Bug#928026: security support for golang packages in Buster

To: Shengjing Zhu <zhsj@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Paul Gevers <elbrus@debian.org>, 928026@bugs.debian.org, debian-release@lists.debian.org, debian-go@lists.debian.org, 928027@bugs.debian.org, 928227@bugs.debian.org
Subject: Bug#928026: security support for golang packages in Buster
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 10 May 2019 08:58:42 +0200
Message-id: <[🔎] 20190510065842.GB15353@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 928026@bugs.debian.org
In-reply-to: <[🔎] CAFyCLW-zYffgNc7vbdMQPBBSuj44zFXoR0cTiV6sRqwWrV_+HQ@mail.gmail.com>
References: <f1a737f3-b0d9-1111-f42e-bb10196b63f6@debian.org> <20190420210734.GA22183@pisco.westfalen.local> <20190426102958.c3h22jetcdn2s4ov@layer-acht.org> <20190427073148.GA7478@debian> <[🔎] 1ee63955-8db2-5f1f-7174-9dfd293f306e@debian.org> <[🔎] 20190508175317.emqld4kpnfvqit3x@inutil.org> <[🔎] CAFyCLW-zYffgNc7vbdMQPBBSuj44zFXoR0cTiV6sRqwWrV_+HQ@mail.gmail.com> <20190426102958.c3h22jetcdn2s4ov@layer-acht.org>

Hi,

On Fri, May 10, 2019 at 10:44:13AM +0800, Shengjing Zhu wrote:
> Hi the security team,
> 
> On Thu, May 9, 2019 at 1:53 AM Moritz Muehlenhoff <jmm@inutil.org> wrote:
> [...]
> >
> > There's the additional issue that ftp-master and security-master don't
> > share tarballs; binNMUs are only possible for packages which are on
> > security-master, so we'd need to do manual source uploads for every
> > affected go package.
> >
> 
> I probably lack of some historical background, have you ever think of
> merging ftp-master and security-master?

The security team does not manage dak on security-master, this is
actually ftp-masters domain. The separation has as disadantages and
advantages, one which comes to my mind idepenently on the aspect of
the one beeing security-master is to have a fallback updateing channel
in case one or the other cannot be used.

But okay that's not the point.

There is #823820 for one Built-Using aspect, but the idea might be
possible to generalize to have on every time orig tarballs from
main archive available on security-master as well.

Regards,
Salvatore

Reply to:

References:
- Bug#928026: security support for golang packages in Buster
  - From: Paul Gevers <elbrus@debian.org>
- Bug#928026: security support for golang packages in Buster
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Bug#928026: security support for golang packages in Buster
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Bug#928026: security support for golang packages in Buster
Next by Date: Bug#928956: Document removal of ecryptfs-utils from Buster
Previous by thread: Bug#928026: security support for golang packages in Buster
Next by thread: Bug#928026: security support for golang packages in Buster
Index(es):
- Date
- Thread