[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Martín Ferrari tincho at tincho.org
Sat Jul 9 13:52:16 UTC 2016


Moritz,

On 08/07/16 20:21, Moritz Muehlenhoff wrote:

> And there's also the much bigger problem that we can't actually rebuild
> packages on security.debian.org without a lot of manual work!
> 
> The dak installation for security-master has a _lot_ of tech debt. One
> that particularly bites us here is that tarballs between security-master
> and ftp-master are separate. This e.g. requires that every package that
> is new on security-master needs to be built with "-sa" to include source
> and we can only issue binNMUs for packages which were at least once
> uploaded to jessie-security/stretch-security etc.

I understand the pain here. But again, I don't think we can do anything
to fix that. And in this case, seems to me that the effort should be
aimed at fixing that technical debt.

> And with that setup (and in addition to what Florian mentioned) I see
> no sane way that we can support Go applications in stretch. It's
> already difficult enough to support a distro of the size of Debian with
> volunteers only.

So what would be the way forward for this? Declaring golang apps to be
not supported for security updates? I am ready to live with that,
although I know I will do any work needed to prepare security fixes for
the few apps I maintain.

-- 
Martín Ferrari (Tincho)


