On Mon, Apr 25, 2022 at 6:30 AM Thorsten Alteholz <deb...@alteholz.de> wrote:
>
> On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> > For binNMU, it's also possible to add Dep-Wait.
>
> Hmm, but that would be some manual work, wouldn't it?
>
> > I don't have a preference for it. And I think binNMU is not friendly
> > to Debian derivatives.
>
> Ok, that is a good point.
>
> > For ratt and other packages focusing on Build-Depends, they ensure
> > other packages won't FTBFS.
> > For tools focusing on (Static-)Built-Using, they ensure the embedded
> > libraries are up to date.
>
> I would like to object here.
>
> If you look at package crowdsec, you find no dependency on
> golang-github-tidwall-gjson in its Built-Using:, but only an entry for
> golang-github-appleboy-gin-jwt.
>
> golang-github-appleboy-gin-jwt for its part depends on
> golang-github-tidwall-gjson-dev.
>
> So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
> which is not detected when using Built-Using: but only by Build-Depends:?
>
> At least I got more packages to be rebuilt when using ratt than with
> Built-Using: ...
This is exactly the case for false positives of Build-Depends. For golang-github-appleboy-gin-jwt, golang-github-tidwall-gjson is only used in its tests.

Ref: https://codesearch.debian.net/search?q=github.com%2Ftidwall%2Fgjson+filetype%3Ago+package%3A%5CQgolang-github-appleboy-gin-jwt%5CE&literal=1

--
Shengjing Zhu
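The distinction the two messages are arguing about (a library that appears in Build-Depends because the test suite imports it, versus one that is actually linked into the binary and therefore belongs in Static-Built-Using) can be checked mechanically from the Go sources. The script below is an added illustration, not code from the thread, from ratt, or from any Debian tool: it walks a constructed miniature source tree (stand-ins for gin-jwt's files, not the real code), splits third-party imports into those reached from non-test files and those reached only from `_test.go` files, and shows which view of the dependency graph would flag a rebuild for a given advisory. The `debian_source_guess` mapping from an import path to a Debian source package name is an assumption that only approximates the usual `golang-<host>-<owner>-<repo>` naming convention; real package names can differ.

```python
import re
from typing import Dict, Set

# Constructed sample tree (not the real gin-jwt sources): production code
# imports gin and golang-jwt, while gjson is imported only from a test file.
SAMPLE_TREE: Dict[str, str] = {
    "auth_jwt.go": '''package jwt

import (
    "net/http"
    "time"

    "github.com/gin-gonic/gin"
    jwt "github.com/golang-jwt/jwt/v4"
)
''',
    "auth_jwt_test.go": '''package jwt

import (
    "testing"

    "github.com/tidwall/gjson"
)
''',
}

# A grouped import block: "import (" ... ")" with the closing paren at line start.
IMPORT_BLOCK = re.compile(r'^import\s*\((.*?)^\)', re.M | re.S)
# A single-line import, optionally aliased: import foo "path".
IMPORT_SINGLE = re.compile(r'^import\s+(?:[\w.]+\s+)?"([^"]+)"', re.M)
# One import line inside a block, optionally aliased.
IMPORT_LINE = re.compile(r'(?:[\w.]+\s+)?"([^"]+)"')


def go_imports(src: str) -> Set[str]:
    """Return every import path declared in one Go source file."""
    paths: Set[str] = set()
    for block in IMPORT_BLOCK.findall(src):
        paths.update(IMPORT_LINE.findall(block))
    paths.update(IMPORT_SINGLE.findall(src))
    return paths


def is_third_party(path: str) -> bool:
    """Standard-library paths have no dot in their first element (net/http, testing)."""
    return "." in path.split("/")[0]


def classify_imports(tree: Dict[str, str]) -> Dict[str, Set[str]]:
    """Split third-party imports into 'embedded' (reached from non-test files)
    and 'test_only' (reached from _test.go files and nowhere else)."""
    prod: Set[str] = set()
    test: Set[str] = set()
    for name, src in tree.items():
        target = test if name.endswith("_test.go") else prod
        target.update(p for p in go_imports(src) if is_third_party(p))
    return {"embedded": prod, "test_only": test - prod}


def debian_source_guess(path: str) -> str:
    """Approximate the Debian Go naming convention (assumption, not authoritative):
    github.com/tidwall/gjson -> golang-github-tidwall-gjson. A trailing major
    version segment such as /v4 is dropped."""
    host, *rest = path.split("/")
    host = host.rsplit(".", 1)[0]            # github.com -> github
    if rest and re.fullmatch(r"v\d+", rest[-1]):
        rest = rest[:-1]
    return "golang-" + "-".join(p.lower().replace(".", "-") for p in [host] + rest)


def rebuild_needed(tree: Dict[str, str], debian_pkg: str) -> Dict[str, bool]:
    """Would an advisory against debian_pkg trigger a rebuild of this package?
    The Build-Depends view counts every import; the Built-Using view counts
    only imports that end up linked into the shipped binary."""
    groups = classify_imports(tree)
    embedded = {debian_source_guess(p) for p in groups["embedded"]}
    test_only = {debian_source_guess(p) for p in groups["test_only"]}
    return {
        "build_depends_view": debian_pkg in (embedded | test_only),
        "built_using_view": debian_pkg in embedded,
    }


if __name__ == "__main__":
    print(classify_imports(SAMPLE_TREE))
    print(rebuild_needed(SAMPLE_TREE, "golang-github-tidwall-gjson"))
```

For the constructed tree the gjson import lands in `test_only`, so the Build-Depends view reports a rebuild while the Built-Using view does not; that is the false positive the second message describes, and it is also why a package downstream of gin-jwt (crowdsec in the thread) legitimately shows no gjson entry in its Built-Using field.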