[pkg-go] [pkg-golang-devel] Security support for packages written in Go

Florian Weimer fw at deneb.enyo.de
Wed Apr 6 17:33:41 UTC 2016


* Tianon Gravi:

> On 5 April 2016 at 14:47, Florian Weimer <fw at deneb.enyo.de> wrote:
>> We currently need these intermediate dependencies to discover all the
>> affected applications.  So perhaps dh_golang needs to construct the
>> transitive closure, instead of listing just immediate build
>> dependencies.  If we don't want to put this information into the
>> Packages file, maybe we can keep it in the separate debuginfo
>> packages.
>
> It _should_ be possible to adjust dh_golang to use "go list" in order
> to determine the exact full set of Go packages which the application
> code depends on, and then use _that_ list to cross-reference the files
> in /usr/share/gocode to get the real list of packages for Built-Using
> ( haven't verified whether it's feasible for dh_golang to do this, but
> it's pretty similar to how it's currently using "go list" to gather
> the list of packages to actually build).

Please also add the version of the dh-golang package, so that we know
what to rebuild if there's a bug in the Built-Using generation.



More information about the Pkg-go-maintainers mailing list