[pkg-go] [pkg-golang-devel] Security support for packages written in Go

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 13 07:17:48 UTC 2016


On Mon, Jul 11, 2016 at 05:41:52PM +1000, Dmitry Smirnov wrote:
> On Monday, 11 July 2016 9:22:12 AM AEST Florian Weimer wrote:
> > Hmm.  I poked at a few packages, and here is what I found:
> > golang-siphash-dev does not have any Built-Using header.
> > golang-gopkg-tylerb-graceful.v1-dev does not list golang-x-text,
> > although its dependency golang-golang-x-net-dev was built using it.
> > (I'm looking at unstable.)
> 
> But you are looking at wrong packages. -dev packages are just sources that 
> strictly speaking are not "built" but more like "validated" on build time.
> 
> You do not need to re-build source/-dev packages so they do not have Built-
> Using header intentionally. What you need to be looking at is arch:any binary 
> packages built from go sources involving multiple libraries.
> 
> Examples of Golang executables include docker.io, containerd, etcd, grafana, 
> runc, acbuild, docker2aci, influxdb, rkt, consul, fleet, nomad, skydns, 
> kubernetes-{node|master|client}, etc.

To have some hard numbers: If golang itselfs needs an update, how many
packages need a rebuild?

Cheers,
        Moritz



More information about the Pkg-go-maintainers mailing list