
Re: Golang packages



Ola Lundqvist <ola@inguza.com> writes:

> I can also see a note in dla-needed for Thorsten working on automating go
> updates.

I did a bit of work trying to automate go updates on my system:

* Identifying what packages need to be updated.
* Downloading said packages.
* Rebuilding.
* Uploading.

But there are still a lot of manual steps:

* Confirm that it is OK to add dependencies to dla-needed.txt
* Adding list of dependencies to dla-needed.txt, ensuring no conflicts.
* Reserve DLA for each package uploaded.
* Create DLA email for each package uploaded.
* Add DLA to website.
* Ping ftp-master when the upload fails.
* etc

And then what could happen (at least in theory) is that now I have
resolved this vulnerability, I start investigating another security
vulnerability that has a similar set of dependencies that require
rebuilding. Uploading these again is not a good outcome. It would be
better to fix all the root packages at once, and then upload all the
dependencies.

Maybe we need a way of identifying all the dependencies at triage time,
and somehow(?) manage them better at triage time. Although my gut
feeling is we might be coming to the limits of what we can manage with a
simple text based dla-needed.txt file.

I am also a bit uneasy with the requirement for a separate DLA for each
and every package that needs to be uploaded. Could create a lot of
noise. Not sure I see any solutions though.

I think in the future (if we are not already there) we could easily have
a similar situation with Rust, which I also believe likes to embed code.
-- 
Brian May <bam@debian.org>
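The "identify what needs rebuilding" step from the message above, written out as an added example (this is not code from the original post, nor from the Debian LTS tooling). Because Go binaries statically embed their library dependencies, fixing a golang-*-dev source package only helps once every source package that transitively build-depends on it is rebuilt against the fixed version. The script parses a deb822 Sources index, computes the transitive reverse build-dependencies of one or more fixed "root" packages, merges several roots into a single rebuild set so shared dependents are uploaded once, and orders the uploads so no package is rebuilt before the libraries it embeds. The SOURCES_INDEX below is a constructed sample with hypothetical package names and versions (no real archive data); pointing parse_sources() at a real Sources file is left to the reader.

```python
"""Find and order the Go source packages to rebuild after fixing a library.

SOURCES_INDEX is a constructed sample in Debian's deb822 Sources format;
the package names and versions are hypothetical.
"""
import re
from collections import defaultdict, deque

SOURCES_INDEX = """\
Package: golang-example-text
Binary: golang-example-text-dev
Version: 0.3.0-1
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any

Package: golang-example-net
Binary: golang-example-net-dev
Version: 0.1.0-1
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any, golang-example-text-dev (>= 0.3.0)

Package: golang-example-dns
Binary: golang-example-dns-dev
Version: 1.0.4-1
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any, golang-example-net-dev

Package: golang-example-websocket
Binary: golang-example-websocket-dev
Version: 1.4.0-1
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any

Package: example-monitor
Binary: example-monitor, example-monitor-common
Version: 2.7.1-3
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any,
 golang-example-websocket-dev, golang-example-net-dev,
 golang-example-dns-dev [linux-any]

Package: example-resolver
Binary: example-resolver
Version: 2.0.19-2
Build-Depends: debhelper-compat (= 12), dh-golang, golang-any, golang-example-dns-dev <!nocheck>
"""

# Version constraints "(>= 1.0)", arch qualifiers "[linux-any]" and build
# profiles "<!nocheck>" are noise for dependency-graph purposes.
_QUALIFIER = re.compile(r"\s*(\([^)]*\)|\[[^\]]*\]|<[^>]*>)")


def parse_build_depends(field):
    """Binary package names in a Build-Depends field. Every alternative of
    'a | b' is kept: either may be what the build actually embeds."""
    names = set()
    for entry in field.split(","):
        for alt in entry.split("|"):
            name = _QUALIFIER.sub("", alt).strip()
            if name:
                names.add(name)
    return names


def parse_sources(text):
    """deb822 Sources -> {source: {"binaries": set, "build_depends": set}}."""
    sources = {}
    for paragraph in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in paragraph.splitlines():
            if line[:1].isspace():          # folded continuation line
                fields[key] += " " + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        sources[fields["Package"]] = {
            "binaries": {b.strip() for b in fields.get("Binary", "").split(",") if b.strip()},
            "build_depends": parse_build_depends(fields.get("Build-Depends", "")),
        }
    return sources


def reverse_build_depends(sources):
    """source -> set of sources that build-depend on one of its binaries."""
    binary_to_source = {b: s for s, info in sources.items() for b in info["binaries"]}
    rdeps = defaultdict(set)
    for src, info in sources.items():
        for dep in info["build_depends"]:
            provider = binary_to_source.get(dep)
            if provider and provider != src:
                rdeps[provider].add(src)
    return rdeps


def rebuild_set(roots, rdeps):
    """All sources that transitively embed any of the fixed roots."""
    seen, queue = set(), deque(roots)
    while queue:
        for dependent in rdeps.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen - set(roots)


def upload_order(roots, rdeps):
    """Roots plus their rebuild set, ordered so each package is uploaded only
    after every affected library it embeds (otherwise the rebuild would just
    link the old, still-vulnerable code again). Kahn's algorithm over the
    affected subgraph; ties broken alphabetically for reproducibility."""
    affected = set(roots) | rebuild_set(roots, rdeps)
    indegree = {pkg: 0 for pkg in affected}
    for lib, dependents in rdeps.items():
        if lib in affected:
            for d in dependents:
                if d in affected:
                    indegree[d] += 1
    ready, order = sorted(p for p, n in indegree.items() if n == 0), []
    while ready:
        pkg = ready.pop(0)
        order.append(pkg)
        for d in sorted(rdeps.get(pkg, ())):
            if d in indegree:
                indegree[d] -= 1
                if indegree[d] == 0:
                    ready.append(d)
                    ready.sort()
    if len(order) != len(affected):
        raise ValueError("build-dependency cycle among %s" % sorted(affected - set(order)))
    return order


if __name__ == "__main__":
    rdeps = reverse_build_depends(parse_sources(SOURCES_INDEX))
    for roots in (["golang-example-text"], ["golang-example-websocket"],
                  ["golang-example-text", "golang-example-websocket"]):
        print("fix %-45s rebuild %s" % (", ".join(roots), sorted(rebuild_set(roots, rdeps))))
    print("upload order:", upload_order(["golang-example-text", "golang-example-websocket"], rdeps))
```

Two points a practitioner would want to keep in mind: Build-Depends over-approximates, since a package may build-depend on a library it never links; the Built-Using field that dh-golang records on the shipped binary packages is the precise record of what was actually embedded, and cross-checking the rebuild set against it avoids needless uploads. And the merged run over several roots is exactly the "fix all the root packages at once, then upload all the dependencies" outcome the message asks for: example-monitor appears once in the combined set although it embeds both roots.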

