| 13 Jul 2023 |
@qbit:tapenet.org | probably would be tough though.. because the db is remote | 15:50:25 |
@qbit:tapenet.org | oh
An experimental tool to generate your own vulnerability database index is provided at golang.org/x/vulndb/cmd/indexdb.
maybe not :D
| 15:50:43 |
j-k | oh, 1.0.0, time to update | 15:51:21 |
@qbit:tapenet.org | j-k i created a pr already :D | 15:51:34 |
j-k | ty | 15:51:42 |
@qbit:tapenet.org | https://github.com/NixOS/nixpkgs/pull/243297 | 15:52:14 |
eyJhb | In reply to @qbit:tapenet.org: https://go.dev/blog/govulncheck - it would be neat if we had some sorta integration with this.. like a checkphase or something
Thanks for sharing, didn't even know about this | 15:55:08 |
j-k | I was very excited when it was announced. I was fed up with explaining "no, this critical k8s vuln doesn't affect my linter that transitively imports k8s stuff" pretty much every single week. | 15:57:42 |
@qbit:tapenet.org | heh | 15:58:30 |
@qbit:tapenet.org | i have been using it for a bit now, it seems to do a really good job | 15:58:48 |
@qbit:tapenet.org | really low false positive rate (not sure i have seen one.. ) | 15:59:07 |
j-k | I'm surprised they didn't bump the modules for 1.0.0, I doubt none of these have updated since | 15:59:52 |
@qbit:tapenet.org | oh, hah - i didn't even notice the vendorHash didn't change | 16:02:47 |
@qbit:tapenet.org | https://github.com/golang/vuln/compare/v0.2.0...v1.0.0.patch i had to double check (make sure i didn't mess up :D) | 16:05:48 |
@qbit:tapenet.org | (also ... and .diff/.patch are one of my fav features of gh) | 16:06:39 |
eyJhb | Whoops https://pkg.go.dev/vuln/GO-2023-1878 | 18:09:03 |
eyJhb | Found in my code | 18:09:06 |
| 15 Jul 2023 |
| @jarkad:tchncs.de joined the room. | 19:27:28 |
| 18 Jul 2023 |
| kirillrdy set a profile picture. | 12:22:39 |
| 22 Jul 2023 |
| @jarkad:tchncs.de left the room. | 02:13:30 |
| 23 Jul 2023 |
| vcunat joined the room. | 11:52:46 |
Artturin | https://github.com/NixOS/nixpkgs/pull/242905#issuecomment-1646877937 | 16:17:05 |
Artturin | the last message from go mod vendor is
k2tf> go: replacement path ./vendor/k8s.io/cli-runtime/pkg/kustomize/k8sdeps/transformer inside vendor directory
| 16:19:10 |
Artturin | tinygo.goModules
error: illegal path references in fixed-output derivation '/nix/store/06v7rn03bgsnzvv89dn8i2a6kap1fijl-tinygo-0.26.0-goModules.drv'
| 16:28:47 |
Artturin | These modules built correctly on older go versions but not on newer go versions | 16:29:11 |
Artturin | How can vendoring break version to version, Go damn | 16:29:49 |
Artturin | * How can vendoring break in multiple ways version to version, Go damn | 16:30:43 |
@qbit:tapenet.org | Is there a rewrite in the go.mod? | 17:17:55 |
| @atalii:matrix.org joined the room. | 17:58:44 |
@atalii:matrix.org | is it okay if i ask a quick question about buildGoModule here? i'm reading through the source to get an idea of how to handle deps for a different language and build system, and it seems that the buildPhase of buildGoModule calls go mod vendor or go mod package. that seems to require the network, but it also seems to work in the sandbox. would anyone be able to tell me what i'm missing here? thanks :) | 18:00:56 |