[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#928026: security support for golang packages in Buster


On 27-04-2019 09:31, Shengjing Zhu wrote:
> Please CC debian-go@lists.debian.org and me.



> IIUC, there're two concerns for Go packages.


> 2. binNMU without full source upload for security-master.
>    It's still not possible, and I don't know there's any effort to
>    change the dak.
>    But I want to know how security team handles other static linked
>    languages, like rust, haskell, ocaml, etc.

With respect to binNMU'ing, static linking is not a problem, only
arch:all is. Most haskell (4 vs 1048) and ocaml (21 vs 233) aren't
arch:all. haskell and ocaml have a framework in place to at least know
the status in unstable/testing. See e.g. the "permanent trackers" at
https://release.debian.org/transitions/ I don't know yet what this means
for security support. Neither do I know what it means for rust.

>    It's not the issue for only Go packages.

But most haskell and ocaml packages can be binNMU'd.

>    The easiest probably is to binNMU in stable-pu.

I don't understand what you mean by this last sentence. You mean to not
do a binNMU but a full NMU for all the arch:all packages? I think the
problem of the security team is that they don't want to commit to that.

[bug 928227]
On 05-05-2019 18:00, Shengjing Zhu wrote:> Hi,


>> On Tue, Apr 30, 2019 at 05:07:57PM +0800, Drew Parsons wrote:
>>> Please unblock package golang-golang-x-net-dev
>>> Upstream has provided patches addressing security issues
>>> CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848
>>> (Debian bug #911795).
>> How will unblocking this fix these issues? golang-golang-x-net-dev is
>> in a number of packages in buster. If they are not updated, the
unblock will
>> not fix anything. How will this be handled?
> All the reverse depends need binNMU.
> Since the Go packages are using(abusing) Built-Using tag, probably the
> release team will binNMU all outdated Built-Using packages at this
> period(before release)?

I think the rebuild (or at least a big chunk of it) has already been
done. And, as noted above, that we can't binNMU arch:all yet. Will you
source upload those and add the list to bug 928227 and tell us which
additional packages need to be scheduled for a binNMU?

Just wondering, does anybody already have tooling/scripts/urls do check
the current status? If not, I'll cook up something to assess the
situation for myself. I'll update bug 928227 when I have some data.

> Maybe we can keep the conversation at
> https://lists.debian.org/msgid-search/20190427073148.GA7478@debian ?



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: