Hi Holger, On Wed, Feb 06, 2019 at 11:24:34PM +0000, Holger Levsen wrote: > Dear golang maintainers and security team, > > this came up on the LTS mailing list... > > On Wed, Feb 06, 2019 at 11:42:12PM +0100, Chris Lamb wrote: > > > all golang Debian packages are (as elsewhere) statically compiled > > > and linked so we'd need to rebuild all the rdeps > > Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones > > that use this library? > > how was this handled for DSA-4379 and 4380?
The point we discussed with Tobias Quathamer was boiling down to: > But if there are any Go-based applications in stretch which are affected by > the ECC issue, we could schedule binNMUs by the next stretch point release. There is no sensible way to schedule binnmu's via security. So far none appeared AFAIK. Regards, Salvatore