Re: [SECURITY] [DLA 1664-1] golang security update
On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
>> that use this library?
> Yeah, that's what I was implying, sorry if that was unclear... I'm not
> actually sure how that works. I assume it's a bunch of binNMUs,
Note that because the security archive is a separate dak instance, it doesn't
contain all the sources from the main archive, only those that were specifically
uploaded to -security. Meaning: we can't binNMU packages that are not in the
security archive; they will need sourceful uploads instead (unless an ftp-master
uses some magic to copy packages to -security; I know there are plans to make
-security synced with the main archive, but it hasn't happened yet).
See how Markus handled the agg (header-only lib) security update by following up
with no-change uploads of the two rdeps.
> but we
> first need to figure out which packages actually use that specific lib.
The golang maintainers use the Built-Using field to keep track of what is using
what and which packages need to be rebuilt (e.g. when golang-defaults is
updated). But that may not be good enough in this case if only a part of golang
is affected. Better ask the golang maintainers or the security team to see how they handled it.