
Re: security updates of Golang packages



Hi Thorsten,

[I'm not one of the acting Stable Release Managers, but nevertheless]

On 24-04-2022 13:46, Thorsten Alteholz wrote:
> I would like to improve the situation of security support for Golang packages (as already criticised a long time ago[1]).

Great.

> Uploads to Unstable should be no problem, but how would you like to handle stable/oldstable updates for CVEs that are marked as no-dsa from the security team?

If I understand correctly, if this is only about rebuilds, just request a binNMU with the usual process (reportbug recommended). Your link [1] points at the issues we have with security support *via the security archive*. Regular point releases are not ideal due to the amount that needs rebuilding, but less of an issue.

> For example the fix of CVE-2021-42836 in golang-github-tidwall-gjson for Bullseye requires eight uploads of reverse dependencies. Do you want to handle each of them with different PU-bugs?

I think plain binNMU bugs (with the right tag, such that they show up in the tools of the SRM) will do just fine. One per source please in this case, but if the amount of packages grows, maybe confirm again with SRM.

[1] https://lists.debian.org/debian-release/2018/06/msg00725.html

Paul
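The reason a fix in golang-github-tidwall-gjson needs uploads of its reverse dependencies is that Go binaries are statically linked: the fixed -dev package only ships source, and every source package that build-depends on it (directly, or through another Go library that does) must be rebuilt before stable users get the patched code. The script below is an added illustration of how that rebuild list is derived, not code from the thread or from any Debian tool. It parses a constructed Sources-style index (the stanzas are made up except for the gjson/sjson names, and are not the real bullseye index), extracts package names from Build-Depends (dropping version, architecture and profile qualifiers, and treating alternatives as all matching), and walks the transitive closure of reverse build-dependencies. Against the real archive, `build-rdeps` from devscripts does the lookup; here the index is embedded so the example runs offline.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a Debian "Sources" index in deb822 format.
# Only the tidwall package names are real; the "example-*" sources are
# invented for illustration and the field contents are not from the archive.
SAMPLE_SOURCES = """\
Package: golang-github-tidwall-gjson
Binary: golang-github-tidwall-gjson-dev
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any,
 golang-github-tidwall-match-dev, golang-github-tidwall-pretty-dev

Package: golang-github-tidwall-sjson
Binary: golang-github-tidwall-sjson-dev
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any,
 golang-github-tidwall-gjson-dev (>= 1.6),
 golang-github-tidwall-pretty-dev

Package: example-json-tool
Binary: example-json-tool
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any [linux-any],
 golang-github-tidwall-sjson-dev | golang-github-tidwall-gjson-dev

Package: example-log-shipper
Binary: example-log-shipper, example-log-shipper-doc
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any,
 golang-github-tidwall-gjson-dev <!nocheck>, golang-github-pkg-errors-dev

Package: example-unrelated
Binary: example-unrelated
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any,
 golang-github-pkg-errors-dev
"""


def parse_sources(text: str) -> List[Dict[str, str]]:
    """Split deb822 text into stanzas; continuation lines (leading space)
    are folded into the preceding field."""
    stanzas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            cur[last] += " " + line.strip()
            continue
        key, _, val = line.partition(":")
        last = key.strip()
        cur[last] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


# A package name is the first token of each alternative; anything after it
# (version "(...)", arch "[...]", build profile "<...>", ":any") is ignored.
_NAME = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]*)")


def dep_names(field: str) -> Set[str]:
    """Package names mentioned in a Build-Depends style field. Alternatives
    (a | b) all count: if either could satisfy the build, the binary may
    have been built against the affected library."""
    names: Set[str] = set()
    for clause in field.split(","):
        for alt in clause.split("|"):
            m = _NAME.match(alt)
            if m:
                names.add(m.group(1))
    return names


def rebuild_set(stanzas: List[Dict[str, str]], fixed_source: str) -> List[str]:
    """Source packages that must be rebuilt (binNMU'd) after fixed_source is
    updated: every source whose build-dependencies reach the fixed library,
    including through intermediate Go libraries."""
    binaries_of = {
        s["Package"]: {b.strip() for b in s.get("Binary", "").split(",") if b.strip()}
        for s in stanzas
    }
    bdeps_of = {
        s["Package"]: dep_names(s.get("Build-Depends", ""))
        | dep_names(s.get("Build-Depends-Indep", ""))
        for s in stanzas
    }
    tainted = set(binaries_of.get(fixed_source, set()))  # binaries carrying the fix
    needs_rebuild: Set[str] = set()
    changed = True
    while changed:  # iterate to a fixed point for transitive reverse deps
        changed = False
        for src, deps in bdeps_of.items():
            if src == fixed_source or src in needs_rebuild:
                continue
            if deps & tainted:
                needs_rebuild.add(src)
                tainted |= binaries_of[src]  # its own -dev output now embeds the fix
                changed = True
    return sorted(needs_rebuild)


if __name__ == "__main__":
    for src in rebuild_set(parse_sources(SAMPLE_SOURCES), "golang-github-tidwall-gjson"):
        print("binNMU needed:", src)
```

Note that example-json-tool is picked up only through golang-github-tidwall-sjson (and the alternative clause); a direct-only reverse-dependency lookup would miss it, which is exactly the kind of omission that leaves a stale copy of the vulnerable code in a stable binary.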
