[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Tianon Gravi tianon at debian.org
Tue Apr 5 22:12:07 UTC 2016


https://sources.debian.net/src/dh-golang/1.12/script/dh_golang/#L121
is where Built-Using is added (generated from the code above that
line)

https://sources.debian.net/src/dh-golang/1.12/lib/Debian/Debhelper/Buildsystem/golang.pm/#L144
is where dh-golang currently invokes "go list" (on "DH_GOPKG/..."
which is set from XS-Go-Import-Path or "DH_GOLANG_BUILDPKG" which is
set in d/rules)

http://dave.cheney.net/2014/09/14/go-list-your-swiss-army-knife is a
good overview of what "go list" is capable of ("Who depends on what?"
is the interesting section which talks about -f '{{ .Imports }}' and
-f '{{ .Deps }}')

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4


On 5 April 2016 at 15:05, Paul Tagliamonte <paultag at debian.org> wrote:
> Love this idea, I wonder if the Import-Path XS header could help resolve
> packages in a proof of concept
>
> On Apr 5, 2016 5:54 PM, "Tianon Gravi" <tianon at debian.org> wrote:
>>
>> On 5 April 2016 at 14:47, Florian Weimer <fw at deneb.enyo.de> wrote:
>> > We currently need these intermediate dependencies to discover all the
>> > affected applications.  So perhaps dh_golang needs to construct the
>> > transitive closure, instead of listing just immediate build
>> > dependencies.  If we don't want to put this information into the
>> > Packages file, maybe we can keep it in the separate debuginfo
>> > packages.
>>
>> It _should_ be possible to adjust dh_golang to use "go list" in order
>> to determine the exact full set of Go packages which the application
>> code depends on, and then use _that_ list to cross-reference the files
>> in /usr/share/gocode to get the real list of packages for Built-Using
>> (haven't verified whether it's feasible for dh_golang to do this, but
>> it's pretty similar to how it's currently using "go list" to gather
>> the list of packages to actually build).
>>
>> ♥,
>> - Tianon
>>   4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
>>
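
An added example, not part of this thread and not dh-golang code: it sketches the cross-reference discussed above, taking the import paths printed by "go list", matching them against directories under /usr/share/gocode, and emitting Built-Using entries. Every package name, version and command output in it is a constructed sample, and the helper names are hypothetical.

```python
# Added illustration, not dh-golang code. All package names, versions and
# command output below are constructed samples.
GOCODE = "/usr/share/gocode/src/"

# Shape of `go list -f '{{ .Imports }}' example.org/app` (direct imports only)
IMPORTS = "[fmt github.com/example/lib]\n"
# Shape of `go list -f '{{ .Deps }}' example.org/app` (transitive closure)
DEPS = ("[fmt github.com/example/lib github.com/example/lib/internal/util "
        "golang.org/x/example/ctx]\n")
# Shape of `dpkg-query -S <dir>` output for directories under GOCODE
DPKG_SEARCH = """\
golang-github-example-lib-dev: /usr/share/gocode/src/github.com/example/lib
golang-github-example-lib-dev: /usr/share/gocode/src/github.com/example/lib/internal/util
golang-golang-x-example-dev: /usr/share/gocode/src/golang.org/x/example/ctx
"""
# Binary package -> (source package, source version), the values that
# dpkg-query -W -f '${source:Package} ${source:Version}' reports
SOURCES = {
    "golang-github-example-lib-dev": ("golang-github-example-lib", "1.0-1"),
    "golang-golang-x-example-dev": ("golang-golang-x-example", "0.2-3"),
}

def import_paths(go_list_output):
    """Union of import paths over every '[a b c]' line go list printed."""
    paths = set()
    for line in go_list_output.splitlines():
        paths.update(line.strip().strip("[]").split())
    return paths

def owners(dpkg_search_output):
    """Map import path -> binary packages shipping its source directory."""
    result = {}
    for line in dpkg_search_output.splitlines():
        pkgs, _, path = line.partition(": ")
        if path.startswith(GOCODE):
            names = {p.strip() for p in pkgs.split(",")}
            result.setdefault(path[len(GOCODE):], set()).update(names)
    return result

def built_using(go_list_output, dpkg_search_output, sources):
    """Built-Using value for the import paths that a package owns."""
    own = owners(dpkg_search_output)
    entries = set()
    for path in import_paths(go_list_output):
        # Standard-library paths have no owner under GOCODE and drop out here.
        for pkg in own.get(path, ()):
            entries.add("%s (= %s)" % sources[pkg])
    return ", ".join(sorted(entries))
```

Fed the .Imports sample, the result names only the directly imported library; fed the .Deps sample, it also names the package that is reached only through that library, which is the set needed to find every affected application.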


