Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package golang-go.crypto

About 18 days ago, a security issue was patched [1] in this package. For reasons not directly related to the CVE [2], an upload to unstable was done about 9 days after the relevant security update. I have not yet confirmed the fix is in unstable (haven't had the time available, yet), but believe it's there.

While the patch itself is relatively simple [3], there is a large delta from testing and the debdiff is quite substantial (~16,000 lines). Unfortunately, I agree with the severity and RC status... and this package has a very large number of reverse build dependencies against it. Adding to the headache, this change introduces an unavoidable breaking change.

I know the current unstable package needs d/NEWS,chglog updated before an acceptable debdiff could be presented. I now see other security updates [4] have been resolved since the version in testing.

This is my first time requesting a freeze exception or trying to handle one at all and the list of reverse dependencies has me feeling a little uneasy. If anyone is interested in mentoring (or taking over), please do!

[1] https://github.com/golang/go/issues/19767
[2] https://security-tracker.debian.org/tracker/CVE-2017-3204
[3] https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
[4] https://github.com/golang/go/issues?q=label%3ASecurity+is%3Aclosed
[-] https://bugs.debian.org/859655

unblock golang-go.crypto/1:0.0~git20170407.0.55a552f-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)