Hi,

On Sun, Apr 24, 2022 at 7:30 PM Thorsten Alteholz <deb...@alteholz.de> wrote:
>
> Hi everybody,
>
> some time ago, before the release of Buster, the Release Team and the
> Security Team criticized the missing tooling for security updates of Golang
> packages[1].
> I would like to improve the situation here and try to develop some scripts
> to automatically rebuild/upload affected packages (they are basically
> based on the reverse dependencies detected by ratt). So I hope you don't
> mind if I upload seemingly random packages. The corresponding changelog
> entry should explain what CVE triggered the upload.
> If you notice a missing or a superfluous upload, please don't hesitate to
> tell me.
>
Do you want to

1. Rebuild package to carry fixed CVE in dependencies
2. Fix CVE in library and then go through 1

For 1, I think you don't need to use the Build-Depends field which is used by
ratt, or the build-rdeps tool. We use the Built-Using field, which records the
statically linked package. (We will move to a new field called
Static-Built-Using, but it hasn't happened yet).

For 1, do you want to do a no-change rebuild upload like Ubuntu, or do you want
to give a list of packages to the Release Team to schedule a binNMU?

For 2, I think it's just like a normal team upload, it's not special for
security fix or not. Please just go ahead.

And thanks for doing this!

-- 
Shengjing Zhu
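The reply above points at the Built-Using field (rather than Build-Depends) as the right source for "which binaries statically linked the vulnerable Go library". The following script is an added illustration, not code from the thread, ratt or the Debian Go team: it parses deb822 Packages stanzas (the sample stanzas, package names and versions are constructed) and lists the source packages whose binaries still embed the library at a version other than the fixed one, which is the rebuild list a no-change upload or binNMU request would be based on.

```python
"""Find binaries that must be rebuilt after a Go library fix, using the
Built-Using field of a Packages index (deb822 stanzas) instead of the
Build-Depends field consulted by ratt/build-rdeps."""
import re

# Constructed sample Packages stanzas; names and versions are made up.
SAMPLE_PACKAGES = """\
Package: example-tool
Source: example-tool
Version: 1.0-1
Built-Using: golang-github-foo-bar (= 0.1.0-2), golang-golang-x-net (= 1:0.0+git20210119-1)

Package: other-tool
Source: other-tool-src (2.3-1)
Version: 2.3-1+b1
Built-Using: golang-github-foo-bar (= 0.2.0-1)

Package: unrelated
Version: 3.0-1
"""

# One "source (= version)" entry of a Built-Using value.
BUILT_USING_RE = re.compile(r"\s*([a-z0-9.+-]+)\s*\(=\s*([^)]+)\)")


def parse_packages(text):
    """Yield one dict per stanza; keys are field names, values are strings."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields


def built_using(fields):
    """Return {source_package: version} parsed from a stanza's Built-Using."""
    return dict(BUILT_USING_RE.findall(fields.get("Built-Using", "")))


def rebuild_candidates(packages_text, fixed_source, fixed_version):
    """Map source package -> [(binary, embedded version)] for every binary
    that embeds fixed_source at a version other than fixed_version, i.e.
    one that still carries the vulnerable code and needs a rebuild."""
    todo = {}
    for fields in parse_packages(packages_text):
        embedded = built_using(fields).get(fixed_source)
        if embedded is None or embedded == fixed_version:
            continue
        # Source defaults to the binary name and may carry a "(version)".
        source = fields.get("Source", fields["Package"]).split(" ")[0]
        todo.setdefault(source, []).append((fields["Package"], embedded))
    return todo


if __name__ == "__main__":
    print(rebuild_candidates(SAMPLE_PACKAGES, "golang-github-foo-bar", "0.2.0-1"))
```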