
Bug#928026: security support for golang packages in Buster



Please CC debian-go@lists.debian.org and me.

Hi the security team and release team,

On Sat, Apr 20, 2019 at 11:07:34PM +0200, Moritz Mühlenhoff wrote:
> There has been no visible movement on the issues with Go as mentioned in
> https://lists.debian.org/debian-release/2018/07/msg00002.html (and
> this dates back much further, initial discussions were from 2016 or
> earlier).
> 
> This is already an issue in Stretch (e.g. #922170), but will be much
> worse in Buster, so unless someone reliably commits to work on
> this ASAP the available options are to drop everything Go apart
> from the toolchain packages from buster or exclude all of that mess
> from security updates so that people know what they can expect.
> 

IIUC, there're two concerns for Go packages.

1. the way to detect what packages need to be rebuilt if a Go package
   has been fixed.

   It should be easy in Buster. All the Go binary program packages (which
   are not arch:all) have a Built-Using field. This field records all
   the statically linked libraries (including direct and indirect).

   So a similar SQL script like
   https://ftp-master.debian.org/users/ansgar/outdated-built-using.txt
   should work, to filter the packages which need a rebuild.

   And yes, we are aware the use of the Built-Using field is against policy
   now... #921284. IMHO, this could be transitioned to another field in the
   next release.

2. binNMU without full source upload for security-master.

   It's still not possible, and I don't know if there's any effort to
   change the dak.

   But I want to know how the security team handles other statically linked
   languages, like Rust, Haskell, OCaml, etc.

   It's not an issue for Go packages only.

   The easiest probably is to binNMU in stable-pu.

-- 
Shengjing Zhu
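
The Built-Using check described in point 1, as an added example that is not part of the original message and is not the linked SQL script. It assumes a binary is stale when a recorded source version differs from the version currently in the suite; package names, versions and the `SUITE_SOURCES` map are constructed sample data.

```python
import re

# Constructed sample data in Packages-file style (names and versions are made up).
PACKAGES = """\
Package: example-go-tool
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.6-1), golang-golang-x-net (= 1:0.0+git20181201-1)

Package: example-go-daemon
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.6-1), golang-golang-x-net (= 1:0.0+git20181201-2)

Package: example-go-docs
Architecture: all
"""

# Constructed: source versions present in the suite after a fixed library upload.
SUITE_SOURCES = {"golang-1.11": "1.11.6-1", "golang-golang-x-net": "1:0.0+git20181201-2"}

# One Built-Using entry has the form "source (= version)".
ENTRY = re.compile(r"^\s*(\S+)\s*\(=\s*(\S+?)\s*\)\s*$")

def parse_stanzas(text):
    """Yield each stanza as a dict of field -> value (single-line fields only)."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; epochs stay intact
            fields[key.strip()] = value.strip()
        yield fields

def parse_built_using(value):
    """Return [(source, version)] from a Built-Using value; reject malformed entries."""
    pairs = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"malformed Built-Using entry: {item!r}")
        pairs.append(m.groups())
    return pairs

def needs_rebuild(packages_text, suite_sources):
    """Map binary package -> [(source, built_against, current)] for stale entries."""
    stale = {}
    for pkg in parse_stanzas(packages_text):
        for src, ver in parse_built_using(pkg.get("Built-Using", "")):
            current = suite_sources.get(src)  # None if the source left the suite
            if current != ver:
                stale.setdefault(pkg["Package"], []).append((src, ver, current))
    return stale
```

Packages without a Built-Using field, such as the arch:all one in the sample, are never flagged, so this only covers binaries that actually record their statically linked sources.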
