
Bug#928026: security support for golang packages in Buster



Hi,

On 27-04-2019 09:31, Shengjing Zhu wrote:
> Please CC debian-go@lists.debian.org and me.

Done.

[...]

> IIUC, there're two concerns for Go packages.

[...]

> 2. binNMU without full source upload for security-master.
> 
>    It's still not possible, and I don't know there's any effort to
>    change the dak.
> 
>    But I want to know how security team handles other static linked
>    languages, like rust, haskell, ocaml, etc.

With respect to binNMU'ing, static linking is not a problem, only
arch:all is. Most haskell (4 vs 1048) and ocaml (21 vs 233) aren't
arch:all. haskell and ocaml have a framework in place to at least know
the status in unstable/testing. See e.g. the "permanent trackers" at
https://release.debian.org/transitions/. I don't know yet what this means
for security support. Neither do I know what it means for rust.

>    It's not the issue for only Go packages.

But most haskell and ocaml packages can be binNMU'd.

>    The easiest probably is to binNMU in stable-pu.

I don't understand what you mean by this last sentence. You mean to not
do a binNMU but a full NMU for all the arch:all packages? I think the
problem of the security team is that they don't want to commit to that.

[bug 928227]
On 05-05-2019 18:00, Shengjing Zhu wrote:
> Hi,

[...]

>> On Tue, Apr 30, 2019 at 05:07:57PM +0800, Drew Parsons wrote:
>>> Please unblock package golang-golang-x-net-dev
>>>
>>> Upstream has provided patches addressing security issues
>>> CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848
>>> (Debian bug #911795).
>>
>> How will unblocking this fix these issues? golang-golang-x-net-dev is
>> embedded in a number of packages in buster. If they are not updated,
>> the unblock will not fix anything. How will this be handled?
>>
>
> All the reverse depends need binNMU.
> Since the Go packages are using (abusing) the Built-Using tag, probably the
> release team will binNMU all outdated Built-Using packages at this
> period (before release)?

I think the rebuild (or at least a big chunk of it) has already been
done. And, as noted above, that we can't binNMU arch:all yet. Will you
source upload those and add the list to bug 928227 and tell us which
additional packages need to be scheduled for a binNMU?

Just wondering, does anybody already have tooling/scripts/urls to check
the current status? If not, I'll cook up something to assess the
situation for myself. I'll update bug 928227 when I have some data.

> Maybe we can keep the conversation at
> https://lists.debian.org/msgid-search/20190427073148.GA7478@debian ?

Done.

Paul
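The status check asked about in the message above, as an added example that is not part of the thread or of any Debian tool: it parses a constructed Packages-index sample, reads each binary's Built-Using field, and reports which binaries embed a source version other than the one currently in the archive, split into those that can be binNMU'd and the arch:all ones that need a source upload. Package names and versions in the sample are made up, and exact-string mismatch stands in for dpkg version ordering.

```python
import re

# Constructed sample of Packages-index stanzas; names and versions are made up.
PACKAGES_INDEX = """\
Package: golang-example-tool
Architecture: amd64
Built-Using: golang-golang-x-net (= 1.0-1)

Package: golang-example-docs
Architecture: all
Built-Using: golang-golang-x-net (= 1.0-1), golang-golang-x-text (= 0.3.0-2)

Package: golang-example-rebuilt
Architecture: amd64
Built-Using: golang-golang-x-net (= 1.0-2)
"""

# Constructed: source versions currently in the archive (what Sources would list).
CURRENT_SOURCES = {"golang-golang-x-net": "1.0-2", "golang-golang-x-text": "0.3.0-2"}

# Built-Using entries look like "source (= version)", comma separated.
BUILT_USING_RE = re.compile(r"(\S+)\s*\(=\s*([^)]+)\)")


def parse_stanzas(text):
    """Split an RFC822-style index into dicts; continuation lines are not needed here."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first ':' only, so epochs stay intact
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def classify_rebuilds(packages_text, current_sources):
    """Report binaries whose Built-Using names a source version other than the
    current one (exact-string mismatch, a simplification of dpkg ordering).
    Arch-specific binaries can be binNMU'd; arch:all ones need a source upload."""
    result = {"binnmu": [], "source_upload": []}
    for pkg in parse_stanzas(packages_text):
        stale = [(src, ver) for src, ver in BUILT_USING_RE.findall(pkg.get("Built-Using", ""))
                 if src in current_sources and ver != current_sources[src]]
        if stale:
            bucket = "source_upload" if pkg["Architecture"] == "all" else "binnmu"
            result[bucket].append((pkg["Package"], stale))
    return result
```

Pointing the same logic at a real Packages index and the Sources index of the suite gives the list of rebuild candidates per bucket.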
