[pkg-go] Bug#859655: Bug#859655: golang-go.crypto: CVE-2017-3204

Antoine Beaupré anarcat at debian.org
Sat Apr 15 13:42:38 UTC 2017


On 2017-04-15 11:04:31, Vincent Bernat wrote:
>  ❦ 14 avril 2017 15:07 -0400, anarcat <anarcat at debian.org> :
>
>> I looked into this during the Montreal BSP, and it's unclear what we
>> should do here, considering there have been multiple new uploads since
>> the stretch freeze.
>>
>> The patch is pretty long:
>>
>> https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
>>
>> ... and there's no way to just backport it into stretch at this point
>> (IIRC).
>
> The patch is not that big. Most of its content is in tests and
> examples. The only problem is that it exposes a behavioral change that
> may break reverse dependencies at runtime.
>
>> So I'm wondering if the next step here would not just be to ask for an
>> exception to unblock this for stretch, or just tell the release team to
>> just ignore this and drop the package from stretch.
>
> There are many reverse dependencies that would be removed by removing
> this package, including some high profile ones, like etcd, rkt,
> influxdb. Their removal will in turn remove a lot of additional
> packages.

Okay well, you guys need to figure out what you do with this package,
because as it stands 1) it has an RC bug and 2) it is completely out of
sync with unstable. I don't understand why so many uploads were done
after stretch was frozen, but I guess you should ask the release team
for an exception at this point.

Then this patch can be added on top...

A.

-- 
There is no cloud, it's just someone else's computer.
                       - Chris Watterson