File go1.13.changes of Package go1.13.16029

-------------------------------------------------------------------
Thu Aug  6 19:23:18 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.15 (released 2020/08/06) includes security fixes to the
  encoding/binary package.
  CVE-2020-16845
  Refs boo#1149259 go1.13 release tracking
  * boo#1174977 CVE-2020-16845
  * go#40620 encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs

-------------------------------------------------------------------
Fri Jul 17 07:33:25 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.14 (released 2020/07/16) includes fixes to the compiler,
  vet, and the database/sql, net/http, and reflect packages
  Refs boo#1149259 go1.13 release tracking
  * go#39925 net/http: panic on misformed If-None-Match Header with http.ServeContent
  * go#39848 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes
  * go#39823 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15
  * go#39697 reflect: panic from malloc after MakeFunc function returns value that is also stored globally
  * go#39561 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it tries to use an older version of dlv which only supports linux/amd64
  * go#39538 net: TestDialParallel is flaky on windows-amd64-longtest
  * go#39287 cmd/vet: update for new number formats

-------------------------------------------------------------------
Wed Jul 14 00:24:08 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.13 (released 2020/07/14) includes security fixes to the
  crypto/x509 and net/http packages addressing the following CVE:
  CVE-2020-15586 CVE-2020-14039
  Refs boo#1174153 boo#1174191
  Refs boo#1149259 go1.13 release tracking
  * boo#1174153 CVE-2020-15586
  * boo#1174191 CVE-2020-14039 (Windows only)
  * go#40211 net/http: Expect 100-continue panics in httputil.ReverseProxy
  * go#40209 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows

-------------------------------------------------------------------
Mon Jun 29 13:46:47 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- Packaging improvements for update-alternatives priority,
  %license tag, and permissions in %files macro section.
  * update-alternatives increment priority on this and subsequent
    go1.x versions using priority = 20 + (minor version) i.e.
    go1.13 = 33, go1.14 = 34, etc.
  * Use %license tag for LICENSE keep %doc for suse_version < 1500
  * Remove %defattr(-,root,root,-) in %files

-------------------------------------------------------------------
Fri Jun 12 12:34:48 UTC 2020 - Richard Brown <rbrown@suse.com>

- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is
  not present boo#1172868 gh#golang/go#35305
  * add go1.x-prefer-etc-hosts-over-dns.patch
  * Patch renamed and fields added per packaging guidelines
    on 2020-07-15 by Jeff Kowalczyk <jkowalczyk@suse.com>
  * Patch can likely be dropped for go1.16 in February 2021

-------------------------------------------------------------------
Mon Jun  8 08:22:07 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Ensure ARM arch is set properly - boo#1169832

-------------------------------------------------------------------
Sat Jun  6 01:46:13 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Document (and clean up) LLVM snapshotting for go-race.
- Update _service to no longer fetch Go from git.

-------------------------------------------------------------------
Fri Jun  5 22:56:00 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.12 (released 2020/06/01) includes fixes to the runtime,
  and the go/types and math/big packages.
  Refs boo#1149259.
  * go#38932 runtime: preemption in startTemplateThread may cause infinite hang
  * go#36689 go/types, math/big: data race in go/types due to math/big.Rat accessors unsafe for concurrent use

-------------------------------------------------------------------
Fri May 15 19:42:01 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.11 (released 2020/05/14) includes fixes to the compiler.
  Refs boo#1149259.
  * go#38442 cmd/compile: unexpected nil dereference on s390x

-------------------------------------------------------------------
Wed Apr 29 13:19:09 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Requires binutils-gold for %arm and aarch64 - boo#1170826

-------------------------------------------------------------------
Thu Apr  9 03:49:17 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.10 (released 2020/04/08) includes fixes to the go command,
  the runtime, os/exec, and time packages.
  Refs boo#1149259.
  * go#38236 time: NewTicker will not emit ticks at a frequency greater than 1/sec on qemu user mode ppc64le
  * go#38082 cmd/go/internal/test: data race in (*runCache).builderRunTest
  * go#37901 cmd/compile/internal/syntax: TestStdLib verbosely broken on Windows
  * go#37895 os: TestRemoveAllWithMoreErrorThanReqSize is failing on Plan 9 and Windows
  * go#37892 net/http: TestCancelRequestWithChannelBeforeDo_Cancel failure on Windows long test
  * go#37802 cmd/go: 'Access is denied' when renaming module cache directory
  * go#37483 runtime: "fatal error: unexpected signal" 0xC0000005 on Windows for a small program with a large allocation
  * go#37433 os/exec: environForSysProcAttr is never called as sysattr.Env is never nil
  * go#37230 PowerRegisterSuspendResumeNotification error on Azure App Services with go 1.13.7

