
Request for guidance on recent golang-yaml.v2 update (DLA-3479-1)



Greetings Security Team and Go Team members,

(Note that I am not subscribed to the debian-go mailing list and I
would appreciate being kept in the CC of replies.)

Last month I updated golang-yaml.v2 in buster LTS (DLA-3479-1). This was
work that I took over from another LTS contributor, and since I am not
familiar with updates of Go packages, it seems that I may have
overlooked the need to rebuild rdeps.

A member of the LTS team has prepared a page regarding updates of Go
packages [0], which I only found out about quite recently. However,
in speaking with Sylvain (the author of the page) he noted that the page
has not been reviewed by members of the Go Team or the Security Team.
So, he recommended that I seek specific guidance in this case.

I prepared the update of golang-yaml.v2 and uploaded it. When I found
out about the page I mentioned, I executed the command below (in a
buster chroot):

dose-ceve --deb-native-arch=amd64 -r golang-yaml.v2 -T debsrc debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages | grep-dctrl -n -s Package '' | sort -u

The resulting list of packages (attached) showed that there were 101
rdeps. I would like to request some guidance about how to handle the
situation. 

I am aware that Go based packages have limited support, as per [1].
Thus, I am wondering what, even with limited support, would be
reasonable for us to do.

Do all 101 of the rdeps need to be rebuilt in order for the update I
prepared to be considered complete? Is there some subset that
can/should/must be rebuilt? Is there anything else that I need to do in
relation to this?

Regards,

-Roberto

[0] https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
[1] https://www.debian.org/releases/{buster,bullseye,bookworm}/amd64/release-notes/ch-information.en.html#golang-static-linking

-- 
Roberto C. Sánchez
acmetool
balboa
burrow
consul
consulfs
continuity
debos
dnscrypt-proxy
dnss
docker-libkv
docker-registry
docker.io
etcd
fever
g10k
git-lfs
gitlab-workhorse
go-exploitdb
goiardi
golang-github-aanand-compose-file
golang-github-aelsabbahy-gonetstat
golang-github-appc-cni
golang-github-appc-docker2aci
golang-github-armon-go-metrics
golang-github-blevesearch-bleve
golang-github-canonicalltd-raft-membership
golang-github-canonicalltd-raft-test
golang-github-cloudflare-cfssl
golang-github-cloudflare-redoctober
golang-github-containerd-cgroups
golang-github-coreos-go-systemd
golang-github-coreos-pkg
golang-github-couchbase-moss
golang-github-dnaeon-go-vcr
golang-github-dnephin-cobra
golang-github-docker-engine-api
golang-github-docker-go-connections
golang-github-docker-go-metrics
golang-github-docker-leadership
golang-github-fsouza-go-dockerclient
golang-github-getkin-kin-openapi
golang-github-ghodss-yaml
golang-github-go-chef-chef
golang-github-googleapis-gnostic
golang-github-grpc-ecosystem-go-grpc-prometheus
golang-github-grpc-ecosystem-grpc-gateway
golang-github-hashicorp-memberlist
golang-github-hashicorp-raft
golang-github-hashicorp-raft-boltdb
golang-github-hashicorp-scada-client
golang-github-hashicorp-serf
golang-github-hlandau-dexlogconfig
golang-github-juju-utils
golang-github-juju-version
golang-github-mwitkow-go-conntrack
golang-github-natefinch-lumberjack
golang-github-opencontainers-image-spec
golang-github-prometheus-client-golang
golang-github-prometheus-common
golang-github-prometheus-tsdb
golang-github-samalba-dockerclient
golang-github-spf13-cobra
golang-github-spf13-viper
golang-github-xordataexchange-crypt
golang-go.opencensus
golang-gopkg-natefinch-lumberjack.v2
google-cloud-print-connector
gost
gosu
hugo
influxdb
mender-cli
notary
prometheus
prometheus-alertmanager
prometheus-apache-exporter
prometheus-bind-exporter
prometheus-bird-exporter
prometheus-blackbox-exporter
prometheus-haproxy-exporter
prometheus-mailexporter
prometheus-mongodb-exporter
prometheus-mysqld-exporter
prometheus-nginx-exporter
prometheus-node-exporter
prometheus-postgres-exporter
prometheus-process-exporter
prometheus-pushgateway
prometheus-snmp-exporter
prometheus-sql-exporter
prometheus-squid-exporter
prometheus-varnish-exporter
rclone
restic
runc
sia
slinkwatch
snapd
syncthing
umoci
vuls
