[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security support for golang packages in Buster

Please CC debian-go@lists.debian.org and me.

Hi the security team and release team,

On Sat, Apr 20, 2019 at 11:07:34PM +0200, Moritz Mühlenhoff wrote:
> There has been no visible movement on the issues with Go as mentioned in
> https://lists.debian.org/debian-release/2018/07/msg00002.html (and
> this dates back much further, initial discussions were from 2016 or
> earlier).
> This is already an issue in Stretch (e.g. #922170), but will be much
> worse in Buster, so unless someone reliably commits to work on
> this ASAP the available options are to drop everything Go apart
> from the toolchain packages from buster or exclude of all that mess
> from security updates so that people know what they can expect.

IIUC, there're two concerns for Go packages.

1. the way to detect what packages need to be rebuilt if a Go package
   has been fixed.

   It should be easy in Buster. All the Go binary program packages (which
   are not arch:all) have a Built-Using filed. This filed records all
   the static linked libraries(include direct and indirect).

   So a similar sql script like
   should work, to filter the packages which need rebuild.

   And yes, we are aware the use of Built-Using filed is against policy
   now... #921284. IMHO, this cloud be transited to other filed in next

2. binNMU without full source upload for security-master.

   It's still not possible, and I don't know there's any effort to
   change the dak.

   But I want to know how security team handles other static linked
   languages, like rust, haskell, ocaml, etc.

   It's not the issue for only Go packages.

   The easiest probably is to binNMU in stable-pu.

Shengjing Zhu

Attachment: signature.asc
Description: PGP signature

Reply to: