Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

Simon Josefsson writes: >> > My naive approach on how to fix a security problem in package X >> > which is >> > statically embedded into other packages A, B, C, ... would be to >> > rebuild >> > the transitive closure of all packages that Build-Depends on X and >> > publish a security update for

Accepted open-coarrays 2.10.2+ds-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 09:28:13 + Source: open-coarrays Architecture: source Version: 2.10.2+ds-2 Distribution: unstable Urgency: medium Maintainer: Alastair McKinstry Changed-By: Alastair McKinstry Changes: open-coarrays

Accepted ros2-colcon-core 0.15.2-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 10:32:40 +0100 Source: ros2-colcon-core Architecture: source Version: 0.15.2-1 Distribution: unstable Urgency: medium Maintainer: Debian Robotics Team Changed-By: Timo Röhling Changes: ros2-colcon-core

Accepted kdiskmark 3.1.3+ds-4 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 12:41:28 +0100 Source: kdiskmark Architecture: source Version: 3.1.3+ds-4 Distribution: unstable Urgency: medium Maintainer: Dmitry Ilyich Sidorov Changed-By: Gürkan Myczko Closes: 1046455 1052266 Changes:

Accepted photoqt 4.2+ds-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 12:16:22 +0100 Source: photoqt Architecture: source Version: 4.2+ds-1 Distribution: unstable Urgency: medium Maintainer: Debian PhotoTools Maintainers Changed-By: Gürkan Myczko Changes: photoqt (4.2+ds-1)

Re: Proposal for how to deal with Go/Rust/etc security bugs

On 24/01/24 14:01, Luca Boccassi wrote: how does that work for those applications that require rust, go and friends? Are you proposing that everything that needs them should be be distributed by a flatpak or similar mechanism instead? Those applications are not shipped in the distribution. If

Accepted libsdl3 3~git20240124~a06ee5b+ds-1 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 13:02:27 + Source: libsdl3 Architecture: source Version: 3~git20240124~a06ee5b+ds-1 Distribution: experimental Urgency: medium Maintainer: Debian SDL packages maintainers Changed-By: Simon McVittie Changes:

Accepted mistral 17.0.0-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 18 Dec 2023 09:13:50 +0100 Source: mistral Architecture: source Version: 17.0.0-2 Distribution: unstable Urgency: medium Maintainer: Debian OpenStack Changed-By: Thomas Goirand Closes: 1058182 Changes: mistral (17.0.0-2)

Accepted aflplusplus 4.09c-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 14:33:34 +0100 Source: aflplusplus Architecture: source Version: 4.09c-1 Distribution: unstable Urgency: medium Maintainer: Debian Security Tools Changed-By: Sophie Brun Closes: 1053679 1061209 Changes:

Accepted knot 3.3.4-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 14:12:36 +0100 Source: knot Architecture: source Version: 3.3.4-1 Distribution: unstable Urgency: medium Maintainer: knot packagers Changed-By: Jakub Ružička Changes: knot (3.3.4-1) unstable; urgency=medium .

Accepted ostree 2024.1-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 10:21:50 + Source: ostree Architecture: source Version: 2024.1-1 Distribution: unstable Urgency: medium Maintainer: Utopia Maintenance Team Changed-By: Simon McVittie Changes: ostree (2024.1-1) unstable;

Accepted calamares 3.3.1-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 14:09:30 +0200 Source: calamares Architecture: source Version: 3.3.1-1 Distribution: unstable Urgency: medium Maintainer: Jonathan Carter Changed-By: Jonathan Carter Changes: calamares (3.3.1-1) unstable;

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

On Wed, 24 Jan 2024 at 12:26, Johannes Schauer Marin Rodrigues wrote: > > Hi, > > Quoting Luca Boccassi (2024-01-24 12:59:38) > > There's always option B: recognize that the Rust/Go ecosystems are not > > designed to be compatible with the Linux distributions model, and are > > instead > >

Accepted tanglet 1.6.5-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 20 Jan 2024 18:34:02 +0200 Source: tanglet Architecture: source Version: 1.6.5-1 Distribution: unstable Urgency: medium Maintainer: Debian Games Team Changed-By: Jonathan Carter Changes: tanglet (1.6.5-1) unstable;

Accepted imapfilter 1:2.8.2+1-0.1 (source amd64) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 23 Jan 2024 14:18:54 +0100 Source: imapfilter Binary: imapfilter imapfilter-dbgsym Architecture: source amd64 Version: 1:2.8.2+1-0.1 Distribution: unstable Urgency: medium Maintainer: Francesco Paolo Lovergine Changed-By:

Accepted gsoap 2.8.132-1 (source amd64 all) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 23 Jan 2024 11:10:40 +0100 Source: gsoap Binary: gsoap gsoap-dbgsym gsoap-doc libgsoap-2.8.132 libgsoap-2.8.132-dbgsym libgsoap-dev Architecture: source amd64 all Version: 2.8.132-1 Distribution: unstable Urgency: medium

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

On Wed, 24 Jan 2024 at 11:42, Simon Josefsson wrote: > > Simon Josefsson writes: > > >> > My naive approach on how to fix a security problem in package X > >> > which is > >> > statically embedded into other packages A, B, C, ... would be to > >> > rebuild > >> > the transitive closure of all

Accepted connectagram 1.3.5-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 14:22:26 +0200 Source: connectagram Architecture: source Version: 1.3.5-1 Distribution: unstable Urgency: medium Maintainer: Debian Games Team Changed-By: Jonathan Carter Changes: connectagram (1.3.5-1)

Accepted dpkg 1.22.4 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 13:12:31 +0100 Source: dpkg Architecture: source Version: 1.22.4 Distribution: unstable Urgency: medium Maintainer: Dpkg Developers Changed-By: Guillem Jover Closes: 1061404 Changes: dpkg (1.22.4) unstable;

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

Hi, Quoting Luca Boccassi (2024-01-24 12:59:38) > There's always option B: recognize that the Rust/Go ecosystems are not > designed to be compatible with the Linux distributions model, and are instead > designed to be as convenient as possible for a _single_ application developer > and its users

Re: Proposal for how to deal with Go/Rust/etc security bugs

On 24/01/24 5:59 pm, Simon Josefsson wrote: Does anyone know of a shared library in a Debian package written in Go? I've only encountered the vendored approach to ship Go libraries. libgovarnam1 is shipped as a shared library https://packages.debian.org/sid/amd64/libgovarnam1/filelist

Accepted bepasty 1.2.0-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 13:48:56 +0100 Source: bepasty Architecture: source Version: 1.2.0-3 Distribution: unstable Urgency: medium Maintainer: Elena Grandi Changed-By: Elena Grandi Closes: 968821 1061237 Changes: bepasty (1.2.0-3)

Bug#1061425: ITP: iamb -- Matrix chat client that uses Vim keybindings

Package: wnpp Severity: wishlist Owner: Jonas Smedegaard X-Debbugs-Cc: debian-devel@lists.debian.org -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 * Package name: iamb Version : 0.0.8 Upstream Contact: Ulyssa * URL : https://iamb.chat/ * License :

Re: Proposal for how to deal with Go/Rust/etc security bugs

Luca Boccassi writes: >> Having reflected a bit, and learned through my own experience and >> others' insights [1] that Go Build-Depends are not transitive, I'd like >> to update my proposal on how to handle a security bug in any Go/Rust/etc >> package and the resulting package rebuilds: > >

Accepted pg-stat-kcache 2.2.3-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 17:29:41 +0800 Source: pg-stat-kcache Architecture: source Version: 2.2.3-1 Distribution: unstable Urgency: medium Maintainer: Julien Rouhaud Changed-By: Julien Rouhaud Changes: pg-stat-kcache (2.2.3-1)

Accepted gnome-shell-extension-dash-to-panel 60-1~exp1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 14:49:30 +0200 Source: gnome-shell-extension-dash-to-panel Architecture: source Version: 60-1~exp1 Distribution: unstable Urgency: medium Maintainer: Jonathan Carter Changed-By: Jonathan Carter Changes:

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

On 2024-01-24 13:26:49 +0100 (+0100), Johannes Schauer Marin Rodrigues wrote: [...] > how does that work for those applications that require rust, go > and friends? Are you proposing that everything that needs them > should be be distributed by a flatpak or similar mechanism > instead? > > Just a

Accepted debconf 1.5.84 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 16:20:13 + Source: debconf Architecture: source Version: 1.5.84 Distribution: unstable Urgency: medium Maintainer: Debconf Developers Changed-By: Colin Watson Closes: 304572 682508 754123 797071 1039068

Accepted fastml 3.11-4 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 17:23:21 +0100 Source: fastml Architecture: source Version: 3.11-4 Distribution: unstable Urgency: medium Maintainer: Debian Med Packaging Team Changed-By: Andreas Tille Closes: 1044832 Changes: fastml (3.11-4)

Accepted golang-github-secure-systems-lab-go-securesystemslib 0.8.0-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 16:19:37 +0100 Source: golang-github-secure-systems-lab-go-securesystemslib Architecture: source Version: 0.8.0-2 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team Changed-By: Simon

Accepted camlidl 1.12-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 15:25:08 +0100 Source: camlidl Architecture: source Version: 1.12-1 Distribution: unstable Urgency: medium Maintainer: Debian OCaml Maintainers Changed-By: Stéphane Glondu Changes: camlidl (1.12-1) unstable;

Accepted ocaml-obuild 0.1.11-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 15:48:21 +0100 Source: ocaml-obuild Architecture: source Version: 0.1.11-1 Distribution: unstable Urgency: medium Maintainer: Debian OCaml Maintainers Changed-By: Stéphane Glondu Changes: ocaml-obuild (0.1.11-1)

Re: Proposal for how to deal with Go/Rust/etc security bugs

Luca Boccassi writes: > On Wed, 24 Jan 2024 at 13:34, Simon Josefsson wrote: >> >> Luca Boccassi writes: >> >> >> Having reflected a bit, and learned through my own experience and >> >> others' insights [1] that Go Build-Depends are not transitive, I'd like >> >> to update my proposal on how

Accepted golang-github-sigstore-sigstore 1.8.0-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 16:25:37 +0100 Source: golang-github-sigstore-sigstore Architecture: source Version: 1.8.0-2 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team Changed-By: Simon Josefsson Changes:

Bug#1061446: ITP: cosign -- Code signing and transparency for containers and binaries

Package: wnpp Severity: wishlist Owner: Simon Josefsson * Package name: cosign Version : 2.2.2-1 Upstream Author : The Sigstore Authors * URL : https://github.com/sigstore/cosign * License : Apache-2.0 Programming Lang: Go Description : Code signing

Re: Proposal for how to deal with Go/Rust/etc security bugs

On Wed, 24 Jan 2024 at 13:34, Simon Josefsson wrote: > > Luca Boccassi writes: > > >> Having reflected a bit, and learned through my own experience and > >> others' insights [1] that Go Build-Depends are not transitive, I'd like > >> to update my proposal on how to handle a security bug in any

Accepted fwupd 1.9.12-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 06:56:42 -0600 Source: fwupd Built-For-Profiles: noudeb Architecture: source Version: 1.9.12-1 Distribution: unstable Urgency: medium Maintainer: Debian EFI Changed-By: Mario Limonciello Closes: 1059606 1060577

Accepted dblatex 0.3.12py3-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 18:51:13 +0100 Source: dblatex Architecture: source Version: 0.3.12py3-3 Distribution: unstable Urgency: medium Maintainer: Debian QA Group Changed-By: Matthias Klose Closes: 1033547 1061320 Changes: dblatex

Accepted audit 1:3.1.2-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 16:05:18 +0100 Source: audit Architecture: source Version: 1:3.1.2-2 Distribution: unstable Urgency: medium Maintainer: Laurent Bigonville Changed-By: Laurent Bigonville Closes: 1060167 Changes: audit

Accepted thermald 2.5.6-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 18:14:22 + Source: thermald Architecture: source Version: 2.5.6-1 Distribution: unstable Urgency: medium Maintainer: Colin Ian King Changed-By: Colin Ian King Changes: thermald (2.5.6-1) unstable;

Accepted sdl2-compat 2.28.50~git20240124~35695bd+ds-1 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 13:51:16 + Source: sdl2-compat Architecture: source Version: 2.28.50~git20240124~35695bd+ds-1 Distribution: experimental Urgency: medium Maintainer: Debian SDL packages maintainers Changed-By: Simon McVittie

Accepted python-httpretty 1.1.4-4 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 14:24:18 +0100 Source: python-httpretty Architecture: source Version: 1.1.4-4 Distribution: unstable Urgency: medium Maintainer: Debian OpenStack Changed-By: Thomas Goirand Closes: 1060686 Changes:

Accepted photoqt 4.2+ds-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 14:58:36 +0100 Source: photoqt Architecture: source Version: 4.2+ds-2 Distribution: unstable Urgency: medium Maintainer: Debian PhotoTools Maintainers Changed-By: Gürkan Myczko Changes: photoqt (4.2+ds-2)

Accepted serd 0.32.2-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 17:38:42 +0100 Source: serd Architecture: source Version: 0.32.2-1 Distribution: unstable Urgency: medium Maintainer: Debian Multimedia Maintainers Changed-By: Dennis Braun Changes: serd (0.32.2-1) unstable;

Accepted foliate 4.~really3.1.0-0.1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 10:18:35 -0500 Source: foliate Built-For-Profiles: noudeb Architecture: source Version: 4.~really3.1.0-0.1 Distribution: unstable Urgency: medium Maintainer: Jonathan Carter Changed-By: Jeremy Bícha Closes:

Accepted mozjs115 115.7.0-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 08:51:19 -0500 Source: mozjs115 Built-For-Profiles: noudeb Architecture: source Version: 115.7.0-2 Distribution: unstable Urgency: medium Maintainer: Debian GNOME Maintainers Changed-By: Jeremy Bícha Changes:

Accepted itcl4 4.2.4-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 17:50:06 +0300 Source: itcl4 Architecture: source Version: 4.2.4-1 Distribution: unstable Urgency: medium Maintainer: Debian Tcl/Tk Packagers Changed-By: Sergei Golovan Changes: itcl4 (4.2.4-1) unstable;

Accepted alire 1.2.1-1.1 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 09:09:55 +0100 Source: alire Architecture: source Version: 1.2.1-1.1 Distribution: experimental Urgency: medium Maintainer: Stephane Carrez Changed-By: Nicolas Boulenguez Changes: alire (1.2.1-1.1) experimental;

Accepted fwupd 1.9.12-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 11:25:54 -0600 Source: fwupd Built-For-Profiles: noudeb Architecture: source Version: 1.9.12-2 Distribution: unstable Urgency: medium Maintainer: Debian EFI Changed-By: Mario Limonciello Changes: fwupd

Accepted cctbx 2023.12+ds2+~3.17.0+ds1-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 02:13:56 -0500 Source: cctbx Architecture: source Version: 2023.12+ds2+~3.17.0+ds1-3 Distribution: unstable Urgency: medium Maintainer: Debian Science Maintainers Changed-By: Andrius Merkys Closes: 1061405

Accepted rust-shlex 1.3.0-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 09:54:02 + Source: rust-shlex Architecture: source Version: 1.3.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers Changed-By: Alexander Kjäll Changes: rust-shlex (1.3.0-1)

Accepted promod3 3.4.0+ds-1~exp (source amd64 all) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 22 Jan 2024 02:43:58 -0500 Source: promod3 Binary: libpromod3-core-dev libpromod3-core3.4 libpromod3-core3.4-dbgsym libpromod3-loop-dev libpromod3-loop3.4 libpromod3-loop3.4-dbgsym libpromod3-modelling-dev

Accepted gh 2.42.1-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 23 Jan 2024 18:54:24 -0700 Source: gh Architecture: source Version: 2.42.1-1 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team Changed-By: Anthony Fok Changes: gh (2.42.1-1) unstable;

Accepted openjdk-21 21.0.2+13-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 09:11:26 +0100 Source: openjdk-21 Architecture: source Version: 21.0.2+13-2 Distribution: unstable Urgency: medium Maintainer: OpenJDK Team Changed-By: Matthias Klose Closes: 1057500 1057508 1057519 Changes:

Accepted python-jsonpath-rw-ext 1.2.2-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 08:42:11 +0100 Source: python-jsonpath-rw-ext Architecture: source Version: 1.2.2-3 Distribution: unstable Urgency: medium Maintainer: Debian OpenStack Changed-By: Thomas Goirand Changes: python-jsonpath-rw-ext

Accepted bacula 13.0.3-1~exp+1 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 08:42:39 +0100 Source: bacula Architecture: source Version: 13.0.3-1~exp+1 Distribution: experimental Urgency: medium Maintainer: Debian Bacula Team Changed-By: Carsten Leonhardt Closes: 997831 1009012 Changes:

Accepted nextcloud-spreed-signaling 1.2.2-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 10:12:19 +0100 Source: nextcloud-spreed-signaling Architecture: source Version: 1.2.2-3 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team Changed-By: Mike Gabriel Closes: 1060286

