
Re: [SECURITY] [DLA 1664-1] golang security update

On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
>> that use this library?
> Yeah, that's what I was implying, sorry if that was unclear... I'm not
> actually sure how that works. I assume it's a bunch of binNMUs,

Note that, because the security archive is a separate dak instance, it
doesn't contain all the sources from the main archive, only those that were
specifically uploaded to -security. Meaning: we can't binNMU packages that are
not in the security archive; they will need sourceful uploads instead (unless an
ftp-master uses some magic to copy packages to -security; I know there are plans
to make -security synced with the main archive, but it hasn't happened yet).

See how Markus handled the agg (header-only lib) security update by following up
with no-change uploads of the two rdeps.

> but we
> first need to figure out which packages actually use that specific lib.

The golang maintainers use the Built-Using field to keep track of what is using
what and what packages need to be rebuilt (e.g. when golang-defaults is
updated). But that may not be good enough in this case if only a part of golang
is affected. Better ask the golang or the security team to see how they handled it.
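As an added illustration of the Built-Using lookup described in this reply (example code, not from the mailing list or the Debian golang team), the following POSIX shell function walks a Packages index and lists every binary package whose Built-Using field names a given source package. The stanzas in SAMPLE_PACKAGES are constructed sample data with made-up package names and versions; against a real archive you would feed it an actual Packages file (or use grep-dctrl from dctrl-tools for the same query).

```shell
#!/bin/sh
# Added example: derive a rebuild list for a statically linked Go library
# from the Built-Using field of a Debian Packages index.
# SAMPLE_PACKAGES is constructed test data, not real archive content.

SAMPLE_PACKAGES='Package: go-tool-a
Version: 1.0-1
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.5-1), golang-lib-x (= 0.1-1)

Package: plain-c-tool
Version: 2.0-1
Architecture: amd64

Package: go-tool-b
Version: 3.1-2
Architecture: amd64
Built-Using: golang-1.11 (= 1.11.5-1), golang-lib-y (= 0.4-3)
'

# rebuild_list SOURCE PACKAGES_TEXT
# Prints, one per line (sorted, de-duplicated), the names of binary packages
# whose Built-Using field lists SOURCE. SOURCE is matched as a whole token,
# so "golang-lib-x" does not match "golang-lib-xy".
rebuild_list() {
    src="$1"
    pkgs="$2"
    printf '%s\n' "$pkgs" | awk -v src="$src" '
        # A blank line ends a stanza: emit the name if it matched, then reset.
        /^$/ { if (hit) print name; name = ""; hit = 0; next }
        /^Package: / { name = $2 }
        /^Built-Using: / {
            sub(/^Built-Using: /, "")
            # Entries are comma-separated "source (= version)" pairs.
            n = split($0, parts, /, */)
            for (i = 1; i <= n; i++) {
                split(parts[i], tok, " ")
                if (tok[1] == src) hit = 1
            }
        }
        # Handle a final stanza that is not followed by a blank line.
        END { if (hit) print name }
    ' | sort -u
}

# Usage: rebuild_list golang-1.11 "$SAMPLE_PACKAGES"
```

The output is the set of packages that would need a no-change (or sourceful, per the archive caveat above) rebuild once the named source is fixed; packages with no Built-Using field, like plain-c-tool here, are skipped.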
