On Tue, Jul 13, 2021 at 6:12 AM Shengjing Zhu wrote:

> Sadly the std library is statically embedded in all packages built by the
> Go compiler.
> So if there's a security issue in the std library, a bunch of packages need
> to be rebuilt.
>
> It may be possible to disassemble all Go binaries to see how many std
> libraries are embedded, but currently we don't have such a tool to go
> through all unpacked binary packages.

An alternative more brute-force approach might be to rebuild all packages locally twice, once without the patched std library and once with the patched std library, then use diffoscope to compare the binaries and if there are any changes then request a binNMU for the package. Packages that don't use the crypto library should not have it linked in and should see no changes after rebuilding with the patch.

--
bye,
pabs

https://wiki.debian.org/PaulWise
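
The comparison step of the rebuild-twice approach, as an added example that is not part of the original message. It assumes each build's .deb files were unpacked with `dpkg-deb -x` into `<build>/<package>/`, and it adds a second unpatched build as a reproducibility control; the function names and sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

def elf_digests(tree):
    """Map 'package/path' -> SHA-256 for each ELF file under tree.

    Assumed layout: tree/<package>/<files unpacked with dpkg-deb -x>."""
    digests = {}
    for path in sorted(Path(tree).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        if data.startswith(ELF_MAGIC):  # skip docs, scripts, changelogs
            rel = path.relative_to(tree).as_posix()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests

def changed_packages(before, after):
    """Return {package: [ELF paths that differ or exist in only one tree]}."""
    old, new = elf_digests(before), elf_digests(after)
    changed = {}
    for rel in sorted(old.keys() | new.keys()):
        if old.get(rel) != new.get(rel):
            pkg, _, inner = rel.partition("/")
            changed.setdefault(pkg, []).append(inner)
    return changed

def binnmu_candidates(unpatched_a, unpatched_b, patched):
    """Return (packages changed by the patch, unreproducible packages).

    A package that differs between two unpatched builds would differ from
    the patched build anyway, so it is reported separately for manual review."""
    noisy = set(changed_packages(unpatched_a, unpatched_b))
    diff = set(changed_packages(unpatched_a, patched))
    return sorted(diff - noisy), sorted(noisy)

def write_sample(root):
    """Constructed trees; file bodies are placeholders, not real Go binaries."""
    bodies = {  # package -> content in builds (a, b, patched)
        "tlsclient": ("old-crypto", "old-crypto", "new-crypto"),
        "hello": ("same", "same", "same"),
        "stamped": ("build-1", "build-2", "build-3"),  # unreproducible
    }
    for pkg, versions in bodies.items():
        for build, body in zip(("a", "b", "patched"), versions):
            path = Path(root, build, pkg, "usr/bin", pkg)
            path.parent.mkdir(parents=True)
            path.write_bytes(ELF_MAGIC + body.encode())
    return [Path(root, b) for b in ("a", "b", "patched")]
```

Packages in the first list are the binNMU candidates; those in the second need a manual diffoscope pass, because their output changes even without the patch.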