported by the new backend. If an invalid point is supplied
    to a P224, P384, or P521 method, that method will now return a
    random point. The behavior might change to an explicit panic in
    a future release.
  * crypto/tls: The new Conn.NetConn method allows access to the
    underlying net.Conn.
  * crypto/x509: Certificate.Verify now uses platform APIs to
    verify certificate validity on macOS and iOS when it is called
    with a nil VerifyOpts.Roots or when using the root pool
    returned from SystemCertPool. SystemCertPool is now available
    on Windows.
  * crypto/x509: CertPool.Subjects is deprecated. On Windows,
    macOS, and iOS the CertPool returned by SystemCertPool will
    return a pool which does not include system roots in the slice
    returned by Subjects, as a static list can't appropriately
    represent the platform policies and might not be available at
    all from the platform APIs.
  * crypto/x509: Support for signing certificates using signature
    algorithms that depend on the MD5 and SHA-1 hashes (MD5WithRSA,
    SHA1WithRSA, and ECDSAWithSHA1) may be removed in Go 1.19.
  * net/http: When looking up a domain name containing non-ASCII
    characters, the Unicode-to-ASCII conversion is now done in
    accordance with Nontransitional Processing as defined in the
    Unicode IDNA Compatibility Processing standard (UTS #46). The
    interpretation of four distinct runes are changed: ß, ς,
    zero-width joiner U+200D, and zero-width non-joiner
    U+200C. Nontransitional Processing is consistent with most
    applications and web browsers.
  * os/user: User.GroupIds now uses a Go native implementation when
    cgo is not available.
  * runtime/debug: The BuildInfo struct has two new fields,
    containing additional information about how the binary was
    built: GoVersion holds the version of Go used to build the
    binary. Settings is a slice of BuildSettings structs holding
    key/value pairs describing the build.
  * runtime/pprof: The CPU profiler now uses per-thread timers on
    Linux. This increases the maximum CPU usage that a profile can
    observe, and reduces some forms of bias.
  * syscall: The new function SyscallN has been introduced for
    Windows, allowing for calls with arbitrary number of arguments.
    As a result, Syscall, Syscall6, Syscall9, Syscall12, Syscall15,
    and Syscall18 are deprecated in favor of SyscallN.

Wed Mar  9 17:03:28 UTC 2022 - Dirk Müller <>

- add dont-force-gold-on-arm64.patch (bsc#1183043)
- drop binutils-gold dependency

Fri Feb 18 02:10:17 UTC 2022 - Jeff Kowalczyk <>

- Add .bin assembler pattern table file and test data to packaging.
  * Error manifests building some Go applications as:
    pattern p256_asm_table.bin: no matching files found
  * A Quick Guide to Go's Assembler
  * New assembler pattern file added to packaging with mode 644:
  * Existing test data files added to packaging with mode 644:

Thu Feb 17 07:38:54 UTC 2022 - Jeff Kowalczyk <>

- go1.18rc1 (released 2022-02-16) is a release candidate version of
  go1.18 cut from the master branch at the revision tagged
  Refs boo#1193742 go1.18 release tracking

Mon Jan 31 19:25:36 UTC 2022 - Jeff Kowalczyk <>

- go1.18beta2 (released 2022-01-31) is a beta version of go1.18 cut
  from the master branch at the revision tagged go1.18beta2.
  Refs boo#1193742 go1.18 release tracking

Tue Dec 14 20:06:19 UTC 2021 - Jeff Kowalczyk <>

- go1.18beta1 (released 2021-12-14) is a beta version of go1.18 cut
  from the master branch at the revision tagged go1.18beta1.
  Refs boo#1193742 go1.18 release tracking
openSUSE Build Service is sponsored by