Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

To: "Dr. Tobias Quathamer" <toddy@debian.org>, pkg-golang-devel@lists.alioth.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
From: Chris Lamb <lamby@debian.org>
Date: Fri, 08 Feb 2019 17:31:05 +0100
Message-id: <[🔎] 1549643465.1570497.1653807240.011EC3B6@webmail.messagingengine.com>
In-reply-to: <[🔎] af840525-22d9-63c8-a227-bd9273042ef6@debian.org>
References: <1549487846.1383386.1652418456.3E7F3504@webmail.messagingengine.com> <[🔎] 87sgx0czxg.fsf@curie.anarc.at> <[🔎] 1549492932.1416963.1652472560.7AF26085@webmail.messagingengine.com> <[🔎] 20190206232434.kkewmke2k4nvzchc@layer-acht.org> <[🔎] 20190208080249.GA1565@eldamar.local> <[🔎] 20190208112430.asu5lh3alyb7ze43@layer-acht.org> <[🔎] 1549639248.842811.1653755776.05F5FF4D@webmail.messagingengine.com> <[🔎] af840525-22d9-63c8-a227-bd9273042ef6@debian.org>

Hi Tobias,

> $ grep-dctrl -FBuild-Depends golang-go -w -sPackage
> /var/lib/apt/lists/*Sources
[..]
> 
> Please note that there are probably a lot of false positives in this
> list, because not every package uses crypto/elliptic.

Indeed. So how reliable would it be to look for "crypto/elliptic"
and skip those? I fear that might accidentally exclude packages due
to transitive imports / Build-Depends or similar?

Or: should I just save effort and upload the lot?

> Please note that I was not able to get build-rdeps to run in a
> jessie chroot

(Ah, not just me then; I needed to hack the "sid|unstable" bit in
the code but didn't want to yak-shave that at the time!)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: "Dr. Tobias Quathamer" <toddy@debian.org>

References:
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: "Dr. Tobias Quathamer" <toddy@debian.org>

Prev by Date: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Next by Date: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Previous by thread: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Next by thread: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Index(es):
- Date
- Thread