
Re: security updates of Golang packages



On Mon, Apr 25, 2022 at 6:30 AM Thorsten Alteholz <debian@alteholz.de> wrote:
>
>
>
> On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> > For binNMU, it's also possible to add Dep-Wait.
>
> Hmm, but that would be some manual work, wouldn't it?
>
> > I don't have a preference for it. And I think binNMU is not friendly
> > to Debian derivatives.
>
> Ok, that is a good point.
>
> > For ratt and other packages focusing on Build-Depends, they ensure
> > other packages won't FTBFS.
> > For tools focusing on (Static-)Built-Using, they ensure the embedded
> > libraries are up to date.
>
> I would like to object here.
>
> If you look at package crowdsec, you find no dependency on
> golang-github-tidwall-gjson in its Built-Using:, but only an entry for
> golang-github-appleboy-gin-jwt.
>
> golang-github-appleboy-gin-jwt for its part depends on
> golang-github-tidwall-gjson-dev.
>
> So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
> which is not detected when using Built-Using: but only by Build-Depends:?
>
> At least I got more packages to be rebuilt when using ratt than with
> Built-Using: ...

This is exactly the case for false positives of Build-Depends.

For golang-github-appleboy-gin-jwt, golang-github-tidwall-gjson is
only used in its tests.
Ref: https://codesearch.debian.net/search?q=github.com%2Ftidwall%2Fgjson+filetype%3Ago+package%3A%5CQgolang-github-appleboy-gin-jwt%5CE&literal=1

-- 
Shengjing Zhu
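An added illustration (not code from this thread or from ratt) of the two selection methods being compared, run on constructed debian/control paragraphs modelled on the packages named above; the versions, field contents and the one-paragraph-per-source layout are assumptions. Following reverse Build-Depends pulls in crowdsec through gin-jwt's test-only build-dependency on gjson, while Built-Using does not:

```python
import re
# Constructed debian/control paragraphs modelled on the packages named in the thread
# (simplified to one paragraph per source); versions and field contents are assumptions.
CONTROL = """\
Source: golang-github-tidwall-gjson
Package: golang-github-tidwall-gjson-dev

Source: golang-github-appleboy-gin-jwt
Build-Depends: debhelper-compat (= 13), dh-golang,
 golang-github-tidwall-gjson-dev <!nocheck>
Package: golang-github-appleboy-gin-jwt-dev

Source: crowdsec
Build-Depends: debhelper-compat (= 13), dh-golang, golang-github-appleboy-gin-jwt-dev
Package: crowdsec
Built-Using: golang-github-appleboy-gin-jwt (= 0.0~git20220101-1)
"""

def parse_control(text):
    """Split RFC822-style paragraphs into dicts, joining continuation lines."""
    paragraphs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()
            else:
                key, _, value = (s.strip() for s in line.partition(":"))
                fields[key] = value
        paragraphs.append(fields)
    return paragraphs

def package_names(field):  # names only: drop versions, arch lists, build profiles
    return {re.split(r"[\s(\[<]", d.strip())[0] for d in field.split(",") if d.strip()}

def via_build_depends(paragraphs, vulnerable_source):
    """Transitive reverse Build-Depends closure (what ratt-style tools rebuild)."""
    source_of = {p["Package"]: p["Source"] for p in paragraphs}
    affected = {vulnerable_source}
    while True:  # iterate to a fixpoint over the reverse build-dependency graph
        new = {p["Source"] for p in paragraphs if p["Source"] not in affected and
               affected & {source_of.get(d, d) for d in package_names(p.get("Build-Depends", ""))}}
        if not new:
            return affected - {vulnerable_source}
        affected |= new

def via_built_using(paragraphs, vulnerable_source):
    """Only packages whose binaries record the source in (Static-)Built-Using."""
    return {p["Source"] for p in paragraphs if vulnerable_source in
            package_names(p.get("Built-Using", p.get("Static-Built-Using", "")))}
```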