Hi,

On Sun, Apr 24, 2022 at 8:12 PM Shengjing Zhu <[email protected]> wrote:
>
> Hi,
>
> On Sun, Apr 24, 2022 at 7:30 PM Thorsten Alteholz <[email protected]> wrote:
> >
> > Hi everybody,
> >
> > some time ago, before the release of Buster, the Release Team and the
> > Security Team criticized the missing tooling for security updates of Golang
> > packages[1].
> > I would like to improve the situation here and try to develop some scripts
> > to automatically rebuild/upload affected packages (they are basically
> > based on the reverse dependencies detected by ratt). So I hope you don't
> > mind if I upload seemingly random packages. The corresponding changelog
> > entry should explain what CVE triggered the upload.
> > If you notice a missing or a superfluous upload, please don't hesitate to
> > tell me.
> >
>
> Do you want to
> 1. Rebuild package to carry fixed CVE in dependencies
> 2. Fix CVE in library and then go through 1
>
> For 1, I think you don't need to use the Build-Depends field which is
> used by ratt, or build-rdeps tool.
> We use Built-Using field, which records the statically linked package. (We
> will move to a new field called Static-Built-Using, but it hasn't
> happened yet).
>
> For 1, do you want to no-change rebuild upload like Ubuntu, or do you
> want to give a list of packages to Release Team to schedule binNMU?
>
Forgot to mention that if you want to do binNMU, there are problems to do
it on security-master. IIRC, it's because security-master doesn't have all
the source tarballs. And this needs ftp-master to help. I heard that for
bullseye, ftp-master will copy all source tarballs to security-master by
hand. But I also heard that the server for security-master lacks disk
space. I'm not sure what's the current situation.

> For 2, I think it's just like normal team upload, it's not special for
> security fix or not. Please just go ahead.
>
> And thanks for doing this!

-- 
Shengjing Zhu
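The point made above, that for statically linked Go binaries the rebuild list comes from the Built-Using field rather than Build-Depends, can be checked against a Packages index directly. The script below is an added example, not code from this thread or from Debian's own tooling (ratt, build-rdeps): it parses control-file stanzas in the Packages format and lists every binary package whose Built-Using or Static-Built-Using field names a given source package, which is the set of packages that needs a rebuild once that source carries a CVE fix. The sample index is constructed for illustration, and it is an assumption that Static-Built-Using uses the same "source (= version)" syntax as Built-Using.

```python
"""List binary packages that statically embed a given Go source package.

Added example (not code from the thread or from Debian's tooling). It reads
Debian control-file stanzas in the Packages index format and reports every
binary package whose Built-Using / Static-Built-Using field names the
source package that carries a CVE fix. The sample index below is
constructed for illustration only.
"""
import re
from typing import Dict, Iterator, List

# Fields that record statically linked source packages. Static-Built-Using
# is the planned replacement mentioned in the thread; assumed to share the
# "source (= version)" syntax of Built-Using.
BUILT_USING_FIELDS = ("Built-Using", "Static-Built-Using")

# Constructed sample Packages index; names and versions are illustrative.
SAMPLE_PACKAGES = """\
Package: rclone
Version: 1.53.3-1+b2
Architecture: amd64
Built-Using: golang-github-pkg-errors (= 0.9.1-1),
 golang-golang-x-crypto (= 1:0.0~git20201221.eec23a3-1)

Package: golang-github-pkg-errors-dev
Version: 0.9.1-1
Architecture: all

Package: hugo
Version: 0.80.0-6
Architecture: amd64
Static-Built-Using: golang-golang-x-crypto (= 1:0.0~git20201221.eec23a3-1)

Package: dh-golang
Version: 1.51
Architecture: all
"""


def parse_stanzas(text: str) -> Iterator[Dict[str, str]]:
    """Yield each blank-line separated stanza as a field -> value dict.

    Continuation lines (leading whitespace) are joined onto the field that
    precedes them, as in the control-file format.
    """
    stanza: Dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            stanza[last_field] += " " + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        stanza[last_field] = value.strip()
    if stanza:
        yield stanza


def built_using_sources(stanza: Dict[str, str]) -> Dict[str, str]:
    """Return {source_package: version} recorded in the Built-Using fields."""
    sources: Dict[str, str] = {}
    for field in BUILT_USING_FIELDS:
        for entry in stanza.get(field, "").split(","):
            m = re.match(r"\s*(\S+)\s*\(=\s*([^)]+)\)", entry)
            if m:
                sources[m.group(1)] = m.group(2).strip()
    return sources


def reverse_built_using(packages_text: str, source: str) -> List[str]:
    """Binary packages that embed `source`: the list to rebuild/upload."""
    hits = []
    for stanza in parse_stanzas(packages_text):
        if source in built_using_sources(stanza):
            hits.append(stanza["Package"])
    return sorted(hits)


if __name__ == "__main__":
    for src in ("golang-golang-x-crypto", "golang-github-pkg-errors"):
        print(src, "->", reverse_built_using(SAMPLE_PACKAGES, src))
```

Note that golang-github-pkg-errors-dev itself does not appear in the result: the -dev package only ships source and needs no rebuild, whereas the binaries that embedded the old code (rclone, hugo) do. Run against a real Packages index, the same lookup gives the rebuild set without consulting Build-Depends at all.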
