Hi all,

I've prepared an update to the release notes on request of the security team. The text is *nearly* the same as in the buster release notes, with two tweaks. Feedback appreciated.

Paul
From 09c562e45c09776891801bae6425adb773fc044c Mon Sep 17 00:00:00 2001 From: Paul Gevers <elbrus@debian.org> Date: Thu, 27 May 2021 21:09:57 +0200 Subject: [PATCH] issues.dbk: add security warning about golang again --- en/issues.dbk | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/en/issues.dbk b/en/issues.dbk index 70a48dc7..7165267e 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -513,6 +513,24 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}} for every quarterly upstream security update. </para> </section> + <section id="golang-static-linking"> + <!-- Check if this still matches the view of the security team --> + <title>Go based packages</title> + <para> + The Debian infrastructure currently doesn't properly enable + rebuilding packages that statically link parts of other + packages on a large scale. Until buster that hasn't been a + problem in practice, but with the growth of the Go ecosystem + it means that Go based packages will be covered by limited + security support until the infrastructure is improved to + deal with them maintainably. + </para> + <para> + If updates for Go <quote>libaries</quote> are warranted, + they can only come via regular point releases, which may be + slow in arriving. + </para> + </section> </section> <section id="g-c-c-and-orca"> -- 2.30.2
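Review bot: In the second added <para>, the quoted word in `If updates for Go <quote>libaries</quote> are warranted,` is misspelled and should read "libraries". Since this text goes out for translation, fix it before committing. The same paragraph says updates "may be slow in arriving" but gives the reader no action to take. If the security team has a recommendation for users who depend on Go based packages, state it here. The XML comment `<!-- Check if this still matches the view of the security team -->` at the top of the new section reads as an open to-do. Drop it once the security team has confirmed the wording, or say in the commit message that it is kept on purpose. In the first <para>, "Until buster that hasn't been a problem in practice" leaves it unclear whether buster itself is included. A reader of this release's notes would be helped by wording that states explicitly from which release the limitation applies.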