Accepted mstflint 4.26.0+1-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 10:52:47 +0200 Source: mstflint Architecture: source Version: 4.26.0+1-1 Distribution: sid Urgency: medium Maintainer: Debian HPC Team Changed-By: Tzafrir Cohen Changes: mstflint (4.26.0+1-1) unstable;

Accepted golang-github-google-go-pkcs11 0.3.0+dfsg-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 10:54:53 +0100 Source: golang-github-google-go-pkcs11 Architecture: source Version: 0.3.0+dfsg-2 Distribution: unstable Urgency: medium Maintainer: Debian Go Packaging Team Changed-By: Drew Parsons Closes:

Accepted dt-schema 2023.11-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 10:58:30 +0100 Source: dt-schema Architecture: source Version: 2023.11-2 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Agathe Porte Changes: dt-schema (2023.11-2) unstable;

Accepted nb2plots 0.7.2-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 02:51:08 -0500 Source: nb2plots Architecture: source Version: 0.7.2-1 Distribution: unstable Urgency: medium Maintainer: Sandro Tosi Changed-By: Sandro Tosi Closes: 1035181 1036519 1053999 Changes: nb2plots

Re: Proposal for how to deal with Go/Rust/etc security bugs

On 24/01/24 2:07 pm, Simon Josefsson wrote: Yes, for a low-level Go package (e.g., golang-golang-x-net-dev), this will mean rebuilding almost all of the Go packages in Debian and publish them in a security advisory. This algorithm can be optimized (i.e., reduce the number of packages to

Accepted glib2.0 2.79.0+git20240119~62ee8bf6-1 (all amd64 source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 20 Jan 2024 17:20:24 + Binary: gir1.2-girepository-3.0 gir1.2-girepository-3.0-dev gir1.2-glib-2.0 gir1.2-glib-2.0-dev libgirepository-2.0-0 libgirepository-2.0-0-dbgsym libgirepository-2.0-dev libglib2.0-0

Accepted poco 1.13.0-1 (source amd64) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 23 Jan 2024 18:53:33 + Source: poco Binary: libpoco-dev libpocoactiverecord100 libpocoactiverecord100-dbgsym libpococrypto100 libpococrypto100-dbgsym libpocodata100 libpocodata100-dbgsym libpocodatamysql100

Accepted gcc-13 13.2.0-11 (source all amd64) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 23 Jan 2024 22:00:03 +0100 Source: gcc-13 Binary: cpp-13 cpp-13-for-build cpp-13-for-host cpp-13-x86-64-linux-gnu cpp-13-x86-64-linux-gnu-dbgsym g++-13 g++-13-for-build g++-13-for-host g++-13-multilib g++-13-x86-64-linux-gnu

Accepted python-goodvibes 3.2+dfsg-1 (source all) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 17 Jan 2024 12:00:00 + Source: python-goodvibes Binary: python3-goodvibes Architecture: source all Version: 3.2+dfsg-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Yogeswaran Umasankar

Accepted ace 7.1.3+dfsg-1 (source amd64 all) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 22 Jan 2024 11:28:32 + Source: ace Binary: ace-gperf ace-gperf-dbgsym ace-netsvcs ace-netsvcs-dbgsym libace-7.1.3 libace-7.1.3-dbgsym libace-dev libace-doc libace-flreactor-7.1.3 libace-flreactor-7.1.3-dbgsym

Accepted r-cran-nanoarrow 0.3.0.1-1 (source amd64) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 08 Jan 2024 18:54:43 +0100 Source: r-cran-nanoarrow Binary: r-cran-nanoarrow r-cran-nanoarrow-dbgsym Architecture: source amd64 Version: 0.3.0.1-1 Distribution: unstable Urgency: medium Maintainer: Debian R Packages

Accepted python-czt 0.0.7-1 (source all) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Jan 2024 12:30:00 + Source: python-czt Binary: python3-czt Architecture: source all Version: 0.0.7-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Yogeswaran Umasankar Description:

Accepted rust-associative-cache 2.0.0-1 (amd64 source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 22 Jan 2024 11:54:45 CET Source: rust-associative-cache Binary: librust-associative-cache-dev Architecture: amd64 source Version: 2.0.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers Changed-By:

Accepted rust-hickory-client 0.24.0-1 (amd64 source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Jan 2024 14:45:36 CET Source: rust-hickory-client Binary: librust-hickory-client-dev Architecture: amd64 source Version: 0.24.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers Changed-By:

