[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Tianon Gravi admwiggin at gmail.com
Wed Apr 13 05:07:31 UTC 2016


On 12 April 2016 at 21:39, Michael Hudson-Doyle
<michael.hudson at canonical.com> wrote:
> We could do it without 1) and the consequent re-uploading of every go
> library by using dpkg-query --search a lot, which would be slow I
> guess, but maybe could be done as a fallback?

I still think asking dpkg about file/directory package ownership should be
our primary means of generating this field -- the metadata that dpkg
itself tracks about "which package provided
/usr/share/gocode/src/abc/xyz which I just compiled against" will
always be correct (due to the fact that it really is the single proper
source of truth for such information), where some arbitrary metadata
we add not only clutters up the package metadata as has been
discussed, but much more importantly will have a tendency to "drift"
from the truth, which is something that IMO we shouldn't tolerate for
a field whose primary purpose is knowing when it's necessary to
rebuild, especially for security fixes.  Even for really large
packages like Docker (to choose an example that I know off the top of
my head is reasonably hefty WRT deps) we're only talking about maybe
~200 of these queries at the outside end, and only at build-time, and
only once per build, which IMO is in the realm of reasonable to avoid
yet again uploading a minor fix to every package (moving the metadata
over to the binary packages when we still haven't added the existing
source package metadata to all of them yet) with information that will
have a potential for drifting from the truth or for being too limited
(single package providing multiple namespaces after a repo move, for
example).

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
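The approach argued for above, querying dpkg for the owner of each compiled-against directory under /usr/share/gocode/src and turning the answers into a Built-Using style list, as an added example that is not part of this mail or of Debian's own Go packaging helpers. It assumes the real `dpkg-query --search PATH` and `dpkg-query -W -f '${source:Package} (= ${source:Version})' PKG` invocations; the sample search output, package names and versions in `SAMPLE_DPKG_SEARCH` and `SAMPLE_VERSIONS` are constructed so the demo runs on a machine without dpkg, and the function names are the example's own. It also walks up from a sub-package import to its repository directory (a -dev package ships the whole repository) and reports imports that no installed package owns, which is the case a build-time check should flag rather than silently drop.

```python
"""Derive a Built-Using style list for a Go build by asking dpkg which package
owns each import path under /usr/share/gocode/src (example, not Debian tooling)."""
import os
import subprocess
from typing import Callable, Iterable, List, Set, Tuple

GOCODE_SRC = "/usr/share/gocode/src"


def dpkg_search(path: str) -> str:
    """Run `dpkg-query --search PATH`; return stdout, or '' when no package owns PATH
    (dpkg-query exits non-zero and prints 'no path found matching pattern')."""
    proc = subprocess.run(["dpkg-query", "--search", path],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def dpkg_source_version(binary_pkg: str) -> str:
    """Return 'srcpkg (= version)' for an installed binary package via dpkg-query -W."""
    fmt = "${source:Package} (= ${source:Version})"
    return subprocess.run(["dpkg-query", "-W", "-f", fmt, binary_pkg],
                          capture_output=True, text=True, check=True).stdout.strip()


def parse_search_output(output: str) -> Set[str]:
    """Parse `dpkg-query --search` output, one 'pkg1, pkg2: /path' record per line,
    into the set of owning package names (multi-arch names like 'foo:amd64' kept)."""
    owners: Set[str] = set()
    for line in output.splitlines():
        if line.startswith("diversion by"):   # diversion notices are not ownership records
            continue
        pkgs, sep, _path = line.partition(": ")
        if not sep:
            continue
        for pkg in pkgs.split(","):
            owners.add(pkg.strip())
    return owners


def owners_of_import(import_path: str,
                     search: Callable[[str], str] = dpkg_search) -> Set[str]:
    """Walk from GOCODE_SRC/import_path up towards GOCODE_SRC until some package
    owns the path, so github.com/foo/bar/sub resolves via github.com/foo/bar."""
    path = os.path.join(GOCODE_SRC, import_path)
    while path.startswith(GOCODE_SRC + "/"):
        owners = parse_search_output(search(path))
        if owners:
            return owners
        path = os.path.dirname(path)
    return set()


def built_using(import_paths: Iterable[str],
                search: Callable[[str], str] = dpkg_search,
                version_of: Callable[[str], str] = dpkg_source_version
                ) -> Tuple[List[str], List[str]]:
    """Return (sorted, de-duplicated Built-Using entries, imports nobody owns).
    De-duplication matters: one -dev package usually owns many imported sub-packages."""
    entries: Set[str] = set()
    unowned: List[str] = []
    for imp in import_paths:
        owners = owners_of_import(imp, search)
        if not owners:
            unowned.append(imp)      # vendored copy or missing build-dependency
            continue
        for pkg in owners:
            entries.add(version_of(pkg))
    return sorted(entries), unowned


# Constructed stand-ins for dpkg output; package names and versions are made up.
SAMPLE_DPKG_SEARCH = {
    f"{GOCODE_SRC}/github.com/docker/go-units":
        f"golang-github-docker-go-units-dev: {GOCODE_SRC}/github.com/docker/go-units\n",
    f"{GOCODE_SRC}/golang.org/x/net/context":
        f"golang-golang-x-net-dev: {GOCODE_SRC}/golang.org/x/net/context\n",
}
SAMPLE_VERSIONS = {
    "golang-github-docker-go-units-dev": "golang-github-docker-go-units (= 0.0~constructed-1)",
    "golang-golang-x-net-dev": "golang-golang-x-net (= 0.0~constructed-2)",
}


def demo() -> Tuple[List[str], List[str]]:
    """Run built_using against the constructed dpkg data instead of the real dpkg."""
    imports = ["github.com/docker/go-units/subpkg",   # resolved through its parent directory
               "golang.org/x/net/context",
               "github.com/example/vendored"]          # owned by no package
    return built_using(imports,
                       search=lambda p: SAMPLE_DPKG_SEARCH.get(p, ""),
                       version_of=SAMPLE_VERSIONS.__getitem__)


if __name__ == "__main__":
    entries, unowned = demo()
    print("Built-Using: " + ", ".join(entries))
    print("imports owned by no installed package: " + ", ".join(unowned))
```

Outside the demo, `built_using(paths)` with the defaults issues one `dpkg-query --search` per import path (plus one `-W` per distinct owner), which is the per-build cost the mail estimates; an import that ends up in the `unowned` list is worth failing the build on, since a rebuild trigger for a security fix can never be derived for it.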
