Hi Shengjing, golang maintainers, On 27-05-2019 05:25, Shengjing Zhu wrote: > On Mon, May 27, 2019 at 2:04 AM Shengjing Zhu <z...@debian.org> wrote: > [...] >> The following are all the affected packages, generated by [2]: >> > > This list is now at > https://wiki.debian.org/Teams/DebianGoTeam/AlignUnstableWithBuster
This list hasn't been updated since. Does that mean that also no uploads happened? When are you planning to do that? Just for your information, the golang security situation is the major reason why we don't have a release date for buster yet. I hope the Debian golang community is taking the situation very seriously. On that topic, I'd like to take this opportunity to say that soon after the release of buster we will most likely remove Go and it's reverse dependencies from testing and prevent them from entering again until the infrastructure issues are solved. We may release buster with the golang ecosystem, but Go based packages will be marked without support via security.debian.org until that moment as well. Updates can only go via point releases. When the infrastructure issues are solve during the buster life cycle, Go based packages in buster can be supported from that moment on. I realize that the underlying problem isn't perfectly clear. I understand from various people that the situation is complex with all kind of subtleties. Making sure the problem is well understood and the path(s) to the solution(s) is clear is an extremely useful contribution to solving the support issue. And for the avoidance of doubt, yes, other static linking languages have the same fundamental issue. The security team claims that these languages haven't seen many security issues yet so there is no worry yet to support those. Hence most involved teams and people expect initiative from the golang community to fix the situation in cooperation with the involved teams. Paul PS: I am still seeing new upstream version uploads to unstable. I would have expected that it is clear by now that probably isn't smart. At the very least, it doesn't send a good message.
signature.asc
Description: OpenPGP digital signature
