
Re: security updates of Golang packages



Hi,

On Sun, Apr 24, 2022 at 7:30 PM Thorsten Alteholz <debian@alteholz.de> wrote:
>
> Hi everybody,
>
> some time ago, before the release of Buster, the Release Team and the
> Security Team criticized the missing tooling for security updates of Golang
> packages[1].
> I would like to improve the situation here and try to develop some scripts
> to automatically rebuild/upload affected packages (they are basically
> based on the reverse dependencies detected by ratt). So I hope you don't
> mind if I upload seemingly random packages. The corresponding changelog
> entry should explain what CVE triggered the upload.
> If you notice a missing or a superfluous upload, please don't hesitate to
> tell me.
>

Do you want to

1. Rebuild package to carry fixed CVE in dependencies
2. Fix CVE in library and then go through 1

For 1, I think you don't need to use the Build-Depends field, which is
used by ratt or the build-rdeps tool.
We use Built-Using field, which records the static linked package. (We
will move to a new field called Static-Built-Using, but it hasn't
happened yet).

For 1, do you want to do a no-change rebuild upload like Ubuntu, or do you
want to give a list of packages to the Release Team to schedule binNMUs?

For 2, I think it's just like a normal team upload; it's not special
whether it's a security fix or not. Please just go ahead.

And thanks for doing this!

-- 
Shengjing Zhu
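As an added example (not code from this thread or from Debian's tooling), here is what case 1 from the reply looks like in practice: scanning a binary Packages index for Built-Using entries that name the affected source package, instead of walking Build-Depends. The index excerpt and the package versions in it are constructed for the example.

```python
import re
# Constructed excerpt of a Debian binary Packages index (versions are made up).
# Built-Using records the sources statically linked into each binary, which is
# the field a Go security rebuild should key on, not Build-Depends.
PACKAGES_INDEX = """\
Package: gitlab-runner
Source: gitlab-ci-multi-runner
Built-Using: golang-golang-x-crypto (= 1:0.0~git20201221.eec23a3-1),
 golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-4)

Package: golang-golang-x-crypto-dev
Source: golang-golang-x-crypto
Version: 1:0.0~git20201221.eec23a3-1

Package: prometheus
Built-Using: golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-4)
"""

def parse_stanzas(text):
    """Split an RFC822-style index into dicts, joining continuation lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()  # continuation line
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def built_using(stanza):
    """Yield (source, version) pairs from 'foo (= 1.0-1), bar (= 2.0-3)'."""
    for entry in stanza.get("Built-Using", "").split(","):
        m = re.match(r"\s*(\S+)\s*\(=\s*([^)]+)\)", entry)
        if m:
            yield m.group(1), m.group(2).strip()

def rebuild_candidates(index_text, affected_source):
    """Binaries embedding affected_source -> embedded version. Binaries built
    from that source itself are skipped: they get the real fix, not a rebuild."""
    found = {}
    for st in parse_stanzas(index_text):
        if st.get("Source", st["Package"]).split()[0] == affected_source:
            continue
        for src, ver in built_using(st):
            if src == affected_source:
                found[st["Package"]] = ver
    return found
```

The embedded version reported per binary is what lets you decide whether a package already picked up the fixed library (and can be left alone) or still needs the no-change rebuild or binNMU.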
