Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

[Tianon Gravi <admwiggin@gmail.com>]

On 5 November 2015 at 06:23, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> Do you have an estimate of how many packages that would be? I looked at
> the output of "dak rm -Rn -s stable golang" and made various sad faces.

That sad face is 100% warranted. :(  I don't know the number off-hand,
but I imagine it's pretty large by now.

> (Also, do -dev packages that are architecture-dependent also need
> rebuilding? I wasn't clear from your description, but for instance:
>
> golang-websocket-dev | 0.0~git20140119-1           | stable          | amd64, armel, armhf, i386
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing         | all
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | unstable        | all
> )

Right -- I meant -dev packages which are arch:all, since they're going
to just be full of .go files.  Any that aren't _probably_ contain a
binary, and thus would need a rebuild (or a maintainer made a mistake
and it's really supposed to be an arch:all package, but I don't think
we've got many of those left).

>> To Salvatore's comment, I'd be happy to update to include the fix for
>> that too if RT is OK with it. :)  (Meanwhile will work on getting a
>> fix for it into unstable.)
>
> It doesn't look like that happened yet? (Or the Security Tracker hasn't
> been updated.)

I think this is a case of the security tracker not being updated:

| golang (2:1.4.3-1) unstable; urgency=medium
|
|  * New upstream version
(https://golang.org/doc/devel/release.html#go1.4.minor)
|    - includes previous CVE and non-CVE security fixes, especially
|      TEMP-0000000-1C4729
|
|  -- Tianon Gravi <tianon@debian.org>  Fri, 25 Sep 2015 00:02:31 -0700

(Upstream made a 1.4.3 release that is 1.4.2 + CVE and security fixes.)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4