
Bug#990825: [pre-approval] unblock: golang-1.15/1.15.9-6



On Wed, Jul 14, 2021 at 03:13:13AM +0000, Paul Wise wrote:
> On Tue, Jul 13, 2021 at 6:12 AM Shengjing Zhu wrote:
> 
> > Sadly the std library is statically embedded in all packages built by the Go compiler.
> > So if there's a security issue in the std library, a bunch of packages need to be rebuilt.
> >
> > It may be possible to disassemble all Go binaries to see how many std libraries
> > are embedded, but currently we don't have such a tool to go through all unpacked binary
> > packages.
> 
> An alternative more brute-force approach might be to rebuild all
> packages locally twice, once without the patched std library and once
> with the patched std library, then use diffoscope to compare the
> binaries and if there are any changes then request a binNMU for the
> package. Packages that don't use the crypto library should not have it
> linked in and should see no changes after rebuilding with the patch.

That feels like over-engineering/energy-wasting.

But if someone can offer the compute resource, I can offer some time to write
the scripts to do the work.
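
Added example (not part of the original thread and not a Debian or Go project tool): one way to see which packages, std library included, are statically linked into a Go ELF binary without disassembling it is to read the function table in its pclntab section with Go's debug/gosym package. The helper name `linkedPackages`, the fallback section name and the command-line usage are assumptions of this example.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
)

// linkedPackages returns the set of packages owning at least one function in
// the Go ELF binary at path, read from the function table in its pclntab.
func linkedPackages(path string) (map[string]bool, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	pcln := f.Section(".gopclntab")
	if pcln == nil { // assumption: PIE builds use the relro-prefixed name
		pcln = f.Section(".data.rel.ro.gopclntab")
	}
	text := f.Section(".text")
	if pcln == nil || text == nil {
		return nil, fmt.Errorf("%s: no Go pclntab found", path)
	}
	data, err := pcln.Data()
	if err != nil {
		return nil, err
	}
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for i := range tab.Funcs {
		if pkg := tab.Funcs[i].PackageName(); pkg != "" {
			seen[pkg] = true
		}
	}
	return seen, nil
}

// main prints the linked package set for each binary named on the command line.
func main() {
	for _, p := range os.Args[1:] {
		pkgs, err := linkedPackages(p)
		fmt.Println(p, err, pkgs)
	}
}
```

A package whose functions were all inlined into their callers has no entry of its own in this table, so a missing name is weaker evidence than a present one.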

