Hi Simon,
My heads-up concerns a change in `crypto/x509`, which is part of the Go standard library and distributed with the `golang` compiler.
The package you are working on, `golang-go.crypto 0.43.0`, refers to `
golang.org/x/crypto`. These are related but distinct packages.
Best regards,
Reinhard
regards,
Reinhard
Thanks for heads-up! I am working on golang-go.crypto 0.43.0, that
wouldn't really be a problem related to this, right? Presumable the
change below is for some good reason, in which case we ought to fix the
breakage rather than holding back package updates.
/Simon
Reinhard Tartler <siretart@gmail.com> writes:
> Dear fellow Debian Golang Packagers,
>
> I am writing to give you a heads-up about a subtle change in Golang 1.25.2
> that makes X.509 certificate verification more strict in the `crypto/x509`
> package, which is part of the standard library. The change in question is
> https://github.com/golang/go/commit/3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4
> and I expect it to break rebuilds of several golang packages in Debian.
>
> Specifically, the DNS in the X.509v3 Subject Alternative Name can no longer
> be empty (cf.
> https://github.com/etcd-io/etcd/pull/20775#issuecomment-3385325872). This
> change caused #1117747. I have also seen a similar issue when rebuilding
> `sigstore-go`, and I plan to file a proper bug report later.
>
> I hope this heads-up saves valuable time for others who are surprised by
> test failures containing the error: "x509: SAN rfc822Name is malformed".
>
>
>
> Best regards,
> Reinhard