Go Backports for Debian and Ubuntu
Published on 2024-05-20
Debian and Ubuntu include the Go compiler as Debian package, which is the easiest way to install the Go compiler. However, the Go compiler, and software built with it, is only receiving limited security support in Debian and, we assume, Ubuntu.
This means, that after a while, the Go version included can become quite outdated. For example, at the time of writing the latest version of Go is 1.22.3. Below a list of Go versions included in the various Debian and Ubuntu distributions:
OS | Version |
---|---|
Debian 11 | 1.15.15 |
Debian 12 | 1.19.8 |
Ubuntu 20.04 | 1.13.8 |
Ubuntu 22.04 | 1.18.1 |
Ubuntu 24.04 | 1.22.2 |
For Debian, backports of Go are available to mitigate this situation somewhat:
OS | Version |
---|---|
Debian 11 | 1.19.8 |
Debian 12 | 1.21.8 |
However, for building and deploying software written in Go, especially when it is exposed to the Internet, it is critical to use a compiler version that is still receiving security updates.
On Ubuntu there are two ways to upgrade Go, as there are no Go backports available for Ubuntu:
As our projects need to support both Debian and Ubuntu, we prefer to have a single solution for both. We probably could have gotten away with using the PPA on Ubuntu, and the backports on Debian, but especially when targeting Debian 11, the Go version started to lag behind considerably.
What we were looking for:
- Ability to use an officially supported Go version on all targets we support, that means (as of this moment) Go 1.21 or Go 1.22;
- Allow for using this Go version in our Debian/Ubuntu package builder, which uses sbuild;
- Allow using this Go version on our development machine(s) to allow having the exact same version as is used by our build servers;
- Have all software and instructions available for anyone interested to fully replicate all steps resulting in a usable repository with up-to-date Go for all targets.
We accomplished this through:
- Use the official Debian source packages for Go, i.e. golang and golang-defaults which are also used by the Debian project to get the latest version of Go in sid (unstable);
- Write documentation on how to use this repository with sbuild;
- Provide instructions on how to enable the package repository in Debian and Ubuntu so it can be used during development as well;
- Have full documentation on how to set up the builder yourself and create a Debian / Ubuntu package repository with the latest version of Go in it.
If you want to use this for building your own software, please make sure you are familiar with how this builder works and that you are confident you could take over maintenance of it yourself if ever needed. There is NO GUARANTEE we will maintain this indefinitely, only as long as we have use for it ourselves, which is exactly why we provide everything needed for doing it yourself.
For convenience, we also provide the instructions for (3) as an easy copy/paste snippet:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/go+repo@tuxed.net.gpg] https://repo.tuxed.net/golang/v1/deb $(lsb_release -c -s) main" | sudo tee /etc/apt/sources.list.d/golang_v1.list >/dev/null
wget -O- https://repo.tuxed.net/golang/v1/deb/go+repo@tuxed.net.gpg | sudo tee /usr/share/keyrings/go+repo@tuxed.net.gpg >/dev/null
sudo apt update
sudo apt -y dist-upgrade
sudo apt autoremove