I was just looking into building the istio/istio 1.3.4 binaries from source, and noticed that while the Wiki mentions that Go language version 1.13 is being used (for pre-built binaries I presume), the go.mod file in the repository still refers to Go 1.12.
Could anyone comment and advise on the proper use of Go language versions for building, if all we care for is making use of the latest security fixes shipped with 1.13?
If we use Go 1.13 to build but do not make any changes to the go.mod file, will we already get the security fixes and only miss out on the new language features?
Or is it necessary that we run go mod edit -go=1.13 before starting the build?
How were official Istio binaries generated if, as I mentioned the Wiki proclaims, 1.13 has been used?
If your code uses modules and your go.mod files specifies a language version, be sure it is set to at least 1.13 to get access to these language changes.
You can do this by editing the go.mod file directly, or you can run go mod edit -go=1.13.
The go directive in a go.mod file now indicates the version of the language used by the files within that module. It will be set to the current release (go1.12) if no existing version is present.
If the go directive for a module specifies a version newer than the toolchain in use, the go command will attempt to build the packages regardless, and will note the mismatch only if that build fails.
So, we are safe, building with Go 1.13.4. Nevertheless, I’ve updated go.mod to include 1.13.
Could you comment on whether, when compiling (specifically) Istio 1.3.4 using the latest Go build binaries, i.e. without the latest commit to change the Go version in go.mod, we would be benefiting from Go (CVE) security fixes introduced with 1.13?
The docs which you also quoted don’t seem to be very clear on that, only talking about “getting access to the language changes”, which I take to mean the number literal prefix changes described in the “changes to the language” sub-chapter.
Appreciate any pointers on that topic!
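The thread turns on the difference between the go directive in go.mod and the toolchain that actually compiles the binary. As an added example (not from the thread or the Istio project), this Go program reads both: the directive from a constructed go.mod and the toolchain version recorded in a compiled binary. The names goDirective, builtWith and sampleGoMod are made up for illustration.

```go
package main

import (
	"bufio"
	"debug/buildinfo" // standard library since Go 1.18
	"fmt"
	"os"
	"runtime"
	"strings"
)

// sampleGoMod is a constructed go.mod; only its go directive matters here.
const sampleGoMod = `module example.com/demo

go 1.12 // language version, not the toolchain version
`

// goDirective returns the version named by the go directive, or "" if absent.
func goDirective(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// builtWith returns the toolchain version recorded inside a compiled Go binary.
func builtWith(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

func main() {
	fmt.Println("go directive in go.mod:", goDirective(sampleGoMod))
	fmt.Println("toolchain running this:", runtime.Version())
	for _, bin := range os.Args[1:] { // optional: paths to Go binaries to inspect
		v, err := builtWith(bin)
		if err != nil {
			fmt.Fprintln(os.Stderr, bin+":", err)
			continue
		}
		fmt.Println(bin, "was built with", v)
	}
}
```

The runtime and standard library linked into a binary come from the toolchain that compiled it, so the version reported by builtWith, not the go directive, shows which Go release's library fixes a given binary contains.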