[pkg-go] [pkg-golang-devel] Security support for packages written in Go

Florian Weimer fw at deneb.enyo.de
Sat May 14 19:04:22 UTC 2016


* Michael Hudson-Doyle:

> Also, the way my prototype dh-golang change works, a libgolang*
> package Provides a value that contains the abi hash and dependencies
> depend on the hash value (via dpkg-shlibdeps), so in that case
> figuring out how much to rebuild is a case of "build stuff until
> britney stops shouting at you about making packages uninstallable" (I
> don't know if that's practical for the way you build security updates
> though).

What goes into the ABI hash?  All export data (which, I believe,
includes the body of functions which can be inlined across compilation
unit boundaries)?

> Over releases, no, I think you're right, but I really hope that
> security fixes can at least sometimes preserve ABI (the crypto fixes
> in Go 1.6.1 would not break ABI, for example).

I looked at this for a few updates, and with the exception of
potential inlining (for which I don't have a mental model), it seems
to happen surprisingly often for Go itself.


