
Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

On 08.02.2019 at 17:31, Chris Lamb wrote:
> Hi Tobias,
>> $ grep-dctrl -FBuild-Depends golang-go -w -sPackage
>> /var/lib/apt/lists/*Sources
> [..]
>> Please note that there are probably a lot of false positives in this
>> list, because not every package uses crypto/elliptic.
> Indeed. So how reliable would it be to look for "crypto/elliptic"
> and skip those? I fear that might accidentally exclude packages due
> to transitive imports / Build-Depends or similar?
> Or: should I just save effort and upload the lot?

Hi Chris,

I've just recently joined the go compiler team, so I'm not an expert --
but from my understanding, there should be no transitive imports in this
specific case.

If I understand you correctly, you mean that package "A" does not use
crypto/elliptic itself, but Build-Depends on package "B", which *does*
use crypto/elliptic, right?

The golang compiler itself is affected, so any package ("A" in the
example) which Build-Depends on a -dev package which uses
crypto/elliptic ("B" in the example) should also have a Build-Depends on
golang-go. Therefore, I think it would be safe to skip all packages
which only produce a -dev package.

With that in mind, the list gets much shorter. Is there an easy way to
find out if a source package produces only the -dev binary package? One
hint at finding the right packages would be that the -dev packages are
arch:all, while other binary packages are arch:any.

Does this help and/or make sense? :-)

>> Please note that I was not able to get build-rdeps to run in a
>> jessie chroot
> (Ah, not just me then; I needed to hack the "sid|unstable" bit in
> the code but didn't want to yak-shave that at the time!)

:-) Nice to know, I was at a loss in that chroot, only wondering how the
hell you got that command to run ...

