Hi Security team, We stumbled upon golang...
On 12-01-2023 16:50, Shengjing Zhu wrote:
But this bug report triggered me: did the golang security situation already improved during this release cycle. I may be misremembering, but I recall the problems on the security archive side haven't been fixed, have they?For some reference, I did several security updates for golang-1.15 for bullseye, but we didn't rebuild other packages. These security updates are not urgent enough anyway. And others also update some Go packages for bullseye. In general, we just do the usual update for stable release. As for the security archive, IIRC, for bullseye, the security team did need to ask ftp-master to copy some individual packages manually. I'm not sure how it is going now. But given the low update frequency I overseved for bullseye, probably that works.
Do you agree with this view for bookworm? I know you want the situation improved, but as far as I am aware nobody (from either side) has been pushing this forward so it feels a bit late to make this blocking.
Paul
OpenPGP_signature
Description: OpenPGP digital signature
