Hi.

We have version 0.25.0 in unstable now. I noticed that there are vulnerabilities in <= 0.35.0:

https://pkg.go.dev/vuln/GO-2025-3487

This affects packages like go-git, which fix this in their 5.14.0 release and need the x-crypto >= 0.35.0 bump.

What is the status of this migration? I know it is late, but low-level crypto vulnerabilities seem serious, and maybe we can get an exception to upload 0.36.0 if we make sure all reverse dependencies build and work?!

I did not look into whether it is possible to back-port any small fix for this, and I suspect there are many other security-related fixes that happened in Go x-crypto between 0.25 and 0.36.

Santiago, you uploaded 0.33 to experimental a month ago; did you perform any reverse builds of all packages in Debian using it?

How about uploading 0.36 to experimental now and testing using the latest release? I can do that; it seems safe regardless of what will happen in unstable.

/Simon