[pkg-golang-devel] [pkg-go] Security support for packages written in Go
paultag at debian.org
Wed Apr 6 19:17:57 UTC 2016
On Wed, Apr 6, 2016 at 3:14 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Paul Tagliamonte:
> > I don't think B-U is the appropriate place for this. This means if we
> > didn't change anything in dh-golang, we'd need to binNMU the package
> > we can decruft the sources that have newer versions, dak side.
> > With an ftp hat on, I think that's not right. Having the entire build
> > closure in it would be useful, but B-U is also used by dak to keep
> > we still have binaries related to in the archive.
> > We could add it as some sort of binary control header, but that's also
> > annoying. Less annoying, though.
> Do you agree that keeping this information would be useful?
Yes, absolutely, but I don't think B-U is the right place - we can use
another binary control field, as I said, though! Something like:
I'm also interested in writing tooling to make this process (querying for
cruft and sending out binNMUs) easier :)
> There's also the option of stuffing these bits into the debug
> packages. Not as easily analyzed, but it's not so great to pollute
> the Packages file with such obscure information.