Bug#990825: [pre-approval] unblock: golang-1.15/1.15.9-6

[Paul Wise <pabs@debian.org>]

On Tue, Jul 13, 2021 at 6:12 AM Shengjing Zhu wrote:

> Sadly the std library are statically embedded in all packages built by Go compiler.
> So if there's security issue in std library, bunch of packages need to be rebuild.
>
> It may be possible to disassemble all Go binaries to see how many std libraries
> are embedded, but currently we don't have such tool to go through all unpacked binary
> packages.

An alternative more brute-force approach might be to rebuild all
packages locally twice, once without the patched std library and once
with the patched std library, then use diffoscope to compare the
binaries and if there are any changes then request a binNMU for the
package. Packages that don't use the crypto library should not have it
linked in and should see no changes after rebuilding with the patch.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise