Re: Go issues wrt. Debian infrastructure: moving forward
On Mon, Aug 31, 2020 at 08:37:05PM +0200, Emilio Pozuelo Monfort wrote:
> On 31/08/2020 20:29, Moritz Mühlenhoff wrote:
> > On Sat, Aug 29, 2020 at 10:18:57PM +0200, Clément Hermann wrote:
> >> Other than that, I don't think there are, my understanding was that the
> >> missing orig.tar.gz when dealing with a lot of new packages in the
> >> security archive was the main blocker on ftp-master plate.
> >
> > I think so, too. That should resolve the tooling issues and only leave
> > the implementation of how to detect what needs to be rebuilt.
>
> For that, take a look at the tool generating the haskell and ocaml binNMU list,
> see [1] and [2] and the source in [3]. You may want to contribute and extend
> that tool to support golang, or at least reuse the output format (both the
> wanna-build and the json one).
The packages that do *not* get rebuilt during transitions of ecosystems
that are based on static libraries like Haskell are the actual programs
like git-annex. Transitions only handle dependencies between static
libraries.
And the problem is a bit different for ecosystems where libraries are
static libraries, and ecosystems where "libraries" are binary-all
packages like Go.
For a security fix in code shipped by the Haskell compiler a 26 level
transition involving 1k package is necessary in stable.
For a security fix in the package shipped with Go compiler[1] it is
sufficient to just binNMU the 100 leaf packages containing programs
written in Go.
> Cheers,
> Emilio
>
> [1] https://people.debian.org/~nomeata/binNMUs-haskell.txt
> [2] https://people.debian.org/~nomeata/binNMUs-ocaml.txt
> [3] https://salsa.debian.org/haskell-team/tools/-/tree/master/binnmus
cu
Adrian
[1] think of it like glibc and OpenSSL shipped with gcc
and statically linked into all applications
Reply to: