security: fixes EOL runtime vulnerabilities. Go 1.21 → 1.26, blst v0.3.11 → v0.3.16 #10
Open
chris-mercer wants to merge 5 commits into
Go 1.21 reached end-of-life in August 2024 with no security patches. This is the primary ETC client — cannot ship on EOL toolchain.

Changes:
- go.mod: Go 1.21 → 1.24
- Dockerfiles: golang:1.22-alpine → golang:1.24-alpine
- CI workflows: all 8 workflow files updated to Go 1.24
- Remove fjl/memsize dependency (incompatible with Go 1.23+ due to runtime.stopTheWorld linkname restriction, no upstream fix available)
- Fix Go 1.24 non-constant format string vet errors in 7 test files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

blst v0.3.11 used `typedef _Bool bool` which C23-aware GCC in golang:1.24-alpine rejects (bool is a keyword in C23). v0.3.14 includes explicit C23 harmonization and Go 1.24 support.

Also added -std=gnu11 to gotool.go CGO_CFLAGS as defense-in-depth against future C23 typedef issues from any CGO dependency. The Dockerfile ENV approach was ineffective because gotool.go unconditionally overrides CGO_CFLAGS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Go 1.24 reached end-of-life on 2026-02-11. Go 1.26.1 is the current stable release. The x/tools package required updating for Go 1.26 compatibility, which cascaded to x/crypto, x/net, x/sys, x/sync, x/text, and x/mod.

Changes:
- go.mod: Go 1.24 → 1.26
- golang.org/x/tools v0.21 → v0.43 (Go 1.26 compat)
- golang.org/x/crypto v0.31 → v0.49 (cascading dep)
- golang.org/x/net v0.33 → v0.52 (cascading dep)
- golang.org/x/sys v0.28 → v0.42 (cascading dep)
- golang.org/x/sync v0.10 → v0.20 (cascading dep)
- golang.org/x/text v0.21 → v0.35 (cascading dep)
- golang.org/x/mod v0.17 → v0.34 (cascading dep)
- All 8 CI workflows: go-version 1.24 → 1.26
- Both Dockerfiles: golang:1.24-alpine → golang:1.26-alpine

Verified: go build ./..., go vet ./..., go mod tidy (clean)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Latest stable release (Sep 2024). Includes lifted limitation for 384-bit modular inversion and hardened operations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Brings x/time to current release. Used in p2p/dnsdisc rate limiting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Upgrades the project toolchain and crypto/build dependencies to address EOL Go runtime risk and update cryptographic library baselines, plus small code/test tweaks to keep go vet clean under the newer toolchain.
Changes:
- Bump Go toolchain target to 1.26 and update CI + Docker builder images accordingly.
- Upgrade blst and `golang.org/x/*` dependencies; remove `fjl/memsize` integration.
- Fix vet failures by using constant format strings in tests and a few output helpers; add `-std=gnu11` to CGO flags in the internal build toolchain.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| metrics/json_test.go | Fixes t.Fatalf usage to avoid non-constant format string vet errors. |
| internal/debug/flags.go | Removes memsize UI handler and /memsize HTTP handler registration from pprof server. |
| internal/build/gotool.go | Updates CGO flags (portable blst + -std=gnu11) for the internal Go tool invocations. |
| go.mod | Bumps go version to 1.26; updates blst and x/ dependencies; removes fjl/memsize. |
| go.sum | Syncs sums with updated/removed dependencies (blst, x/*, etc.). |
| core/rawdb/accessors_chain_test.go | Fixes vet failures by using constant format strings in t.Fatalf. |
| cmd/rlpdump/main.go | Fixes non-constant fmt.Fprintf format string vet issue. |
| cmd/geth/main.go | Removes debug.Memsize.Add usage (memsize dependency removal). |
| cmd/geth/logging_test.go | Fixes vet failures by using constant format strings in t.Logf. |
| cmd/evm/t8n_test.go | Fixes vet failures by using constant format strings in t.Logf. |
| accounts/abi/unpack_test.go | Fixes a broken t.Fatalf format string concatenation. |
| Dockerfile.alltools | Updates builder image to golang:1.26-alpine. |
| Dockerfile | Updates builder image to golang:1.26-alpine. |
| .github/workflows/test-linux.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/release-packages.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/go-generate-check.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/evmc.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/bench-vm.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/bench-trie.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/bench-core.yml | Updates actions/setup-go to use Go 1.26. |
| .github/workflows/audit-bootnodes.yml | Updates actions/setup-go to use Go 1.26. |
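
A check that every toolchain pin this PR touches (the `go` directive in go.mod, the `golang:` builder image in each Dockerfile, the `go-version` in each workflow) moved together; this is an added example, not code from the PR or the project. The file contents, the module path and the `FindDrift` name are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"sort"
)

// File-name glob -> pattern capturing the pinned Go major.minor.
var pins = map[string]*regexp.Regexp{
	"go.mod":      regexp.MustCompile(`(?m)^go\s+(\d+\.\d+)`),
	"Dockerfile*": regexp.MustCompile(`(?mi)^FROM\s+golang:(\d+\.\d+)`),
	"*.yml":       regexp.MustCompile(`(?m)^\s*go-version:\s*['"]?(\d+\.\d+)`),
}

// Constructed sample tree (file contents are made up for this example).
var sample = map[string]string{
	"go.mod":                           "module example.invalid/client\n\ngo 1.26\n",
	"Dockerfile.alltools":              "FROM golang:1.24-alpine as builder\n",
	".github/workflows/test-linux.yml": "    with:\n      go-version: '1.24'\n",
	".github/workflows/bench-vm.yml":   "    with:\n      go-version: ${{ matrix.go }}\n",
}

// FindDrift lists pins that differ from want and pin files with no literal version.
func FindDrift(files map[string]string, want string) []string {
	var out []string
	for path, body := range files {
		for glob, re := range pins {
			if ok, _ := filepath.Match(glob, filepath.Base(path)); !ok {
				continue
			}
			ms := re.FindAllStringSubmatch(body, -1)
			if len(ms) == 0 {
				out = append(out, path+": no literal Go version found")
			}
			for _, m := range ms {
				if m[1] != want {
					out = append(out, fmt.Sprintf("%s: Go %s, want %s", path, m[1], want))
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Printf("%q\n", FindDrift(sample, "1.26")) }
```
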
ecbeccc to cf3e9bd
Security: Upgrade Go runtime, blst cryptographic library, and x/ dependencies
Go 1.21 reached end-of-life in August 2024 with no further security patches. This PR upgrades to Go 1.26 (current stable). This is the primary ETC client — it cannot ship on an EOL toolchain.
Changes
Go 1.21 → 1.26:
- `go.mod`: Go version bump
- `golang:1.21-alpine` → `golang:1.26-alpine`
- `fjl/memsize` dependency (incompatible with Go 1.23+ due to `runtime.stopTheWorld` linkname restriction — no upstream fix available)

blst v0.3.11 → v0.3.16:
- `-std=gnu11` to `internal/build/gotool.go` CGO_CFLAGS as defense-in-depth

x/ dependency cascade (required for Go 1.26 compatibility):
- `golang.org/x/tools` v0.15 → v0.43
- `golang.org/x/crypto` v0.17 → v0.49
- `golang.org/x/net` v0.18 → v0.52
- `golang.org/x/sys` v0.16 → v0.42
- `golang.org/x/sync` v0.5 → v0.20
- `golang.org/x/text` v0.14 → v0.35
- `golang.org/x/mod` v0.14 → v0.34
- `golang.org/x/time` v0.3 → v0.15

Verification
- `go build ./...` ✅
- `go vet ./...` ✅
- `go mod tidy` — no changes (deps are clean)

References
Road to Olympia — Core-Geth Modernization March
Developed by White B0x Inc. for Ethereum Classic DAO LLC
🤖 Generated with Claude Code
Merge Order