-------------------------------------------------------------------
Fri Mar 20 04:30:47 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.9 (released 2020/03/19) includes fixes to the go command,
  tools, the runtime, the toolchain, and the crypto/cypher package.
  Refs boo#1149259.
  * go#37826 internal/syscall/windows/registry: TestWalkFullRegistry failing on windows-amd64-longtest
  * go#37821 cmd/go: module's "go" version should be included in cache key
  * go#37417 crypto/cipher: NewGCMWithNonceSize allows zero-length nonce
  * go#37342 cmd/trace: requires HTML imports, which doesn't work on any major browser anymore
  * go#36846 cmd/link: system linker warnings on macOS 10.14 when using cgo

-------------------------------------------------------------------
Tue Mar  3 00:09:02 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Packaging sync accumulated changes from go1.12
  Refs boo#1149259.
- Use gcc9 by default by updating define gcc_go_version 9 (was 8)
  * drop unneeded patch gcc8-go.patch
- Fix broken go_api evaluation (1.12 < 1.5, when evaluated as floats),
  let RPM evaluate the expression, drop no longer required bc.
- Own the gdbinit.d directory, avoid the build dependency on gdb.
- Add %ifarch %arm aarch64 BuildRequires: binutils-gold to fix
  /usr/lib64/go/{version}/pkg/tool/linux_arm64/link: running gcc failed: exit status 1
  collect2: fatal error: cannot find 'ld'-

-------------------------------------------------------------------
Thu Feb 13 19:45:43 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.8 (released 2020/02/12) includes fixes to the runtime, the
  crypto/x509, and net/http packages.
  Refs boo#1149259.
  * go#37067 crypto/x509: MarshalPKCS8PrivateKey doc says RSA private key while it supports more than that
  * go#36583 net/http: HTTP/2 with MaxConnsPerHost hangs or crashes
  * go#36575 runtime: "PowerRegisterSuspendResumeNotification failed with errno= 87" when running in Windows docker containers
  * Truncate changelog for versions older than go1.13

-------------------------------------------------------------------
Wed Jan 29 00:18:21 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.7 (released 2020/01/28) includes two security fixes to
  the crypto/x509 package.
  Refs boo#1149259.
  * go#36838 crypto/x509, x/crypto/cryptobyte: panic in certificate parsing
  * go#36835 crypto/x509: certificate validation bypass on Windows 10

-------------------------------------------------------------------
Fri Jan 10 08:25:35 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.6 (released 2020/01/09) includes fixes to the runtime
  and the net/http package
  Refs boo#1149259.
  * go#36434 net/http: racing write to t.ProxyConnectHeader in dialConn when proxy URL includes auth credentials
  * go#36361 runtime: sweep increased allocation count crash on arm64
  * go#36127 runtime: "attempt to execute system stack code on user stack" during heap scavenging
  * go#36003 doc: release history webpage contains suboptimal links
  * go#35746 runtime: "fatal error: PowerRegisterSuspendResumeNotification failure" when running in Windows docker containers

-------------------------------------------------------------------
Fri Dec  6 04:38:50 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.5 (released 2019/12/04) includes fixes to the go command,
  the runtime, the linker, and the net/http package.
  Refs boo#1149259.
  * go#35765 net/http: Server.ConnContext accidentally modifies context for all connections
  * go#35748 ensure that Go toolchain meets Apple’s notarization requirements
  * go#35408 runtime: panic when using errors.As with validation errors from github.com/go-ozzo/ozzo-validation
  * go#35318 cmd/go: "fatal error: concurrent map writes" during go get
  * go#35211 runtime: function textOff returns incorrect value if multiple text sections are present
  * go#34825 cmd/link: nil pointer dereference crash when building with an Android NDK toolchain
  * go#34642 syscall: (*LazyProc).Call does not keep arguments alive (anymore)

