@doko "I'm still sceptical about how to track third party libaries, i.e. if they are included as a dependency, or built form the vendorized copies. dh-golang tries to do that, and sets the "Built-Using" attribute for the binary packages. If juju-core doesn't want, or cannot use dh-golang, that should be done directly in the packaging. Is this a solved problem how to select which copy to use, or does this still need investigation?"
The security team has a mechanism for tracking embedded copies and while I would've preferred to see many of the embedded copies moved out to golang-*-dev packages, for 15.10 the security team agreed to the juju team updating juju to use the golang-*-dev packages that currently exist in the archive. I'll be filing a separate bug for 16.04 to pull out the others. Furthermore, We have developed in response to this MIR a process and tooling for tracking Built-Using. The upcoming https://code.launchpad.net/~james-page/ubuntu/wily/juju-core/mir- fixes/+merge/274052 uses Built-Using and dh-golang, so juju-core is 'ok' on this front. "jujud is still linked statically. Is this needed for the juju-core copy in the archive?" As mentioned in comment 119, this is ok for 15.10. This should remain 'Incomplete' and can be marked 'Fix Committed' once https://code.launchpad.net/~james-page/ubuntu/wily/juju-core/mir- fixes/+merge/274052 is uploaded. ** Changed in: juju-core (Ubuntu) Status: Triaged => Incomplete -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to golang-github-bmizerany-pat in Ubuntu. https://bugs.launchpad.net/bugs/1267393 Title: [MIR] juju-core, juju-mongodb, gccgo, golang To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dh-golang/+bug/1267393/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
