
Re: Revert some Go packages in unstable to align with testing/buster



Hi Shengjing, golang maintainers,

On 27-05-2019 05:25, Shengjing Zhu wrote:
> On Mon, May 27, 2019 at 2:04 AM Shengjing Zhu <zhsj@debian.org> wrote:
> [...]
>> The following are all the affected packages, generated by [2]:
>>
> 
> This list is now at
> https://wiki.debian.org/Teams/DebianGoTeam/AlignUnstableWithBuster

This list hasn't been updated since. Does that mean that also no uploads
happened? When are you planning to do that?

Just for your information, the golang security situation is the major
reason why we don't have a release date for buster yet. I hope the
Debian golang community is taking the situation very seriously.

On that topic, I'd like to take this opportunity to say that soon after
the release of buster we will most likely remove Go and its reverse
dependencies from testing and prevent them from entering again until the
infrastructure issues are solved. We may release buster with the golang
ecosystem, but Go based packages will be marked without support via
security.debian.org until that moment as well. Updates can only go via
point releases. When the infrastructure issues are solved during the
buster life cycle, Go based packages in buster can be supported from
that moment on.

I realize that the underlying problem isn't perfectly clear. I
understand from various people that the situation is complex with all
kinds of subtleties. Making sure the problem is well understood and the
path(s) to the solution(s) is clear is an extremely useful contribution
to solving the support issue.

And for the avoidance of doubt, yes, other static linking languages have
the same fundamental issue. The security team claims that these
languages haven't seen many security issues yet so there is no worry yet
to support those. Hence most involved teams and people expect initiative
from the golang community to fix the situation in cooperation with the
involved teams.

Paul
PS: I am still seeing new upstream version uploads to unstable. I would
have expected that it is clear by now that probably isn't smart. At the
very least, it doesn't send a good message.