-------------------------------------------------------------------
Fri Nov  1 04:38:50 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.4 (released 2019/10/31) includes fixes to the net/http and
  syscall packages. It also fixes an issue on macOS 10.15 Catalina
  where the non-notarized installer and binaries were being rejected
  by Gatekeeper.
  Refs boo#1149259.
  * go#35119 cmd/go: incorrectly rejects '@' character in directory names
  * go#35105 syscall: the wrong sysctl was gimped on iOS
  * go#35087 net/http: transport caches permanently broken persistent connections if write error happens during h2 handshake

-------------------------------------------------------------------
Wed Oct 23 20:52:04 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Prevent stripping of go .a archives to fix invalid binaries
  produced by build that runs successfully to completion.
  Indication which can be found in build logs is:
  objcopy a(__.PKGDEF): Unable to recognise the format of file
  objcopy a(_go_.o): Unable to recognise the format of file
  * boo#1149638 NO_BRP_STRIP_DEBUG NO_BRP_AR to prevent stripping go .a archives

-------------------------------------------------------------------
Sat Oct 19 20:25:46 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.3 (released 2019/10/17) includes fixes to the go command,
  the toolchain, the runtime, syscall, net, net/http, and
  crypto/ecdsa packages.
  Refs boo#1149259.
  * go#34928 crypto/ecdsa: revert ECDSA assembly on s390x
  * go#34922 cmd/vet: go vet -vettool=$(which shadow) errors in go1.13 only (flag provided but not defined: -unsafeptr)
  * go#34884 net/http: Client.Do() panics when URL includes HTTP basic auth
  * go#34882 net/http: Client.Do() panics when URL includes HTTP basic auth
  * go#34800 cmd/go: newlines inconsistently preserved in go.mod rewriting
  * go#34747 cmd/go: 'go get […]/v2@v2.X.Y' fails when the repo root contains the go.mod file for […]/v2 but no .go source files
  * go#34714 runtime, internal/poll: darwin: ensure that no thread is consumed, nor a syscall.Read if FD isn't yet ready for I/O
  * go#34712 runtime: "program exceeds 50-thread limit" in test of os package on darwin-arm-mg912baios
  * go#34694 cmd/go: loading dependencies with `go test -i` does not correctly handle `*.go` import paths
  * go#34679 cmd/go: `go mod download -json` is a lot slower with go1.13
  * go#34662 net: infinite loop in LookupAddr()
  * go#34636 x/net/http2: window updates on randomWriteScheduler after stream closed cause memory leaks
  * go#34579 net/http: TestTimeoutHandlerAndFlusher flaky on darwin-arm64-corellium
  * go#34560 net/http: Flush in TimeoutHandler for Go1.13 is broken and might need a revert
  * go#34556 runtime: high-percentile latency of memory allocations has regressed significantly
  * go#34498 net/http: Connection to HTTP/2 site with IdleConnTimeout hangs
  * go#34497 cmd/go: 'go get […]/v2@v2.X.Y' fails when the go.mod file for […]/v2 is at the repo root
  * go#34477 cmd/go: 'go get cloud.google.com/go@master' chooses a v0.0.0- pseudo-version
  * go#34388 syscall: memory corruption in *bool types generated by mksyscall_windows.go
  * go#34328 cmd/go: 'go list -test' prints main package twice
  * go#34326 cmd/go: working directory affects binaries even with -trimpath
  * go#34321 cmd/go: 'go list -test' prints main package twice NeedsFix Testing Tools
  * go#34285 net/http/httptrace: panic on GotConn
  * go#34243 cmd/go: `go get` fails when repository ends with `.go`
  * go#34223 cmd/go: Duplicate symbols with more than one main package in -coverpkg
  * go#34215 cmd/go: get fails on gitlab subgroups
  * go#34170 x/mobile: apps built with go 1.13, still rejected by Apple app store
  * go#34150 runtime: potential deadlock cycle caused by scavenge.lock
  * go#34149 runtime: scavenger pacing fails to account for fragmentation
  * go#34130 runtime: Timer buckets may get "stuck" for long periods of time after Windows 8/10 systems wake from sleep
  * go#34118 cmd/go: "found, but does not contain package" error refers to replaced version instead of its replacement
  * go#34083 cmd/go: 'go test' adds test.timeout flag after positional arguments
  * go#34082 doc: errors: wrong unwrap example
  * go#34081 cmd/go: go get panics in GOPATH mode on custom import path with an insecure redirect
  * go#33984 cmd/cover: cannot run in directory with no .go files
  * go#33761 cmd/compile: "only supported as of -lang=go1.13" error is misleading

