On Mon, Aug 14, 2023 at 11:54 PM Roberto C. Sánchez <robe...@debian.org> wrote:
>
> Greetings Security Team and Go Team members,
>
> (Note that I am not subscribed to the debian-go mailing list and I
> would appreciate being kept in the CC of replies.)
>
> Last month I updated golang-yaml.v2 in buster LTS (DLA-3479-1). This was
> work that I took over from another LTS contributor, and since I am not
> familiar with updates of Go packages, it seems that I may have
> overlooked the need to rebuild rdeps.
>
> A member of the LTS team has prepared a page regarding updates of Go
> packages [0], which I only found out about quite recently. However,
> in speaking with Sylvain (the author of the page) he noted that the page
> has not been reviewed by members of the Go Team or the Security Team.
> So, he recommended that I seek specific guidance in this case.
>
> I prepared the update of golang-yaml.v2 and uploaded it. When I found
> out about the page I mentioned, I executed the command below (in a
> buster chroot):
>
> dose-ceve --deb-native-arch=amd64 -r golang-yaml.v2 -T debsrc \
>   debsrc:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_source_Sources \
>   deb:///var/lib/apt/lists/deb.debian.org_debian_dists_buster_main_binary-amd64_Packages \
>   | grep-dctrl -n -s Package '' | sort -u
>

This is not right; you should check the Built-Using field. For example:

  grep-dctrl -F Built-Using golang-yaml.v2 -sPackage

This will drop some packages that only use golang-yaml.v2 for tests,
which don't need to be rebuilt.

> The resulting list of packages (attached) showed that there were 101
> rdeps. I would like to request some guidance about how to handle the
> situation.
>
> I am aware that Go based packages have limited support, as per [1].
> Thus, I am wondering what, even with limited support, would be
> reasonable for us to do.
>
> Do all 101 of the rdeps need to be rebuilt in order for the update I
> prepared to be considered complete? Is there some subset that
> can/should/must be rebuilt? Is there anything else that I need to do in
> relation to this?
>
> Regards,
>
> -Roberto
>
> [0] https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
> [1] https://www.debian.org/releases/{buster,bullseye,bookworm}/amd64/release-notes/ch-information.en.html#golang-static-linking
>
> --
> Roberto C. Sánchez



-- 
Shengjing Zhu
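
Added example, not part of the original messages: a Python sketch of the Built-Using check suggested in the reply, which parses Packages-format stanzas, matches the source name exactly, and groups the hits by source package together with the embedded version. The package names and versions in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Packages (deb822) format; names and versions are made up.
SAMPLE_PACKAGES = """\
Package: tool-a
Source: tool-a-src (1.0-2)
Version: 1.0-2+b1
Built-Using: golang-1.11 (= 1.11.6-1), golang-yaml.v2 (= 2.2.2-1),
 golang-github-example-lib (= 0.3-1)

Package: tool-b
Version: 0.9-1
Built-Using: golang-1.11 (= 1.11.6-1), golang-yaml.v2-extras (= 0.1-1)

Package: libfoo-dev
Version: 2.0-1
Depends: golang-yaml.v2-dev

Package: tool-c
Version: 3.1-1
Built-Using: golang-yaml.v2 (= 2.2.2-1)
"""

def parse_stanzas(text):
    """Yield each stanza as a dict, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def built_using(text, source):
    """Map source package -> set of versions of `source` it was built with."""
    hits = defaultdict(set)
    for st in parse_stanzas(text):
        for entry in st.get("Built-Using", "").split(","):
            # Each entry has the form "name (= version)"; compare the name exactly.
            m = re.fullmatch(r"\s*(\S+)\s*\(=\s*(\S+)\s*\)\s*", entry)
            if m and m.group(1) == source:
                # Source may carry a version in parentheses; keep only the name.
                src = st.get("Source", st["Package"]).split()[0]
                hits[src].add(m.group(2))
    return dict(hits)

if __name__ == "__main__":
    for src, vers in sorted(built_using(SAMPLE_PACKAGES, "golang-yaml.v2").items()):
        print(src, ", ".join(sorted(vers)))
```

Packages that only declare a dependency on the -dev package (libfoo-dev in the sample) are not listed, because nothing from golang-yaml.v2 is recorded in their Built-Using field.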
