Re: golang-go.crypto / CVE-2019-11841
On 09/10/2020 00:23, Brian May wrote:
> We probably need some way of keeping track of what packages have already
> been looked at and their status with respect to this rebuild. Not really
> convinced data/dla-needed.txt is up to this task.

I would look for an automated way to do this. E.g. by downloading and inspecting
the binaries to see if they have the affected code.
I think Adrian handled a go update and its rdeps in the past. Adding him to Cc
in case he has any ideas.

> However now I also realise another limitation in the above list. It
> probably won't mention, for example, packages that build-depend on
> golang-github-pkg-sftp-dev which depends on golang-golang-x-crypto-dev.

IIRC there was a tool that would help you with recursive deps of build-deps.
Indeed, at least reverse-build-depends has a --recursive switch. So you could
combine this with an automated check for the above to find what needs to be built.
You could also talk to the Go team. They may already have tools to find what
packages need to be rebuilt after a module is updated, or at least some feedback
on how to look for them.
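
The transitive lookup discussed in this message (packages that build-depend on the updated -dev package directly, or on another -dev package whose Depends reach it), as an added example that is not part of the original thread. The package index data is constructed; apart from the two -dev names quoted in the message, every package name is hypothetical, and single-line deb822 fields are assumed.

```python
import re
from collections import defaultdict

# Constructed sample indices in deb822 style (not real archive contents);
# only the first two -dev package names come from the message above.
PACKAGES = """\
Package: golang-golang-x-crypto-dev

Package: golang-github-pkg-sftp-dev
Depends: golang-github-kr-fs-dev, golang-golang-x-crypto-dev (>= 1:0.0~git20170629)

Package: golang-example-unrelated-dev
Depends: golang-github-kr-fs-dev
"""
SOURCES = """\
Package: example-sftp-client
Build-Depends: debhelper (>= 11), golang-any, golang-github-pkg-sftp-dev

Package: example-ssh-tool
Build-Depends: golang-any, golang-golang-x-crypto-dev | golang-go.crypto-dev

Package: example-other
Build-Depends: golang-any, golang-example-unrelated-dev
"""

def stanzas(text):
    """Yield each stanza as a dict of field name to value (single-line fields only)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield dict(line.split(": ", 1) for line in block.splitlines())

def names(field):
    """Package names in a dependency field, without versions, arch tags or '|' bars."""
    return {re.split(r"[\s(\[:]", alt.strip(), maxsplit=1)[0]
            for item in field.split(",") for alt in item.split("|") if alt.strip()}

def rebuild_candidates(fixed_dev, packages=PACKAGES, sources=SOURCES):
    """Source packages whose Build-Depends reach fixed_dev directly or via -dev Depends."""
    rdeps = defaultdict(set)              # binary package -> binaries that depend on it
    for st in stanzas(packages):
        for dep in names(st.get("Depends", "")):
            rdeps[dep].add(st["Package"])
    tainted, todo = {fixed_dev}, [fixed_dev]
    while todo:                           # transitive closure over binary Depends
        for pkg in rdeps[todo.pop()] - tainted:
            tainted.add(pkg)
            todo.append(pkg)
    return sorted(st["Package"] for st in stanzas(sources)
                  if names(st.get("Build-Depends", "")) & tainted)
```

The result is a list of candidates only; whether each built binary actually contains the affected code still needs the separate check on the binaries suggested earlier in the message.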