On 24/01/24 2:07 pm, Simon Josefsson wrote:
> Yes, for a low-level Go package (e.g., golang-golang-x-net-dev), this
> will mean rebuilding almost all of the Go packages in Debian and publishing
> them in a security advisory.
>
> This algorithm can be optimized (i.e., reduce the number of packages to
> publish in an advisory) by either of:
>
>      1) using information from Built-Using: (which was not designed for
>         this purpose, so this is fragile) or *.buildinfo.
>      2) by dropping all 'Architecture: all' packages that do not embed
>         the buggy code.
>
> The last optimization 2) would reduce the number of Go packages to
> publish significantly, as it would drop most golang-*-dev packages.  I
> think this actually makes this process feasible in practice, as there
> are relatively few binary packages written in Go.
I was also wondering about this. The actual number of arch:any Go packages is much smaller if we skip the arch:all *-dev packages, so this should be a smaller number of rebuilds than what is currently considered. We can make this even smaller by choosing a limited number of packages for security support, for example caddy, soh, etc., which would already be better than not providing any security update at all.
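To make the two optimizations discussed above concrete, here is an added example (not code from either poster or from Debian's tooling) that walks a Packages-style index and computes the rebuild set for a vulnerable Go source package. It applies optimization 1 by reading the Built-Using: field and optimization 2 by skipping Architecture: all stanzas, and contrasts that with a naive candidate list that also pulls in the golang-*-dev packages. The index, package names, versions and Built-Using lists below are constructed for illustration and are not real archive data.

```python
"""Rebuild-set calculation for a vulnerable Go source package in a Debian-style
archive, using Built-Using: (optimization 1) and dropping Architecture: all
packages (optimization 2). Example code; the sample index is constructed."""
import re

# Constructed sample Packages index in Debian control format. Names follow
# Debian conventions, but versions and Built-Using entries are illustrative.
SAMPLE_PACKAGES = """\
Package: golang-golang-x-net-dev
Source: golang-golang-x-net
Version: 1:0.20.0-1
Architecture: all

Package: golang-github-foo-bar-dev
Source: golang-github-foo-bar
Version: 0.5.0-1
Architecture: all
Depends: golang-golang-x-net-dev

Package: caddy
Source: caddy
Version: 2.7.6-1
Architecture: amd64
Built-Using: golang-golang-x-net (= 1:0.20.0-1), golang-github-foo-bar (= 0.5.0-1)

Package: gopls
Version: 0.14.2-1
Architecture: amd64
Built-Using: golang-golang-x-tools (= 0.14.0-1)

Package: vendored-tool
Version: 1.0-1
Architecture: arm64
Built-Using: golang-golang-x-net (= 1:0.19.0-2)
"""

# Built-Using: entries look like "source (= version)", comma separated.
BUILT_USING_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9+.-]*)\s*\(=\s*([^)]+)\)")


def parse_packages(text):
    """Parse blank-line separated control stanzas into a list of dicts.
    Continuation lines (leading whitespace) are folded into the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def parse_built_using(value):
    """'src (= ver), src2 (= ver2)' -> {src: ver}; empty dict if field absent."""
    return {src: ver.strip() for src, ver in BUILT_USING_RE.findall(value or "")}


def affected_packages(packages, vulnerable_source):
    """Binary packages that statically embed `vulnerable_source`.
    Optimization 2: Architecture: all packages (the golang-*-dev ones) ship
    only Go source and are skipped. Optimization 1: Built-Using: records
    which source packages were linked into the binary."""
    out = []
    for p in packages:
        if p.get("Architecture", "") == "all":
            continue
        embedded = parse_built_using(p.get("Built-Using"))
        if vulnerable_source in embedded:
            out.append((p["Package"], p["Architecture"], embedded[vulnerable_source]))
    return sorted(out)


def naive_candidates(packages, vulnerable_source):
    """Without the optimizations: every package that names the source as
    Source:, in Depends:, or in Built-Using:, arch:all included."""
    hits = []
    for p in packages:
        src = p.get("Source", p["Package"]).split()[0]
        if (src == vulnerable_source
                or vulnerable_source in p.get("Depends", "")
                or vulnerable_source in parse_built_using(p.get("Built-Using"))):
            hits.append(p["Package"])
    return sorted(hits)


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PACKAGES)
    vuln = "golang-golang-x-net"
    print("naive candidates:", naive_candidates(pkgs, vuln))
    for name, arch, ver in affected_packages(pkgs, vuln):
        print(f"rebuild {name} ({arch}), currently embeds {vuln} {ver}")
```

The third element of each result tuple is the embedded version; in a real run you would compare it against the fixed version with `dpkg --compare-versions` and drop binaries that already embed the fix, which shrinks the advisory further.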