On Wed, Jul 14, 2021 at 03:13:13AM +0000, Paul Wise wrote:
> On Tue, Jul 13, 2021 at 6:12 AM Shengjing Zhu wrote:
>
> > Sadly the std library is statically embedded in all packages built by
> > the Go compiler.
> > So if there's a security issue in the std library, a bunch of packages
> > need to be rebuilt.
> >
> > It may be possible to disassemble all Go binaries to see how many std
> > libraries are embedded, but currently we don't have such a tool to go
> > through all unpacked binary packages.
>
> An alternative more brute-force approach might be to rebuild all
> packages locally twice, once without the patched std library and once
> with the patched std library, then use diffoscope to compare the
> binaries and if there are any changes then request a binNMU for the
> package. Packages that don't use the crypto library should not have it
> linked in and should see no changes after rebuilding with the patch.

That feels like over-engineering/energy-wasting. But if someone can offer the compute resources, I can offer some time to write the scripts to do the work.
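
An added sketch of the first approach quoted above, walking unpacked binary packages to see which std packages are embedded; it is not part of the original messages and not an existing Debian tool. It assumes a byte-level heuristic instead of real disassembly: Go binaries carry the build-info marker read by `go version <file>` and keep function names as NUL-terminated `import/path.Symbol` strings, and the `crypto` prefix and all function names here are illustrative choices.

```python
import re
import sys
from pathlib import Path

# Marker the Go linker writes into binaries; `go version <file>` looks for it.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"


def embedded_packages(data: bytes, prefix: str) -> set:
    """Return std package paths at or under `prefix` whose function names occur in `data`."""
    if GO_BUILDINFO_MAGIC not in data:
        return set()  # not recognisably a Go binary
    # Anchor on the preceding NUL so vendored copies such as
    # "vendor/golang.org/x/crypto/..." are not counted as the std package.
    pattern = re.compile(
        rb"\x00(" + re.escape(prefix.encode()) + rb"(?:/[a-z0-9_]+)*)\.[A-Za-z(]"
    )
    return {m.group(1).decode() for m in pattern.finditer(data)}


def scan_tree(root: str, prefix: str) -> dict:
    """Map each Go binary under `root` to the matching std packages it embeds."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            packages = embedded_packages(path.read_bytes(), prefix)
            if packages:
                hits[str(path)] = sorted(packages)
    return hits


if __name__ == "__main__":
    # Usage: scan.py <dir of unpacked binary packages> [std package prefix]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    prefix = sys.argv[2] if len(sys.argv) > 2 else "crypto"
    for binary, packages in scan_tree(root, prefix).items():
        print(binary, " ".join(packages))
```

A hit only means the package is linked in, so the output is a candidate list for rebuilds, not proof that the affected code path is reachable.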