
Re: Golang packages



Hi,

For golang-gogoprotobuf, given that (AFAIK) the Go maintainers didn't answer your request for comment, given that the vulnerability includes 2 levels of rdeps (statically generated library sources + static library linking) implying dozens of DLAs, given that buster doesn't have an update, and given that the conversation died 2 months ago, I think we can mark it as no-dsa now.

Cheers!
Sylvain

On 17/05/2021 11:57, Ola Lundqvist wrote:
Hi

Ok, thanks for the clarification.

But we should then generally mark golang updates as no-dsa unless they are critical, right? For example, it is rather questionable whether we should fix golang-gogoprotobuf at all.

// Ola

On Mon, 17 May 2021 at 11:44, Sylvain Beucler <beuc@beuc.net> wrote:

    Hi,

    According to debian-security-support, golang packages are not
    "unsupported" but with "limited support".
    Currently some packages are updated in stable and rdeps are manually
    binNMU'd (e.g. #946467), see also
    https://www.debian.org/News/2020/20200718 for stretch-before-LTS.
    It looks like golang will be fully supported in bullseye, so IMHO we'd
    rather prepare to handle some critical golang updates and not mass-EOL
    these packages.

    Cheers!
    Sylvain

    On 17/05/2021 09:20, Ola Lundqvist wrote:
     > Hi fellow LTS contributors
     >
     > I have a question about go package support.
     >
     > The question is whether we should try to support it in LTS or not:
     > According to this we do not give security support for go packages in
     > buster.
     >
     > https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
     >
     > There is also a discussion thread about adding this kind of
    information
     > to debian-security-support package, but there are concerns about
     > wildcards being a little too noisy.
     >
     > I can also see a note in dla-needed for Thorsten working on
    automating
     > go updates.
     >
     > My thinking is that we should remove these packages from
    dla-needed.txt
     > file and mark the CVE entries as EOL.
     >
     > Alternatively, make some statement that we do in fact intend to make
     > these updates even though they are not done for buster. But in that
     > case, what is the motivation for making such updates for oldstable when
     > there is no plan to do so for stable.
     >
     > What do you think?



--
  --- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com  opal@debian.org                                |
| http://inguza.com/                Mobile: +46 (0)70-332 1551   |
  ---------------------------------------------------------------