Hi,

According to debian-security-support, golang packages are not "unsupported" but with "limited support". Currently some packages are updated in stable and rdeps are manually bin-num'd (e.g. #946467), see also https://www.debian.org/News/2020/20200718 for stretch-before-LTS. It looks like golang will be fully supported in bullseye, so IMHO we'd rather prepare to handle some critical golang updates and not mass-EOL these packages.

Cheers!
Sylvain

On 17/05/2021 09:20, Ola Lundqvist wrote:
Hi fellow LTS contributors

I have a question about go package support.

The question is whether we should try to support it in LTS or not:
According to this we do not give security support for go packages in buster. https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking

There is also a discussion thread about adding this kind of information to debian-security-support package, but there are concerns about wildcards being a little too noisy.

I can also see a note in dla-needed for Thorsten working on automating go updates.

My thinking is that we should remove these packages from dla-needed.txt file and mark the CVE entries as EOL.

Alternatively make some statement that we do in fact intend to make these updates even though they are not done for buster. But in that case, what is the motivation for making such updates for oldstable when there is no plan to do so for stable?

What do you think?
