Debian Go package release schedule

I have multiple servers running Debian 12 stable, which currently provides version 1.19 of the golang package. This is a bit of a nuisance because (the latest version of) many packages out there only support the last two Go minor versions. When should I expect the next minor version of Go to show up in the Debian stable release?
I suppose I could switch to the testing release to get a newer version, but what are the broader security implications of doing so?

hi,

this is for sure not a topic for a Go forum, but something to ask the Debian maintainers directly.

But in general you don’t need to have Go installed on the server in order to run Go programs: the runtime is embedded in the executable.


True, but I have it set up so it builds the server code on the server.

From what I am reading on the Debian website, it seems like there are not generally new versions of packages available in any given release (bullseye, bookworm, etc). Is that correct? In that case I have to wait for the next release to become stable.

No idea. Question for Debian maintainers.

Can’t you just install Go yourself on the servers?

I develop and compile on Mac (GOOS=linux go build) and then upload the binary to the Debian server using Webmin (or other server “admin desktop”). Then use systemd for starting/stopping/autostart the Go server. Works good for me…

I suppose I could, but it would take more configuring to automate the installation. Currently I am using Salt Stack to manage my servers, which makes it as easy as pkg.installed - name: golang and I have a usable Go installation.

I have my code and accompanying configuration in a git repo, so what I do using Salt Stack is like this (on the server itself):

  1. git pull
  2. If there were any changes, run go build.
  3. Restart the systemd service which runs the built binary.

So it seems like I either need to go to the work of installing the package semi-manually or just be content not using the latest version of everything, Go dependencies included.

This seems to be common practice in most Linux distros indeed, for stability reasons.

If you find automating the installation of newest Go problematic, perhaps you could seek help in Debian forums, as others suggested.

Here’s how I decided to do it (a Salt state declaration):

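{% set go_version = '1.22.2' %}
# Download the official tarball and replace /usr/local/go,
# unless exactly this version is already installed.
Go installed:
  cmd.run:
    - name: wget -q -O go.tar.gz https://go.dev/dl/go{{ go_version }}.linux-amd64.tar.gz && rm -rf /usr/local/go && tar -C /usr/local -xzf go.tar.gz
    # Fixed-string match with trailing space, so 1.22.2 does not match 1.22.20
    - unless: /usr/local/go/bin/go version | grep -qF 'go{{ go_version }} '
    - cwd: /root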

A bit less simple but more up-to-date.
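
The state above extracts whatever wget returns and deletes the old toolchain before the new one is known to be good. As an added example (not the poster's code), the shell function below checks the tarball against a pinned SHA-256 and stages the extraction before replacing the existing install. The function names and the GO_VERSION and GO_SHA256 variables are assumptions; the digest is a placeholder to be copied from the checksum listed on https://go.dev/dl/.

```shell
#!/bin/sh
# Added example: verify a Go tarball against a pinned SHA-256 before it
# replaces PREFIX/go. Function and variable names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified TARBALL EXPECTED_SHA256 PREFIX
# Returns 0 on success, 1 on digest mismatch, 2 on extraction failure.
# The existing PREFIX/go is only removed after the new tree has been
# verified and fully extracted into a staging directory.
install_verified() {
    tarball=$1 expected=$2 prefix=$3

    actual=$(sha256_of "$tarball") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi

    # Stage on the same filesystem so the final mv is a rename.
    staging=$(mktemp -d "$prefix/.go-staging.XXXXXX") || return 2
    if ! tar -C "$staging" -xzf "$tarball" || [ ! -x "$staging/go/bin/go" ]; then
        rm -rf "$staging"
        return 2
    fi

    rm -rf "$prefix/go" && mv "$staging/go" "$prefix/go" || return 2
    rm -rf "$staging"
}

# Usage from a Salt cmd.run or a deploy script (GO_SHA256 is a placeholder):
#   wget -q -O go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
#   install_verified go.tar.gz "$GO_SHA256" /usr/local
```

Pinning the digest next to the version in the state file means a version bump is a two-value change, and a corrupted or substituted download fails the state run without touching the working toolchain.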

This is correct. The “stable” in Debian stable refers to not changing rather than not breaking. Not breaking is the side effect of not changing. The Debian team will only provide security updates for packages and new version upgrades are rare. You will only have the updated go package in the next version.

Debian has the concept of backports, where packages are taken from the next Debian release and compiled for the current stable release. You can read more about it here: https://backports.debian.org/. Backports for Debian 12 seem to have Go version 1.21.

I would suggest you install using the instructions from the golang website rather than switch to Debian testing for your servers.
