Hi I do not really think it is worth it. But that is more related to the fact that I have not understood what the security problem is.
Yes, my site is down. It is concluded to be just ash right now. I have a backup so I should be able to upload the patch to somewhere else. // Ola On Thu, 18 Mar 2021 at 22:27, Utkarsh Gupta <utka...@debian.org> wrote: > Hello, > > On Tue, Mar 9, 2021 at 11:15 PM Sylvain Beucler <b...@beuc.net> wrote: > > > You can find the patch here: > > > > http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch > > Ola, can you move that patch to somewhere else? Because I guess your > site is still down. :( > > > It should be noted that golang* packages are supported in stretch but > > come with limited support, not to due to code generation but due to Go > > static linking in the first place: > > > https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited > > > > > > If you do decide to support this package, I recently documented how to > > find direct reverse build dependencies at: > > https://wiki.debian.org/LTS/TestSuites/golang > > > > $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev > > -T debsrc > > > debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources > > > > > deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages > > | grep-dctrl -n -s Package '' | sort -u > > gobgp > > golang-github-appc-goaci > > golang-github-appc-spec > > golang-github-mesos-mesos-go > > influxdb > > syncthing > > (Note: this is not recursive.) > > > > > > In addition, apt-file does provide a list of generated .pb.go files, > > though it also includes those from "plain" protobuf (of which > > gogoprotobuf if a fork) so not all are affected (the affected ones > > should contain "skippy" somewhere): > > # apt-file search .pb.go | cut -d: -f1 | sort -u > > golang-github-appc-spec-dev > > golang-github-gogo-protobuf-dev > > golang-github-golang-groupcache-dev > > golang-github-influxdb-influxdb-dev > > golang-github-mesos-mesos-go-dev > > golang-github-opencontainers-runc-dev > > golang-github-osrg-gobgp-dev > > golang-github-prometheus-alertmanager-dev > > golang-github-prometheus-client-model-dev > > golang-github-syncthing-syncthing-dev > > golang-gomega-dev > > golang-google-appengine-dev > > golang-google-genproto-dev > > golang-google-grpc-dev > > golang-gopkg-dancannon-gorethink.v1-dev > > golang-gopkg-dancannon-gorethink.v2-dev > > golang-goprotobuf-dev > > I'll be happy to do the work (that is push the fix of > golang-gogoprotobuf and then rebuild all these packages) but honestly, > is it worth doing that? I don't think releasing these many DLAs makes > sense unless there's a fair trade-off, which I don't see yet. > > What do y'all think? > > > - u > > -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
