
Re: [SECURITY] [DLA 1664-1] golang security update



Hi Holger,

On Wed, Feb 06, 2019 at 11:24:34PM +0000, Holger Levsen wrote:
> Dear golang maintainers and security team,
> 
> this came up on the LTS mailing list...
> 
> On Wed, Feb 06, 2019 at 11:42:12PM +0100, Chris Lamb wrote:
> > > all golang Debian packages are (as elsewhere) statically compiled
> > > and linked so we'd need to rebuild all the rdeps
> > Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
> > that use this library?
> 
> how was this handled for DSA-4379 and 4380?

The point we discussed with Tobias Quathamer was boiling down to:

> But if there are any Go-based applications in stretch which are affected by
> the ECC issue, we could schedule binNMUs by the next stretch point release.

There is no sensible way to schedule binNMUs via security. So far none
appeared AFAIK.

Regards,
Salvatore

