I'm the maintainer of the FreeBSD port, so we build from source. The v3.93.0+ version now requires a newer version of the go toolchain, and tries to auto-download this from Go website.
- this is not ideal from a security perspective, even if you have a lot of trust for Google, it requires allowing all code to fetch additional data over the network
- generally we enforce that no additional code is fetched during builds, so users are 100% sure that what was shipped, is what was built, and the toolchain also has a secure provenance
Anyway! Can you mention any future changes in GOTOOLCHAIN version in release notes or changelog please? Ideally, this would be something that buildkite specifically validates in releases, so that a single new dependency doesn't require a new toolchain unless that is really required.
As go 1.24 is not yet available in FreeBSD, we are stuck on v3.92.1 which is not too bad, until that's available to us.
I'm the maintainer of the FreeBSD port, so we build from source. The v3.93.0+ version now requires a newer version of the go toolchain, and tries to auto-download this from Go website.
Anyway! Can you mention any future changes in GOTOOLCHAIN version in release notes or changelog please? Ideally, this would be something that buildkite specifically validates in releases, so that a single new dependency doesn't require a new toolchain unless that is really required.
As go 1.24 is not yet available in FreeBSD, we are stuck on v3.92.1 which is not too bad, until that's available to us.