
Re: security updates of Golang packages



Hi,

On Sun, Apr 24, 2022 at 8:12 PM Shengjing Zhu <zhsj@debian.org> wrote:
>
> Hi,
>
> On Sun, Apr 24, 2022 at 7:30 PM Thorsten Alteholz <debian@alteholz.de> wrote:
> >
> > Hi everybody,
> >
> > some time ago, before the release of Buster, the Release Team and the
> > Security Team criticized the missing tooling for security updates of Golang
> > packages[1].
> > I would like to improve the situation here and try to develop some scripts
> > to automatically rebuild/upload affected packages (they are basically
> > based on the reverse dependencies detected by ratt). So I hope you don't
> > mind if I upload seemingly random packages. The corresponding changelog
> > entry should explain what CVE triggered the upload.
> > If you notice a missing or a superfluous upload, please don't hesitate to
> > tell me.
> >
>
> Do you want to
>
> 1. Rebuild package to carry fixed CVE in dependencies
> 2. Fix CVE in library and then go through 1
>
> For 1, I think you don't need to use the Build-Depends field which is
> used by ratt, or build-rdeps tool.
> We use Built-Using field, which records the static linked package. (We
> will move to a new field called Static-Built-Using, but it hasn't
> happened yet).
>
> For 1, do you want to no-change rebuild upload like Ubuntu, or do you
> want to give a list of packages to Release Team to schedule binNMU?
>

Forgot to mention that if you want to do binNMU, there are problems to
do it on security-master.
IIRC, it's because security-master doesn't have all the source tarballs.

And this needs ftp-master to help.

I heard that for bullseye, ftp-master will copy all source tarballs to
security-master by hand.
But I also heard that the server for security-master lacks disk space.
I'm not sure what the current situation is.

> For 2, I think it's just like normal team upload, it's not special for
> security fix or not. Please just go ahead.
>
> And thanks for doing this!

-- 
Shengjing Zhu
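The lookup Shengjing describes above (walk the Built-Using field of the binary Packages index instead of Build-Depends, because that is where the statically linked Go sources are recorded) as an added example; this is not code from the thread or from any Debian tool. It is a POSIX shell function that parses deb822 stanzas and prints every binary whose Built-Using names a given source package, which is the rebuild candidate list for case 1. The sample index is constructed for the example and its package names and versions are illustrative, not taken from the archive.

```shell
#!/bin/sh
# Constructed sample of binary Packages stanzas (deb822 format). Names and
# versions are made up for this example.
SAMPLE_PACKAGES='Package: prometheus
Source: prometheus
Version: 2.31.2+ds1-1
Built-Using: golang-github-foo (= 1.0-1), golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-4)

Package: golang-github-foo-dev
Source: golang-github-foo
Version: 1.0-1

Package: hello-go
Version: 0.1-1
Built-Using: golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-4)

Package: unrelated
Version: 3-1
Built-Using: libc (= 2.31-13)
'

# static_rdeps SRC [PACKAGES_FILE...]
# Print "binary source version", one per line, for every stanza whose
# Built-Using field lists source package SRC. Reads stdin when no file is given.
static_rdeps() {
    src=$1
    shift
    [ $# -eq 0 ] && set -- -
    awk -v src="$src" '
    BEGIN { RS = ""; FS = "\n" }          # one stanza per record, one field per line
    {
        pkg = ""; source = ""; ver = ""; built = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /)          pkg    = substr($i, 10)
            else if ($i ~ /^Source: /)      source = substr($i, 9)
            else if ($i ~ /^Version: /)     ver    = substr($i, 10)
            else if ($i ~ /^Built-Using: /) built  = substr($i, 14)
        }
        if (built == "") next                 # not statically linked against anything
        if (source == "") source = pkg        # Source defaults to the binary name
        # Built-Using is "src (= ver), src (= ver), ..."; compare the source name only,
        # since the version recorded there is the one that needs replacing.
        n = split(built, deps, /, */)
        for (j = 1; j <= n; j++) {
            split(deps[j], parts, " ")
            if (parts[1] == src) { print pkg, source, ver; break }
        }
    }' "$@"
}

# Demonstration on the constructed sample: which binaries embed golang-golang-x-net?
printf '%s\n' "$SAMPLE_PACKAGES" | static_rdeps golang-golang-x-net
```

On a Debian system the same function can be pointed at the downloaded index files under `/var/lib/apt/lists/` (the `*_Packages` files) instead of the sample; the Source column is what goes into the list handed to the Release Team, and the version column shows which embedded copy the rebuild replaces.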

