[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Moritz Muehlenhoff jmm at inutil.org
Fri Jul 8 19:21:30 UTC 2016 

Florian Weimer wrote:
> > On Wednesday, 6 July 2016 9:59:32 PM AEST Moritz Mühlenhoff wrote:
> >> What's the current status? Is there technical progress compared to what was
> >> discussed in April? The freeze is coming really close and we can't support
> >> the status quo for stretch.
> >
> > Perhaps I'm not the best person to speak on the matter as I've never
> > touched any Golang tools except dh-golang. Situation with Golab
> > libraries is not ideal (to say the least) but I understand that
> > Golang is not the only language without concept of dynamic
> > linking. As I recall someone mentioned Haskell as another example.
> >
> > It is my understanding that when vulnerability is fixed in Golang
> > library it should be sufficient to NMU (re-build) all reverse
> > dependencies.
> 
> Part of the problem is that we currently lack a decent way to list all
> these reverse dependencies.

And there's also the much bigger problem that we can't actually rebuild
packages on security.debian.org without a lot of manual work!

The dak installation for security-master has a _lot_ of tech debt. One
that particularly bites us here is that tarballs between security-master
and ftp-master are separate. This e.g. requires that every package that
is new on security-master needs to be build with "-sa" to include source
and we can only issue binNMUs for packages which were at least once
upload to jessie-security/stretch-security etc.

And with that setup (and in addition to what Florian mentioned) I see
no sane way that we can support Go applications in stretch. It's
already difficult enough to support a distro of the size of Debian with
volunteers only.

As Haskell was mentioned; sure it has the same problem. But Go is a totally
different ballpark: Go aims at system-level services which have a notable
security surface (think of docker or kubernetes), while I can't remember
any security vulnerability in an application written in Haskell in the
archive in the 10+ years I'm in the Security Team.

Cheers,
        Moritz

More information about the pkg-golang-devel mailing list