Hi,
For golang-gogoprotobuf, given that (AFAIK) the Go maintainers didn't
answer your request for comment, given that the vulnerability includes 2
levels of rdeps (statically generated library sources + static library
linking) implying dozens of DLAs, given that buster doesn't have an
update, and given that the conversation died 2 months ago, I think we
can mark it as no-dsa now.
Cheers!
Sylvain
On 17/05/2021 11:57, Ola Lundqvist wrote:
Hi
Ok, thanks for the clarification.
But we should then generally mark golang updates as no-dsa unless they
are critical, right?
For example, with golang-gogoprotobuf it is rather questionable whether we
should fix it at all.
// Ola
On Mon, 17 May 2021 at 11:44, Sylvain Beucler <b...@beuc.net> wrote:
Hi,
According to debian-security-support, golang packages are not
"unsupported" but with "limited support".
Currently some packages are updated in stable and rdeps are manually
binNMU'd (e.g. #946467), see also
https://www.debian.org/News/2020/20200718 for stretch-before-LTS.
It looks like golang will be fully supported in bullseye, so IMHO we'd
rather prepare to handle some critical golang updates and not mass-EOL
these packages.
Cheers!
Sylvain
On 17/05/2021 09:20, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> I have a question about go package support.
>
> The question is whether we should try to support it in LTS or not:
> According to this we do not give security support for go packages in
> buster.
>
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
>
> There is also a discussion thread about adding this kind of information
> to debian-security-support package, but there are concerns about
> wildcards being a little too noisy.
>
> I can also see a note in dla-needed for Thorsten working on automating
> go updates.
>
> My thinking is that we should remove these packages from dla-needed.txt
> file and mark the CVE entries as EOL.
>
> Alternatively make some statement that we do in fact intend to make
> these updates even though they are not done for buster. But in that
> case, what is the motivation for making such updates for oldstable when
> there is no plan to do so for stable.
>
> What do you think?
--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com  o...@debian.org |
| http://inguza.com/  Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------