
Re: security updates of Golang packages



Hi,

On Tue, Apr 26, 2022 at 6:30 AM Thorsten Alteholz <debian@alteholz.de> wrote:
> On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> >> If you look at package crowdsec, you find no dependency on
> >> golang-github-tidwall-gjson in its Built-Using:, but only an entry for
> >> golang-github-appleboy-gin-jwt.
> >>
> >> golang-github-appleboy-gin-jwt for its part depends on
> >> golang-github-tidwall-gjson-dev.
> >>
> >> So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
> >> which is not detected when using Built-Using: but only by Build-Depends:?
> >>
> >> At least I got more packages to be rebuilt when using ratt than with
> >> Built-Using: ...
> >
> > This is exactly the case for false positives of Build-Depends.
>
> Ah, ok, do you have an example with a similar dependency chain with
> packages not only used for tests and a correct Built-Using:-entry?
>
> Otherwise a false positive would be much better than an unfixed package,
> wouldn't it?

We can still take the crowdsec and golang-github-appleboy-gin-jwt examples.

golang-github-appleboy-gin-jwt-dev Depends on golang-github-dgrijalva-jwt-go-dev,
but crowdsec doesn't Build-Depend on golang-github-dgrijalva-jwt-go-dev.

However, golang-github-dgrijalva-jwt-go is in crowdsec's Built-Using.

-- 
Shengjing Zhu
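The distinction discussed above (what a binary actually embedded, recorded in Built-Using, versus what merely appears in the Build-Depends chain) is what a security team needs when deciding which Go binaries to rebuild after a library CVE. The following is an added example, not code from this thread or from any Debian tool: it parses a Packages-style index and lists every binary package whose Built-Using names a given source package, together with the embedded version. The package stanzas and version numbers in SAMPLE_PACKAGES are constructed for illustration and are not taken from the Debian archive.

```python
import re

# Constructed sample in the style of a Debian Packages index (illustrative
# values only). Mirrors the thread: crowdsec's Built-Using lists
# dgrijalva-jwt-go although it is not a direct Build-Depends, and does NOT
# list tidwall-gjson, which only reaches crowdsec via gin-jwt-dev's Depends.
SAMPLE_PACKAGES = """\
Package: crowdsec
Version: 1.0.9-2
Built-Using: golang-github-appleboy-gin-jwt (= 2.6.4-1),
 golang-github-dgrijalva-jwt-go (= 3.2.0-3)

Package: golang-github-appleboy-gin-jwt-dev
Version: 2.6.4-1
Depends: golang-github-dgrijalva-jwt-go-dev, golang-github-tidwall-gjson-dev

Package: some-other-tool
Version: 0.1-1
Built-Using: golang-github-tidwall-gjson (= 1.6.0-1)
"""

# Built-Using entries always have the form "source (= version)".
BUILT_USING_RE = re.compile(r"([a-z0-9][a-z0-9+.-]*)\s*\(=\s*([^)]+)\)")


def parse_stanzas(text):
    """Split an RFC822-style index into one dict of fields per stanza,
    folding continuation lines (leading whitespace) into the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key is not None:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def parse_built_using(value):
    """'src (= ver), src2 (= ver2)' -> [(src, ver), (src2, ver2)]"""
    return [(m.group(1), m.group(2).strip()) for m in BUILT_USING_RE.finditer(value)]


def packages_embedding(packages_text, source_pkg):
    """Binary packages that statically embed source_pkg, per Built-Using.
    Returns [(binary, binary_version, embedded_source_version)]."""
    hits = []
    for st in parse_stanzas(packages_text):
        for src, ver in parse_built_using(st.get("Built-Using", "")):
            if src == source_pkg:
                hits.append((st["Package"], st["Version"], ver))
    return hits
```

Run against a real Packages index, the result is the rebuild list for a fixed library; a binary that was rebuilt after the fix shows the fixed version in the third tuple element, so the same query doubles as a check that a rebuild actually picked up the patched source.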
