[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Paul Tagliamonte paultag at debian.org
Wed Apr 6 19:17:57 UTC 2016


On Wed, Apr 6, 2016 at 3:14 PM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Paul Tagliamonte:
>
> > I don't think B-U is the appropriate place for this. This means if we
> > didn't change anything in dh-golang, we'd need to binNMU the package
> > before we can decruft the sources that have newer versions, dak side.
> >
> > With an ftp hat on, I think that's not right. Having the entire build
> > closure in it would be useful, but B-U is also used by dak to keep
> > sources we still have binaries related to in the archive.
> >
> > We could add it as some sort of binary control header, but that's also
> > annoying. Less annoying, though.
>
> Do you agree that keeping this information would be useful?
>

Yes, absolutely, but I don't think B-U is the right place - we can use
another binary control field, as I said, though! Something like:
XB-DH-Golang-Version: 1.0-2ubuntu1+nmu1.2~RC2.

I'm also interested in writing tooling to make this process (querying for
cruft and sending out binNMUs) easier :)
> There's also the option of stuffing these bits into the debug
> packages.  Not as easily analyzed, but it's not so great to pollute
> the Packages file with such obscure information.
>


Mmmm. Yeah.


-- 
:wq
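The cruft query Paul mentions, written out as an added example (not code from this thread or from dh-golang): it parses Packages-style stanzas, compares each recorded build version against the current one with a re-implementation of dpkg's version ordering, and lists the binaries that would need a binNMU. Assumptions: the proposed field shows up as DH-Golang-Version in the Packages file once dpkg strips the XB- prefix, and the stanzas and version strings are constructed for the example.

```python
import re
# Constructed Packages-file stanzas. The field is assumed to appear as
# DH-Golang-Version once dpkg strips the XB- prefix; the versions are made up.
SAMPLE_PACKAGES = """\
Package: golang-example-a
DH-Golang-Version: 1.0-2ubuntu1+nmu1.2~RC2

Package: golang-example-b
DH-Golang-Version: 1.6.1-1

Package: not-built-with-dh-golang
"""

def _order(c):
    # dpkg's character weights: '~' sorts before end-of-string (0), then letters, then others
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_frag(a, b):
    # dpkg's algorithm: compare alternating non-digit and digit runs of the two strings
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob: return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0): return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 using dpkg's epoch:upstream-revision ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_frag(u1, u2) or _cmp_frag(r1, r2)

def parse_packages(text):
    """Stanzas as dicts; single-line fields only (a simplification of deb822)."""
    return [{k.strip(): v.strip() for k, _, v in (l.partition(":") for l in c.splitlines())}
            for c in re.split(r"\n\s*\n", text.strip())]

def needs_binnmu(packages_text, current, field="DH-Golang-Version"):
    """Binaries whose recorded build toolchain version is older than `current`."""
    return [(p["Package"], p[field]) for p in parse_packages(packages_text)
            if field in p and compare_versions(p[field], current) < 0]
```

Packages without the field are skipped, which is exactly the gap the thread is about: before such a field exists there is nothing to query, so stale statically linked Go binaries cannot be found from the archive metadata alone.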