Hi

Ok, thanks for the clarification.

But we should then generally mark golang updates as no-dsa unless they are
critical, right?
For example, for golang-gogoprotobuf it is rather questionable whether we
should fix it at all.

// Ola

On Mon, 17 May 2021 at 11:44, Sylvain Beucler <b...@beuc.net> wrote:

> Hi,
>
> According to debian-security-support, golang packages are not
> "unsupported" but with "limited support".
> Currently some packages are updated in stable and rdeps are manually
> bin-num'd (e.g. #946467), see also
> https://www.debian.org/News/2020/20200718 for stretch-before-LTS.
> It looks like golang will be fully supported in bullseye, so IMHO we'd
> rather prepare to handle some critical golang updates and not mass-EOL
> these packages.
>
> Cheers!
> Sylvain
>
> On 17/05/2021 09:20, Ola Lundqvist wrote:
> > Hi fellow LTS contributors
> >
> > I have a question about go package support.
> >
> > The question is whether we should try to support it in LTS or not:
> > According to this we do not give security support for go packages in
> > buster.
> >
> > https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
> >
> > There is also a discussion thread about adding this kind of information
> > to debian-security-support package, but there are concerns about
> > wildcards being a little too noisy.
> >
> > I can also see a note in dla-needed for Thorsten working on automating
> > go updates.
> >
> > My thinking is that we should remove these packages from dla-needed.txt
> > file and mark the CVE entries as EOL.
> >
> > Alternatively make some statement that we do in fact intend to make
> > these updates even though they are not done for buster. But in that
> > case, what is the motivation for making such updates for oldstable when
> > there is no plan to do it for stable.
> >
> > What do you think?
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
