[pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204

Vincent Bernat bernat at debian.org
Sat Apr 15 09:04:31 UTC 2017


 ❦ 14 April 2017 15:07 -0400, anarcat <anarcat at debian.org>:

> I looked into this during the Montreal BSP, and it's unclear what we
> should do here, considering there have been multiple new uploads since
> the stretch freeze.
>
> The patch is pretty long:
>
> https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
>
> ... and there's no way to just backport it into stretch at this point
> (IIRC).

The patch is not that big. Most of its content is in tests and
examples. The only problem is that it exposes a behavioral change that
may break reverse dependencies at runtime.

> So I'm wondering if the next step here would not just be to ask for an
> exception to unblock this for stretch, or just tell the release team to
> just ignore this and drop the package from stretch.

There are many reverse dependencies that would be removed by removing
this package, including some high profile ones, like etcd, rkt,
influxdb. Their removal will in turn remove a lot of additional
packages.
-- 
A is for Apple.
		-- Hester Pryne