Accepted rust-hickory-resolver 0.24.0-1 (amd64 source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 19 Jan 2024 15:46:55 CET Source: rust-hickory-resolver Binary: librust-hickory-resolver-dev Architecture: amd64 source Version: 0.24.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers Changed-By:

Accepted lfortran 0.30.0-1 (source arm64) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 23 Jan 2024 16:10:25 + Source: lfortran Binary: lfortran lfortran-dbgsym liblfortran-dev liblfortran-runtime0 liblfortran-runtime0-dbgsym Architecture: source arm64 Version: 0.30.0-1 Distribution: experimental Urgency:

Accepted golang-github-google-s2a-go 0.1.7-1 (source all) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 23 Jan 2024 17:42:40 +0100 Source: golang-github-google-s2a-go Binary: golang-github-google-s2a-go-dev Architecture: source all Version: 0.1.7-1 Distribution: experimental Urgency: medium Maintainer: Debian Go Packaging Team

Accepted golang-github-spiffe-go-spiffe 2.1.7-1 (source all) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Fri, 19 Jan 2024 00:13:44 +0100 Source: golang-github-spiffe-go-spiffe Binary: golang-github-spiffe-go-spiffe-dev Architecture: source all Version: 2.1.7-1 Distribution: experimental Urgency: medium Maintainer: Debian Go Packaging

Re: build profile proposal: nogir (second try)

As Johannes mentioned earlier in this thread, the first piece of practical advice on nogir should be: if you don't know that you need to use it, then perhaps you shouldn't. It's primarily aimed at breaking cycles, and enabling buildability in lower-level packages during bootstrapping. (Having

Accepted giara 1.1.0-0.1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 16:00:02 -0500 Source: giara Built-For-Profiles: noudeb Architecture: source Version: 1.1.0-0.1 Distribution: unstable Urgency: medium Maintainer: Federico Ceratto Changed-By: Jeremy Bícha Closes: 1036626 1051091

Accepted systemd 255.3-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 20:03:15 + Source: systemd Architecture: source Version: 255.3-1 Distribution: sid Urgency: medium Maintainer: Debian systemd Maintainers Changed-By: Luca Boccassi Changes: systemd (255.3-1) sid;

Accepted qt6-tools 6.6.1-3 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 22:09:32 +0100 Source: qt6-tools Architecture: source Version: 6.6.1-3 Distribution: experimental Urgency: medium Maintainer: Debian Qt/KDE Maintainers Changed-By: Patrick Franz Changes: qt6-tools (6.6.1-3)

Accepted unattended-upgrades 2.9.1+nmu4 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 22 Jan 2024 16:11:59 -0400 Source: unattended-upgrades Architecture: source Version: 2.9.1+nmu4 Distribution: unstable Urgency: medium Maintainer: Michael Vogt Changed-By: Stefano Rivera Closes: 1058172 Changes:

Accepted urwid 2.4.6-0.1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 19:22:01 +0100 Source: urwid Architecture: source Version: 2.4.6-0.1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Matthias Klose Changes: urwid (2.4.6-0.1) unstable;

Accepted markdown-callouts 0.4.0-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 20:20:57 +0100 Source: markdown-callouts Architecture: source Version: 0.4.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Carsten Schoenert Changes: markdown-callouts

static linking, modularity, and community (was: Proposal for how to deal with Go/Rust/etc security bugs)

[follow-ups should probably go to -project, but I'm not setting my headers to try to force that] At 2024-01-24T16:57:06+0100, Simon Josefsson wrote: > One could equally well make the argument that distributors should care > about the Go/Rust ecosystems, and make whatever changes needed in > order

Accepted xpdf 3.04+git20240124-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 21:19:03 +0100 Source: xpdf Architecture: source Version: 3.04+git20240124-1 Distribution: unstable Urgency: medium Maintainer: Florian Schlichting Changed-By: Florian Schlichting Closes: 1061423 Changes: xpdf

Accepted gtk+2.0 2.24.33-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 16:02:45 -0500 Source: gtk+2.0 Built-For-Profiles: noudeb Architecture: source Version: 2.24.33-3 Distribution: unstable Urgency: medium Maintainer: Debian GNOME Maintainers Changed-By: Jeremy Bícha Changes:

Accepted usb.ids 2024.01.20-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 21:30:29 +0100 Source: usb.ids Architecture: source Version: 2024.01.20-1 Distribution: unstable Urgency: medium Maintainer: Aurelien Jarno Changed-By: Aurelien Jarno Changes: usb.ids (2024.01.20-1) unstable;

Re: build profile proposal: nogir (second try)

On Wed, Jan 24, 2024 at 06:30:02PM +, Alberto Garcia wrote: > - Are packages that ship gobject-introspection files supposed to have >in the relevant build dependencies (gir1.2-*-dev, > gobject-introspection ?), or is the build profile handling this > automatically? This is not

Re: Proposal for how to deal with Go/Rust/etc security bugs (was: Re: Limited security support for Go/Rust? Re ssh3)

On Jan 24, Peter Pentchev wrote: > This might be a minority, optimistic, rose-tinted-glasses kind of > opinion, but I believe that the state of the Rust ecosystem today > (I have no experience with the Go one) is quite similar to what Perl and > Python modules were 25, 20, bah, even 15 years

Accepted glib2.0 2.79.1-1 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 20:11:26 + Source: glib2.0 Architecture: source Version: 2.79.1-1 Distribution: experimental Urgency: medium Maintainer: Debian GNOME Maintainers Changed-By: Simon McVittie Changes: glib2.0 (2.79.1-1)

Re: build profile proposal: nogir (second try)

On Wed, Jan 17, 2024 at 10:00:35PM +, Simon McVittie wrote: > Here is the draft text that I added to the GObject-Introspection > mini-policy in 1.78.1-11: Hi, thanks for the explanation. A couple of questions about this: - Are packages that ship gobject-introspection files supposed to have

Accepted fwupd 1.9.12-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 12:32:54 -0600 Source: fwupd Built-For-Profiles: noudeb Architecture: source Version: 1.9.12-3 Distribution: unstable Urgency: medium Maintainer: Debian EFI Changed-By: Mario Limonciello Changes: fwupd

Accepted flask-limiter 3.5.0-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 20:47:38 +0100 Source: flask-limiter Architecture: source Version: 3.5.0-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Carsten Schoenert Closes: 1019747 Changes:

Accepted sip6 6.8.2+dfsg-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 22:46:52 +0300 Source: sip6 Architecture: source Version: 6.8.2+dfsg-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Dmitry Shachnev Changes: sip6 (6.8.2+dfsg-1) unstable;

Accepted rust-ntp-proto 1.1.1-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 20:39:04 +0100 Source: rust-ntp-proto Architecture: source Version: 1.1.1-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers Changed-By: Sylvestre Ledru Changes: rust-ntp-proto

Accepted python-webdavclient 3.14.6-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 22:31:29 +0100 Source: python-webdavclient Architecture: source Version: 3.14.6-2 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Alexandre Detiste Changes: python-webdavclient

Accepted django-maintenancemode 0.11.7+git221001-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 13:24:05 -0500 Source: django-maintenancemode Architecture: source Version: 0.11.7+git221001-3 Distribution: unstable Urgency: medium Maintainer: Debian QA Group Changed-By: Scott Kitterman Closes: 1044286

Accepted libselinux 3.5-2 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 21:23:37 +0100 Source: libselinux Architecture: source Version: 3.5-2 Distribution: unstable Urgency: medium Maintainer: Debian SELinux maintainers Changed-By: Laurent Bigonville Closes: 914247 1029095 Changes:

Accepted firehol 3.1.7+ds-3 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 21:34:39 + Source: firehol Architecture: source Version: 3.1.7+ds-3 Distribution: unstable Urgency: medium Maintainer: Jerome Benoit Changed-By: Jerome Benoit Closes: 309198 536362 976014 993322 1050664

Accepted onionshare 2.6-6 (source) into experimental

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 24 Jan 2024 22:33:15 +0100 Source: onionshare Architecture: source Version: 2.6-6 Distribution: experimental Urgency: medium Maintainer: Debian Privacy Tools Maintainers Changed-By: Sandro Knauß Closes: 1061360 Changes:

Accepted bpftrace 0.20.0-1 (source) into unstable

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 24 Jan 2024 22:50:01 +0100 Source: bpftrace Architecture: source Version: 0.20.0-1 Distribution: unstable Urgency: medium Maintainer: Vincent Bernat Changed-By: Vincent Bernat Changes: bpftrace (0.20.0-1) unstable;

  1   2   >