Re: [SECURITY] [DLA 1664-1] golang security update

Hi Holger,

On Wed, Feb 06, 2019 at 11:24:34PM +0000, Holger Levsen wrote:
> Dear golang maintainers and security team,
> this came up on the LTS mailing list...
> On Wed, Feb 06, 2019 at 11:42:12PM +0100, Chris Lamb wrote:
> > > all golang Debian packages are (as elsewhere) statically compiled
> > > and linked so we'd need to rebuild all the rdeps
> > Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
> > that use this library?
> how was this handled for DSA-4379 and 4380?

The point we discussed with Tobias Quathamer was boiling down to:

> But if there are any Go-based applications in stretch which are affected by
> the ECC issue, we could schedule binNMUs by the next stretch point release.

There is no sensible way to schedule binNMUs via security. So far none
appeared AFAIK.


