[pkg-go] Security support for packages written in Go
Ian Campbell
ijc at debian.org
Fri Jul 8 07:31:57 UTC 2016
On Fri, 2016-07-08 at 08:53 +0200, Florian Weimer wrote:
> * Dmitry Smirnov:
>
> > On Wednesday, 6 July 2016 9:59:32 PM AEST Moritz Mühlenhoff wrote:
> >> What's the current status? Is there technical progress compared to what was
> >> discussed in April? The freeze is coming really close and we can't support
> >> the status quo for stretch.
> >
> > Perhaps I'm not the best person to speak on the matter as I've never
> > touched any Golang tools except dh-golang. Situation with Golang
> > libraries is not ideal (to say the least) but I understand that
> > Golang is not the only language without a concept of dynamic
> > linking. As I recall someone mentioned Haskell as another example.
> >
> > It is my understanding that when a vulnerability is fixed in a Golang
> > library it should be sufficient to NMU (re-build) all reverse
> > dependencies.
>
> Part of the problem is that we currently lack a decent way to list all
> these reverse dependencies.

I was under the (vague and quite possibly wrong) impression that the
ocaml and/or haskell packaging folks had such tooling, might be worth
reaching out to them?

A bit of websearching found
https://people.debian.org/~nomeata/binNMUs-haskell.txt which points to
nomeata (Joachim?), cc'd, who can perhaps point in the right direction.

Ian.