[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Florian Weimer fw at deneb.enyo.de
Wed Apr 6 19:14:19 UTC 2016

* Paul Tagliamonte:

> I don't think B-U is the appropriate place for this. This means if we
> didn't change anything in dh-golang, we'd need to binNMU the package before
> we can decruft the sources that have a newer versions, dak side.
> With an ftp hat on, I think that's not right. Having the entire build
> closure in it would be useful, but B-U is also used by dak to keep sources
> we still have binaries related to in the archive.
> We could add it as some sort of binary control header, but that's also
> annoying. Less annoying, though.

Do you agree that keeping this information would be useful?

There's also the option of stuffing these bits into the debug
packages.  Not as easily analyzed, but it's not so great to pollute
the Packages file with such obscure information.

More information about the pkg-golang-devel mailing list