
Re: Bug#928026: security support for golang packages in Buster

On Wed, May 8, 2019 at 2:45 PM Paul Gevers wrote:

> With respect to binNMU'ing, static linking is not a problem, only
> arch:all is. Most haskell (4 vs 1048) and ocaml (21 vs 233) aren't
> arch:all. haskell and ocaml have a framework in place to at least know
> the status in unstable/testing. See e.g. the "permanent trackers" at
> https://release.debian.org/transitions/ I don't know yet what this means
> for security support. Neither do I know what it means for rust.

I think there is something that the release/security teams might be
missing here:

The Go/Rust arch:all packages (the golang-*-dev ones) contain only
source code (ideally things would support build-deps on foo:src; the
current Go/Rust binary packages are a workaround for that being
missing), so they do not need to be changed after a security upload.
Only the packages containing statically linked Go/Rust code need to be
binNMUed and those ones should be arch:any since they contain
architecture-specific binaries. In addition the arch:all packages do
not have Built-Using, only the statically linked ones do.

So the workflow seems to be quite manageable, modulo the
security-master binNMU issue: fix the security issue where it
originated, then binNMU anything that has Built-Using on any version
less than the fixed version.
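The workflow above (fix the source, then binNMU every binary whose Built-Using pins the fixed source at an older version) can be checked mechanically against a Packages index. The following script is an added example for this thread, not code from the message or from Debian's own tooling: it parses Packages stanzas, extracts the `source (= version)` entries from Built-Using, compares versions with a re-implementation of dpkg's ordering rules (`~` sorts before everything, digit runs compare numerically, epoch and Debian revision are split off first), and lists the packages that still embed the vulnerable version. It also flags arch:all packages that carry Built-Using, since the message argues those should not exist. The package names, versions and stanzas are constructed sample data, not real archive contents.

```python
import re

# Constructed sample Packages stanzas (not a real Debian index).
SAMPLE_PACKAGES = """\
Package: example-tool
Version: 0.5-1
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.6-1), golang-github-example-lib (= 1.2.3-1)

Package: golang-github-example-lib-dev
Version: 1.2.3-1+deb10u1
Architecture: all

Package: other-tool
Version: 2.0-1+b1
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.6-1), golang-github-example-lib (= 1.2.3-1+deb10u1)

Package: odd-package
Version: 1.0-1
Architecture: all
Built-Using: golang-github-example-lib (= 1.2.3-1)
"""


def parse_stanzas(text):
    """Split an RFC822-style Packages file into one dict per stanza."""
    stanzas, cur, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:      # continuation line
            cur[last_key] += " " + line.strip()
            continue
        key, _, val = line.partition(":")
        last_key = key.strip()
        cur[last_key] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_built_using(value):
    """'src (= ver), src2 (= ver2)' -> [(src, ver), (src2, ver2)]."""
    out = []
    for item in value.split(","):
        m = re.match(r"^\s*(\S+)\s*\(=\s*([^)]+)\)\s*$", item)
        if not m:
            raise ValueError("malformed Built-Using entry: %r" % item)
        out.append((m.group(1), m.group(2).strip()))
    return out


def _order(c):
    """Character weight used by dpkg: digits 0, letters by code, '~' lowest, others high."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """dpkg-style ordering of Debian versions: negative if v1 < v2, 0 if equal, positive if v1 > v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def needs_binnmu(stanzas, fixed_source, fixed_version):
    """Binaries whose Built-Using pins fixed_source to a version older than fixed_version."""
    hits = []
    for st in stanzas:
        for src, ver in parse_built_using(st.get("Built-Using", "")) if st.get("Built-Using") else []:
            if src == fixed_source and compare_versions(ver, fixed_version) < 0:
                hits.append((st["Package"], st.get("Architecture", ""), ver))
    return hits


def arch_all_with_built_using(stanzas):
    """Sanity check: arch:all packages should not embed compiled code, so Built-Using is suspicious there."""
    return [st["Package"] for st in stanzas
            if st.get("Architecture") == "all" and st.get("Built-Using")]


if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_PACKAGES)
    for pkg, arch, ver in needs_binnmu(stanzas, "golang-github-example-lib", "1.2.3-1+deb10u1"):
        print("binNMU needed: %s (%s) still built against %s" % (pkg, arch, ver))
    for pkg in arch_all_with_built_using(stanzas):
        print("check: arch:all package %s carries Built-Using" % pkg)
```

On a real archive the input would be the concatenated Packages files for the suite and the fixed version would come from the security upload's changes file; everything else in the script is what a security-master side binNMU trigger would have to compute.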
