Re: golang-go.crypto / CVE-2019-11841
- To: Emilio Pozuelo Monfort <pochu@debian.org>, Utkarsh Gupta <utkarsh@debian.org>
- Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
- Subject: Re: golang-go.crypto / CVE-2019-11841
- From: Brian May <bam@debian.org>
- Date: Tue, 10 Nov 2020 09:33:13 +1100
- Message-id: <878sbaf9ee.fsf@canidae.wired.pri>
- In-reply-to: <87blg7fpjk.fsf@canidae.wired.pri>
- References: <87k0xes8kr.fsf@canidae.wired.pri> <CABY6=0nbk71vcgXX3yHeKmm1kYZi=+PduFCbiyNCDx8WXDwEQA@mail.gmail.com> <871rjbq50z.fsf@canidae.wired.pri> <CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com> <87k0x2edaf.fsf@canidae.wired.pri> <CABY6=0=xDdOo1RH9iJiG=xS0T=GaQ48k+w-RSoLPSbTDcZxCUA@mail.gmail.com> <871rj6m8jr.fsf@canidae.wired.pri> <CABY6=0ku8-9tztUoYS_nU=jX_aUP_VVhyGyZefS+a3jh=tv--A@mail.gmail.com> <87a6x1ism5.fsf@canidae.wired.pri> <CAPP0f95wioPcjGJcdr5-asTvnF2Wfq-JC+fhL=7ORiKnr1P97A@mail.gmail.com> <877ds5ir5a.fsf@canidae.wired.pri> <CAPP0f95oKvN+F2mZrscoGx-Ji+=PUcGopL+HusTd47gp6oakQQ@mail.gmail.com> <87y2kjghen.fsf@canidae.wired.pri> <0f05e2e5-a26d-179f-18d4-c4abdddc5fec@debian.org> <87k0w15edd.fsf@silverfish.pri> <3722204c-542e-7be2-f4a5-49c1cfbcc472@debian.org> <87h7r55dd9.fsf@silverfish.pri> <3388c95b-f3dc-f63c-a927-453c3380c088@debian.org> <87lfgggxw5.fsf@canidae.wired.pri> <87k0v0g3y6.fsf@canidae.wired.pri> <87blg7fpjk.fsf@canidae.wired.pri>
Brian May <bam@debian.org> writes:
> What is the process for rebuilding these in stretch LTS? Do I need to
> add entries to dla-needed.txt and claim these entries?
I might need help here:
=== cut ===
Debian FTP Masters <ftpmaster@ftp-master.debian.org> (28 mins. ago) ()
Subject: rclone_1.35-1+deb8u1_amd64.changes REJECTED
To: dak@security.debian.org, bam@debian.org
Date: Mon, 09 Nov 2020 21:50:14 +0000
golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb: Built-Using refers to non-existing source package go-md2man (= 1.0.6+ds-1)
===
Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.
=== cut ===
go-md2man is in stretch, not stretch-security. But I don't see any
reference to the package in the source:
=== cut ===
$ grep -r go-md2man
Godeps/Godeps.json: "ImportPath": "github.com/cpuguy83/go-md2man/md2man",
=== cut ===
If I look at the binary package however, I have this "Built-Using"
header:
=== cut ===
root@a852fb6a8d37:/tmp/brian/tmphbdhga9l/build/amd64# dpkg -I golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb
new debian package, version 2.0.
size 177936 bytes: control archive=6263 bytes.
2753 bytes, 16 lines control
17449 bytes, 177 lines md5sums
Package: golang-github-ncw-rclone-dev
Source: rclone
Version: 1.35-1+deb8u1
Architecture: all
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Installed-Size: 1059
Depends: golang-bazil-fuse-dev, golang-github-aws-aws-sdk-go-dev, golang-github-mreiferson-go-httpclient-dev, golang-github-ncw-go-acd-dev, golang-github-ncw-swift-dev, golang-github-pkg-errors-dev, golang-github-rfjakob-eme-dev, golang-github-skratchdot-open-golang-dev, golang-github-spf13-cobra-dev, golang-github-spf13-pflag-dev, golang-github-stacktic-dropbox-dev, golang-github-stretchr-testify-dev, golang-github-tsenart-tb-dev, golang-github-unknwon-goconfig-dev, golang-github-vividcortex-ewma-dev, golang-golang-x-crypto-dev, golang-golang-x-net-dev, golang-golang-x-oauth2-google-dev, golang-golang-x-sys-dev, golang-golang-x-text-dev, golang-google-api-dev
Built-Using: go-md2man (= 1.0.6+ds-1), golang-1.7 (= 1.7.4-2+deb9u1), golang-bazil-fuse (= 0.0~git20160811.0.371fbbd-2), golang-blackfriday (= 1.4+git20161003.40.5f33e7b-1), golang-github-aws-aws-sdk-go (= 1.1.14+dfsg-2), golang-github-davecgh-go-spew (= 1.1.0-1), golang-github-go-ini-ini (= 1.8.6-2), golang-github-google-go-querystring (= 0.0~git20151028.0.2a60fc2-1), golang-github-jmespath-go-jmespath (= 0.2.2-2), golang-github-ncw-go-acd (= 0.0~git20161119.0.7954f1f-1), golang-github-ncw-swift (= 0.0~git20160617.0.b964f2c-2), golang-github-pkg-errors (= 0.8.0-1), golang-github-pmezard-go-difflib (= 1.0.0-1), golang-github-rfjakob-eme (= 1.0-2), golang-github-shurcool-sanitized-anchor-name (= 0.0~git20160918.0.1dba4b3-1), golang-github-skratchdot-open-golang (= 0.0~git20160302.0.75fb7ed-2), golang-github-spf13-cobra (= 0.0~git20161229.0.1dd5ff2-1), golang-github-spf13-pflag (= 0.0~git20161024.0.5ccb023-1), golang-github-stacktic-dropbox (= 0.0~git20160424.0.58f839b-2), golang-github-tsenart-tb (= 0.0~git20151208.0.19f4c3d-2), golang-github-unknwon-goconfig (= 0.0~git20160828.0.5aa4f8c-3), golang-github-vividcortex-ewma (= 0.0~git20160822.20.c595cd8-3), golang-go.crypto (= 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1), golang-golang-x-net-dev (= 1:0.0+git20161013.8b4af36+dfsg-3), golang-golang-x-oauth2 (= 0.0~git20161103.0.36bc617-4), golang-golang-x-sys (= 0.0~git20161122.0.30237cf-1), golang-google-api (= 0.0~git20161128.3cc2e59-2), golang-google-cloud (= 0.5.0-2), golang-testify (= 1.1.4+ds-1), golang-x-text (= 0.0~git20161013.0.c745997-2)
Section: devel
Priority: extra
Homepage: https://github.com/ncw/rclone
Description: go source code of rclone
Rclone is a program to sync files and directories between the local
file system and a variety of commercial cloud storage providers.
.
This package contains rclone's source code.
=== cut ===
What is this "Built-Using" header? Where does it come from? Do I have to
upload everything in "Built-Using" to stretch-security first? Why?
How do I resolve this in a sane and sensible manner?
--
Brian May <bam@debian.org>
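The rejection quoted above comes down to one rule: every "source (= version)" pair in a binary package's Built-Using field must name a source package that exists in the target archive, because Built-Using records source packages whose contents were incorporated into the binary at build time (Debian Policy section 7.8). The script below is an added example, not code from the original mail or from dak; it parses a Built-Using field and reports the references that are absent from a stand-in Sources list, so a maintainer can spot a rejection like the go-md2man one before uploading. The Built-Using string is shortened from the dpkg -I output above, and the SOURCES list is constructed for the example (it assumes only golang-1.7 and golang-blackfriday are present in the target suite); in practice it would be built from the suite's Sources index.

```shell
#!/bin/sh
# Added example (not part of the original thread): check each Built-Using
# reference of a binary package against the source packages known to the
# target suite, mirroring the "refers to non-existing source package"
# rejection quoted in the mail.
set -eu

# Constructed input: the first three entries of the Built-Using field
# shown by "dpkg -I golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb".
BUILT_USING='go-md2man (= 1.0.6+ds-1), golang-1.7 (= 1.7.4-2+deb9u1), golang-blackfriday (= 1.4+git20161003.40.5f33e7b-1)'

# Constructed stand-in for the target suite's Sources index, one
# "source version" pair per line. Assumption for this example: go-md2man
# is not present there, the other two are.
SOURCES='golang-1.7 1.7.4-2+deb9u1
golang-blackfriday 1.4+git20161003.40.5f33e7b-1'

# Turn "a (= 1), b (= 2)" into one "a 1" / "b 2" pair per line.
parse_built_using() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -e 's/^ *//' -e 's/ (= \(.*\))$/ \1/'
}

# Print every "name version" pair from the Built-Using field ($1) that has
# no exact match in the sources list ($2). Prints nothing when all are present.
missing_built_using() {
    parse_built_using "$1" | while read -r name version; do
        if ! printf '%s\n' "$2" | grep -qxF "$name $version"; then
            printf '%s %s\n' "$name" "$version"
        fi
    done
}

missing=$(missing_built_using "$BUILT_USING" "$SOURCES")
if [ -n "$missing" ]; then
    printf 'Built-Using refers to non-existing source package(s):\n%s\n' "$missing"
else
    echo 'all Built-Using references are present in the target suite'
fi
```

Run against a real upload, feed `missing_built_using` the Built-Using line from `dpkg -I` and a "source version" list extracted from the target suite's Sources index; any line it prints is a reference the archive will reject.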