-------------------------------------------------------------------
Fri Oct 18 05:41:03 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.2 (released 2019/10/17) includes security fixes to
  the compiler and crypto/dsa addressing the following CVE:
  CVE-2019-17596
  Refs boo#1149259.
  * boo#1154402 CVE-2019-17596
  * go#34962 crypto/dsa: invalid public key causes panic in dsa.Verify
  * go#34807 cmd/compile: access to negative slice indices improperly permitted

-------------------------------------------------------------------
Thu Sep 26 04:10:20 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13.1 (released 2019/09/25) includes security fixes to the
  net/http package addressing the following CVE:
  CVE-2019-16276
  Refs boo#1149259.
  * boo#1152082 CVE-2019-16276
  * go#34540 net/http: invalid headers are normalized, allowing request smuggling

-------------------------------------------------------------------
Tue Sep  3 18:43:11 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13 (released 2019-09-03) is a major release of Go.
  Minor releases of go1.13.x will be provided through August 2020.
  Most go1.13 changes are in the implementation of the toolchain,
  runtime, and libraries. As always, the release maintains the Go 1
  promise of compatibility. Upstream expects almost all Go programs
  to continue to compile and run as before. Changes relevant to
  packaging and the OBS build environment are summarized below,
  see https://golang.org/doc/go1.13 for additional details.
  Refs boo#1149259.
  * As of Go 1.13, the go command by default downloads and
    authenticates modules using the Go module mirror and Go
    checksum database run by Google.
  * Default GO111MODULE="auto" now activates the module-aware mode
    when the current or parent directory contains a go.mod file.
  * Default GOPROXY="https://proxy.golang.org,direct" can contain a
    comma-separated list of proxy URLs or the special token direct.
  * Default GOSUMDB="sum.golang.org" verifies checksums of present
    in go.sum as well as checksums of dependency modules not
    present in go.sum.
  * Build environments which do not have network access should set
    GOPROXY to direct, and/or GOSUMDB to off.
  * If GOSUMDB is set to off, the checksum database is not
    consulted and only the existing checksums in the go.sum file
    are verified.
  * If your code uses modules and your go.mod files specifies a
    language version, be sure it is set to at least 1.13 to get
    access to go1.13 language changes. You can do this by editing
    the go.mod file directly, or you can run go mod edit -go=1.13.
  * As announced in Go 1.12, Go 1.13 enables support for TLS 1.3 in
    the crypto/tls package by default. It can be disabled by adding
    the value tls13=0 to the GODEBUG environment variable. The
    opt-out will be removed in Go 1.14.
  * The new crypto/ed25519 package implements the Ed25519 signature
    scheme. This functionality was previously provided by the
    golang.org/x/crypto/ed25519 package, which becomes a wrapper
    for crypto/ed25519 when used with Go 1.13+.
  * The runtime is now more aggressive at returning memory to the
    operating system to make it available to co-tenant
    applications. Previously, the runtime could retain memory for
    five or more minutes following a spike in the heap size. It
    will now begin returning it promptly after the heap
    shrinks. However, on many OSes, including Linux, the OS itself
    reclaims memory lazily, so process RSS will not decrease until
    the system is under memory pressure.
  * The compiler has a new implementation of escape analysis that
    is more precise. For most Go code should be an improvement (in
    other words, more Go variables and expressions allocated on the
    stack instead of heap). However, this increased precision may
    also break invalid code that happened to work before (for
    example, code that violates the unsafe.Pointer safety
    rules). If you notice any regressions that appear related, the
    old escape analysis pass can be re-enabled with
    go build -gcflags=all=-newescape=false. The option to use the
    old escape analysis will be removed in a future release.
  * The compiler no longer emits floating point or complex
    constants to go_asm.h files. These have always been emitted in
    a form that could not be used as numeric constant in assembly
    code.
- Drop patch allow-binary-only-packages.patch
  * This change was applied as of go1.13beta1 packaging
  * As announced in the Go 1.12 release notes, binary-only packages
    are no longer supported. Building a binary-only package (marked
    with a //go:binary-only-package comment) now results in an
    error.
  * In go1.12 and earlier, it was possible to distribute packages in
    binary form without including the source code used for compiling
    the package. "go build" and other commands no longer support
    binary-only-packages.
    https://tip.golang.org/pkg/go/build/#hdr-Binary_Only_Packages
  * Go applications are statically compiled from collected sources
    and compiled go modules are not commonly deployed as binary-only
    dependency packages.
  * Support for binary-only packages has been narrowing since
    go1.10. Context noted here for historical purposes:
    * https://tip.golang.org/doc/go1.10: Many details of the go
      build implementation have changed to support these
      improvements. One new requirement implied by these changes is
      that binary-only packages must now declare accurate import
      blocks in their stub source code, so that those imports can
      be made available when linking a program using the
      binary-only package. For more details, see go help filetype.
    * go help filetype: Non-test Go source files can also include a
      //go:binary-only-package comment, indicating that the package
      sources are included for documentation only and must not be
      used to build the package binary. This enables distribution
      of Go packages in their compiled form alone. Even binary-only
      packages require accurate import blocks listing required
      dependencies, so that those dependencies can be supplied when
      linking the resulting command.
    * go#23473 cmd/go: can't link programs that depend on transitive binary only packages
    * go#24318 cmd/go: go:binary-only-package not working in go 1.10
- Regenerate gcc6 go bootstrap patch gcc6-go.patch to include recent
  GO111MODULE=off argument in go (patch to go-6) build commands

