On Mon, Jul 11, 2016 at 10:53:57AM +1200, Michael Hudson-Doyle wrote: > On 9 July 2016 at 07:21, Moritz Muehlenhoff <j...@inutil.org> wrote: > > Florian Weimer wrote: > >> > On Wednesday, 6 July 2016 9:59:32 PM AEST Moritz Mühlenhoff wrote: > >> >> What's the current status? Is there technical progress compared to what > >> >> was > >> >> discussed in April? The freeze is coming really close and we can't > >> >> support > >> >> the status quo for stretch. > >> > > >> > Perhaps I'm not the best person to speak on the matter as I've never > >> > touched any Golang tools except dh-golang. Situation with Golab > >> > libraries is not ideal (to say the least) but I understand that > >> > Golang is not the only language without concept of dynamic > >> > linking. As I recall someone mentioned Haskell as another example. > >> > > >> > It is my understanding that when vulnerability is fixed in Golang > >> > library it should be sufficient to NMU (re-build) all reverse > >> > dependencies. > >> > >> Part of the problem is that we currently lack a decent way to list all > >> these reverse dependencies. > > > > And there's also the much bigger problem that we can't actually rebuild > > packages on security.debian.org without a lot of manual work! > > > > The dak installation for security-master has a _lot_ of tech debt. One > > that particularly bites us here is that tarballs between security-master > > and ftp-master are separate. This e.g. requires that every package that > > is new on security-master needs to be build with "-sa" to include source > > and we can only issue binNMUs for packages which were at least once > > upload to jessie-security/stretch-security etc. > > That does sound unfortunate in the Go context. > > It is worth bearing in mind though, that you only need to rebuild the > binary-containing packages, so if the number of binary-containing > packages supported by the security team is tightly constrained, then > so is the number of (no-change source, I guess) uploads required to > handle any security update (e.g. in Ubuntu 16.04 there are only three > packages that contain Go binaries in main). > > The changes I'm making in Ubuntu to use shared libraries should in the > common case (i.e. the fix does not break ABI) make this better, but > worst case (where the fix breaks ABI) it will be worse as we might end > up having to rebuild the whole rdep tree.
What's the status of that work, will that land in the stretch release? Cheers, Moritz _______________________________________________ Pkg-go-maintainers mailing list Pkgfirstname.lastname@example.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers