[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

Am 08.02.2019 um 20:46 schrieb Dr. Tobias Quathamer:
> With that in mind, the list gets much shorter. Is there an easy way to
> find out if a source package produces only the -dev binary package? One
> hint at finding the right packages would be that the -dev packages are
> arch:all, while other binary packages are arch:any.

It's surely not the most elegant approach, but I've taken the list from
build-rdeps and saved it in a file called "packages.txt". Then I've used
the following commandline to find all source packages which produce a
binary package which is not arch:all.

$ for i in `cat packages.txt`; do grep-dctrl --regex -FPackage ^$i --and
--not -FArchitecture all -sPackage -n /var/lib/apt/lists/*Sources; done

This gets you a list with some false positives, because those false
positive packages are wrongly marked as arch:any instead of arch:all.
They only contain go source code and are not compiled, so they don't
need a rebuild with the fixed golang compiler.

The remaining packages on the list maybe need a rebuild for jessie:


If you'd like, you could probably boil this list further down by
grepping for crypto/elliptic in the package's source code.

>>> Please note that I was not able to get build-rdeps to run in a
>>> jessie chroot
>> (Ah, not just me then; I needed to hack the "sid|unstable" bit in
>> the code but didn't want to yak-shave that at the time!)
> :-) Nice to know, I was at a loss in that chroot, only wondering how the
> hell you got that command to run ...

Oh well, just RTFM. I've discovered a helpful option:
$ build-rdeps --distribution jessie golang-go



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: