Am 08.02.2019 um 17:31 schrieb Chris Lamb: > Hi Tobias, > >> $ grep-dctrl -FBuild-Depends golang-go -w -sPackage >> /var/lib/apt/lists/*Sources > [..] >> >> Please note that there are probably a lot of false positives in this >> list, because not every package uses crypto/elliptic. > > Indeed. So how reliable would it be to look for "crypto/elliptic" > and skip those? I fear that might accidentally exclude packages due > to transitive imports / Build-Depends or similar? > > Or: should I just save effort and upload the lot?
Hi Chris, I've just recently joined the go compiler team, so I'm not an expert -- but from my understanding, there should be no transitive imports in this specific case. If I understand you correctly, you mean that package "A" does not use crypto/elliptic itself, but Build-Depends on package "B", which *does* use crypto/elliptic, right? The golang compiler itself is affected, so any package ("A" in the example) which Build-Depends on a -dev package which uses crypto/elliptic ("B" in the example) should also have a Build-Depends on golang-go. Therefore, I think it would be save to skip all packages which only produce a -dev package. With that in mind, the list gets much shorter. Is there an easy way to find out if a source package produces only the -dev binary package? One hint at finding the right packages would be that the -dev packages are arch:all, while other binary packages are arch:any. Does this help and/or makes sense? :-) >> Please note that I was not able to get build-rdeps to run in a >> jessie chroot > > (Ah, not just me then; I needed to hack the "sid|unstable" bit in > the code but didn't want to yak-shave that at the time!) :-) Nice to know, I was at a loss in that chroot, only wondering how the hell you got that command to run ... Regards, Tobias
Description: OpenPGP digital signature