[pkg-go] Security support for packages written in Go

Michael Hudson-Doyle michael.hudson at canonical.com
Wed Apr 13 09:10:09 UTC 2016


On 13 April 2016 at 17:03, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Michael Hudson-Doyle:
>
>> There is another approach to the static linking issue, which is to
>> start using dynamic linking instead. It's implemented upstream for
>> most architectures now (only mips64 le/be and ppc64 be missing I
>> think). I'm going to be working on starting to use dynamic linking
>> during the next cycle of Ubuntu development, and I'd certainly be
>> interested in getting it going for Debian too. (the timeframes re:
>> stretch release look reasonable for this).
>
> Can you explain a bit more how dynamic linking would help us to
> determine what we need to rebuild?

Well, some of the time, rebuilding won't be needed, hopefully.

Also, the way my prototype dh-golang change works, a libgolang*
package Provides a value that contains the ABI hash and dependencies
depend on the hash value (via dpkg-shlibdeps), so in that case
figuring out how much to rebuild is a case of "build stuff until
britney stops shouting at you about making packages uninstallable" (I
don't know if that's practical for the way you build security updates
though).

> I expect that dynamic linking will complicate matters because we will
> have to rebuild library packages in dependency order.  I don't see how
> Go shared objects can provide a stable ABI.

Over releases, no, I think you're right, but I really hope that
security fixes can at least sometimes preserve ABI (the crypto fixes
in Go 1.6.1 would not break ABI, for example).

Cheers,
mwh
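
Added example, not part of the original message and not the dh-golang prototype's code: a small model of the "rebuild until nothing is uninstallable" loop described above, comparing an ABI-preserving security fix with an ABI-breaking one. The package names, the "<name>-abi-<hash>" virtual-package scheme and the rule that a library's hash covers the hashes it was built against are all assumptions made for illustration.

```python
import hashlib

def build(archive, name, api, libdeps):
    """Simulate a build: Depends pins the ABI hash each library Provides now."""
    depends = {v for d in libdeps for v in archive[d]["provides"]}
    provides = set()
    if api is not None:  # libraries only; applications Provide nothing
        # Modelling assumption: the hash covers the library's own exported
        # ABI ("api") plus the hashes of the libraries it was built against.
        digest = hashlib.sha256(repr((api, sorted(depends))).encode()).hexdigest()
        provides = {f"{name}-abi-{digest[:8]}"}  # hypothetical naming scheme
    archive[name] = {"api": api, "libdeps": libdeps,
                     "provides": provides, "depends": depends}

def uninstallable(archive):
    """Packages with a Depends that nothing in the archive Provides."""
    provided = set().union(*(p["provides"] for p in archive.values()))
    return sorted(n for n, p in archive.items() if not p["depends"] <= provided)

def security_update(archive, name, api):
    """Upload fixed `name` with ABI `api`; rebuild until installable again."""
    build(archive, name, api, archive[name]["libdeps"])
    rebuilt = []
    while broken := uninstallable(archive):
        for pkg in broken:
            build(archive, pkg, archive[pkg]["api"], archive[pkg]["libdeps"])
            rebuilt.append(pkg)
    return rebuilt

def fresh_archive():
    """Constructed three-package archive, built in dependency order."""
    archive = {}
    build(archive, "libgolang-crypto", "v1", [])
    build(archive, "libgolang-net", "v1", ["libgolang-crypto"])
    build(archive, "someapp", None, ["libgolang-net"])
    return archive

if __name__ == "__main__":
    # ABI-preserving fix: the hash is unchanged, so nothing else is rebuilt.
    print(security_update(fresh_archive(), "libgolang-crypto", "v1"))
    # ABI-breaking fix: dependents are rebuilt, in dependency order.
    print(security_update(fresh_archive(), "libgolang-crypto", "v2"))
```

In this model the rebuild order falls out of the unsatisfied Provides alone: each round rebuilds only what the previous round made uninstallable.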


