Control: tags -1 moreinfo
Michael Lustfield:
> Package: release.debian.org
> User: release.debian....@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package golang-go.crypto
>
> About 18 days ago, a security issue was patched [1] in this package. For
> reasons
> not directly related to the CVE [2], an upload to unstable was done about 9
> days
> after the relevant security update. I have not yet confirmed the fix is in
> unstable (haven't had the time available, yet), but believe it's there.
>
> While the patch itself is relatively simple [3], there is a large delta from
> testing and the debdiff is quite substantial (~16,000 lines). Unfortunately, I
> agree with the severity and RC status... and this package has a very large
> number of reverse build dependencies against it. Adding to the headache, this
> change introduces an unavoidable breaking change.
>
> I know the current unstable package needs d/NEWS,chglog updated before an
> acceptable debdiff could be presented. I now see other security updates [4]
> have been resolved since the version in testing.
>
> This is my first time requesting a freeze exception or trying to handle one at
> all and the list of reverse dependencies has me a feeling a little uneasy. If
> anyone is interested in mentoring (or taking over), please do!
>
> [1] https://github.com/golang/go/issues/19767
> [2] https://security-tracker.debian.org/tracker/CVE-2017-3204
> [3]
> https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
> [4] https://github.com/golang/go/issues?q=label%3ASecurity+is%3Aclosed
> [-] https://bugs.debian.org/859655
>
> unblock golang-go.crypto/1:0.0~git20170407.0.55a552f-1
>
> [...]
Hi Michael,
Thanks for bringing this issue to our attention. This is a very
unfortunate situation.
* First of all. AFAIUT, the change will at least possibly break the
following packages:
* golang-github-jamesclonk-vultr
* aptly
* gitlab-ci-multi-runner
* kubernetes
* golang-github-pkg-sftp
* golang-github-spf13-afero
* golang-github-kisom-goutils
* packer
They need to be fixed or removed from testing before we can even
consider doing an exception for this breaking change.
* Secondly, is it correctly understood of me that the issue is
basically that golang-go.crypto defaults to not validating an SSH
key, but a client /can/ do so with the current API? The fix is
then to require the client to explicitly choose a way to deal with
SSH keys?
Thanks,
~Niels
