Hi all,

I've prepared an update to the release notes on request of the security team. The text is *nearly* the same as in the buster release notes, with two tweaks. Feedback appreciated.

Paul
From 09c562e45c09776891801bae6425adb773fc044c Mon Sep 17 00:00:00 2001
From: Paul Gevers <elbrus@debian.org>
Date: Thu, 27 May 2021 21:09:57 +0200
Subject: [PATCH] issues.dbk: add security warning about golang again
---
en/issues.dbk | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/en/issues.dbk b/en/issues.dbk
index 70a48dc7..7165267e 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -513,6 +513,24 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
for every quarterly upstream security update.
</para>
</section>
+ <section id="golang-static-linking">
+ <!-- Check if this still matches the view of the security team -->
+ <title>Go based packages</title>
+ <para>
+ The Debian infrastructure currently doesn't properly enable
+ rebuilding packages that statically link parts of other
+ packages on a large scale. Until buster that hasn't been a
+ problem in practice, but with the growth of the Go ecosystem
+ it means that Go based packages will be covered by limited
+ security support until the infrastructure is improved to
+ deal with them maintainably.
+ </para>
+ <para>
+ If updates for Go <quote>libaries</quote> are warranted,
+ they can only come via regular point releases, which may be
+ slow in arriving.
+ </para>
+ </section>
</section>
<section id="g-c-c-and-orca">
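Review bot: In the second added <para>, the word inside <quote> is misspelled as "libaries" and should read "libraries". "Go based" in the <title> and in the first paragraph would read better hyphenated as "Go-based". The XML comment "Check if this still matches the view of the security team" does not say whether that check has been done for this release; if it is meant as a reminder for the next release cycle, wording it that way would avoid confusion, otherwise it can be dropped once the security team has confirmed the text.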
--
2.30.2