Re: security updates of Golang packages

To: debian-go@lists.debian.org
Subject: Re: security updates of Golang packages
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 24 Apr 2022 21:46:20 +0000 (UTC)
Message-id: <[🔎] alpine.DEB.2.21.2204242131290.25768@postfach.intern.alteholz.me>
In-reply-to: <[🔎] CAFyCLW8PFhT0PAdRRgmZBv6_Wq-AvwZfOsqO8gipUAa0c1onOg@mail.gmail.com>
References: <[🔎] alpine.DEB.2.21.2204241118000.30232@postfach.intern.alteholz.me> <[🔎] CAFyCLW9=m19etDyxMi8=o9XkwSgHxBoJPPxd1tvGfEym6MK+zw@mail.gmail.com> <[🔎] CAFyCLW9tJ7JvfhqGM5LE6EoAmzX3r+SWF--3XPmH1u6=EGNEng@mail.gmail.com> <[🔎] 08eac6e7-a743-9942-f218-28250bde3903@alteholz.de> <[🔎] CAFyCLW8PFhT0PAdRRgmZBv6_Wq-AvwZfOsqO8gipUAa0c1onOg@mail.gmail.com>



On Mon, 25 Apr 2022, Shengjing Zhu wrote:

For binNMU, it's also possible to add Dep-Wait.


Hmm, but that would be some manually work, wouldn't it?

I don't have a preference for it. And I think binNMU is not friendly
to Debian derivatives.


Ok, that is a good point.

For ratt and other packages focusing on Build-Depends, they ensure
other packages won't FTBFS.
For tools focusing on (Static-)Built-Using, they ensure the embedded
libraries are up to date.


I would like to object here.

If you look at package crowdsec, you find no dependency ongolang-github-tidwall-gjson in its Built-Using:, but only an entry forgolang-github-appleboy-gin-jwt.

golang-github-appleboy-gin-jwt for its part depends ongolang-github-tidwall-gjson-dev.

So wouldn't be crowdsec affected by a CVE in golang-github-tidwall-gjson,which is not detected when using Built-Using: but only by Build-Depends:?

At least I got more packages to be rebuilt when using ratt than withBuilt-Using: ...


  Thorsten

Reply to:

Follow-Ups:
- Re: security updates of Golang packages
  - From: Shengjing Zhu <zhsj@debian.org>

References:
- security updates of Golang packages
  - From: Thorsten Alteholz <debian@alteholz.de>
- Re: security updates of Golang packages
  - From: Shengjing Zhu <zhsj@debian.org>
- Re: security updates of Golang packages
  - From: Shengjing Zhu <zhsj@debian.org>
- Re: security updates of Golang packages
  - From: Thorsten Alteholz <debian@alteholz.de>
- Re: security updates of Golang packages
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: RFS: golang-github-canonical-candid
Next by Date: Re: security updates of Golang packages
Previous by thread: Re: security updates of Golang packages
Next by thread: Re: security updates of Golang packages
Index(es):
- Date
- Thread