Hi,
According to debian-security-support, golang packages are not
"unsupported" but with "limited support".
Currently some packages are updated in stable and rdeps are manually
bin-num'd (e.g. #946467), see also
https://www.debian.org/News/2020/20200718 for stretch-before-LTS.
It looks like golang will be fully supported in bullseye, so IMHO we'd
rather prepare to handle some critical golang updates and not mass-EOL
these packages.
Cheers!
Sylvain
On 17/05/2021 09:20, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> I have a question about go package support.
>
> The question is whether we should try to support it in LTS or not:
> According to this we do not give security support for go packages in
> buster.
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
> <https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking>
>
> There is also a discussion thread about adding this kind of information
> to debian-security-support package, but there are concerns about
> wildcards being a little too noisy.
>
> I can also see a note in dla-needed for Thorsten working on automating
> go updates.
>
> My thinking is that we should remove these packages from dla-needed.txt
> file and mark the CVE entries as EOL.
>
> Alternatively make some statement that we do in fact intend to make
> these updates even though they are not done for buster. Buf in that
> case, what is the motivation for making such updates for oldstable when
> there is no plan to do is for stable.
>
> What do you think?