-------------------------------------------------------------------
Thu Aug 29 16:46:13 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13rc2 (released 2019/08/29) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below in changelog entries for go1.13beta1,
  see https://tip.golang.org/doc/go1.13#modules for details
  * See https://tip.golang.org/doc/go1.13 for WIP documentation
  * Full changelog against go1.12.x generated upon go1.13 release

-------------------------------------------------------------------
Wed Aug 21 21:56:14 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13rc1 (released 2019/08/21) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below in changelog entries for go1.13beta1,
  see https://tip.golang.org/doc/go1.13#modules for details
  * See https://tip.golang.org/doc/go1.13 for WIP documentation
  * Full changelog against go1.12.x generated upon go1.13 release

-------------------------------------------------------------------
Fri Jul  5 16:17:47 UTC 2019 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.13beta1 (released 2019/06/26) is packaged before stable
  release of go1.13 to provide a preview of the new default
  behavior for go modules. This early access is primarily intended
  to test OBS use with upstream go proxy infrastructure. Relevant
  changes are listed below, see
  https://tip.golang.org/doc/go1.13#modules for details
  * The go command by default downloads and authenticates modules
    modules using the Go module mirror and Go checksum database run
    by Google.
  * Default GO111MODULE="auto" now activates the module-aware mode
    when the current or parent directory contains a go.mod file.
  * Default GOPROXY="https://proxy.golang.org,direct" can contain a
    comma-separated list of proxy URLs or the special token direct.
  * Default GOSUMDB="sum.golang.org" verifies checksums of present
    in go.sum as well as checksums of dependency modules not
    present in go.sum.
  * Build environments which do not have network access should set
    GOPROXY to direct, and/or GOSUMDB to off.
  * If GOSUMDB is set to off, the checksum database is not
    consulted and only the existing checksums in the go.sum file
    are verified.
- Drop patch allow-binary-only-packages.patch
  * In go1.12 and earlier, it was possible to distribute packages in
    binary form without including the source code used for compiling
    the package. "go build" and other commands no longer support
    binary-only-packages.
    https://tip.golang.org/pkg/go/build/#hdr-Binary_Only_Packages
  * Go applications are statically compiled from collected sources
    and compiled go modules are not commonly deployed as binary-only
    dependency packages.
  * Dropping the patch in this 1.13beta release to align with
    upstream will allow packagers to identify any existing users of
    binary-only dependency packages, of which none are expected.
  * Support for binary-only packages has been narrowing since
    go1.10. Context noted here for historical purposes:
    * https://tip.golang.org/doc/go1.10: Many details of the go
      build implementation have changed to support these
      improvements. One new requirement implied by these changes is
      that binary-only packages must now declare accurate import
      blocks in their stub source code, so that those imports can
      be made available when linking a program using the
      binary-only package. For more details, see go help filetype.
    * go help filetype: Non-test Go source files can also include a
      //go:binary-only-package comment, indicating that the package
      sources are included for documentation only and must not be
      used to build the package binary. This enables distribution
      of Go packages in their compiled form alone. Even binary-only
      packages require accurate import blocks listing required
      dependencies, so that those dependencies can be supplied when
      linking the resulting command.
    * go#23473 cmd/go: can't link programs that depend on transitive binary only packages
    * go#24318 cmd/go: go:binary-only-package not working in go 1.10
openSUSE Build Service is sponsored by