Florian Weimer wrote: > > On Wednesday, 6 July 2016 9:59:32 PM AEST Moritz Mühlenhoff wrote: > >> What's the current status? Is there technical progress compared to what was > >> discussed in April? The freeze is coming really close and we can't support > >> the status quo for stretch. > > > > Perhaps I'm not the best person to speak on the matter as I've never > > touched any Golang tools except dh-golang. Situation with Golab > > libraries is not ideal (to say the least) but I understand that > > Golang is not the only language without concept of dynamic > > linking. As I recall someone mentioned Haskell as another example. > > > > It is my understanding that when vulnerability is fixed in Golang > > library it should be sufficient to NMU (re-build) all reverse > > dependencies. > > Part of the problem is that we currently lack a decent way to list all > these reverse dependencies.
And there's also the much bigger problem that we can't actually rebuild packages on security.debian.org without a lot of manual work! The dak installation for security-master has a _lot_ of tech debt. One that particularly bites us here is that tarballs between security-master and ftp-master are separate. This e.g. requires that every package that is new on security-master needs to be build with "-sa" to include source and we can only issue binNMUs for packages which were at least once upload to jessie-security/stretch-security etc. And with that setup (and in addition to what Florian mentioned) I see no sane way that we can support Go applications in stretch. It's already difficult enough to support a distro of the size of Debian with volunteers only. As Haskell was mentioned; sure it has the same problem. But Go is a totally different ballpark: Go aims at system-level services which have a notable security surface (think of docker or kubernetes), while I can't remember any security vulnerability in an application written in Haskell in the archive in the 10+ years I'm in the Security Team. Cheers, Moritz _______________________________________________ Pkg-go-maintainers mailing list Pkgemail@example.com http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers