[pkg-golang-devel] [pkg-go] Security support for packages written in Go

Michael Hudson-Doyle michael.hudson at canonical.com
Mon Jul 11 11:02:59 UTC 2016


On 11 July 2016 at 19:22, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Michael Hudson-Doyle:
>
>> On 10 July 2016 at 07:39, Florian Weimer <fw at deneb.enyo.de> wrote:
>>> * Dmitry Smirnov:
>>>
>>>> On Friday, 8 July 2016 8:53:20 AM AEST Florian Weimer wrote:
>>>>> Part of the problem is that we currently lack a decent way to list all
>>>>> these reverse dependencies.
>>>>
>>>> We can get list of all source packages to re-build from reverse build
>>>> dependencies. Then it should be possible to filter arch:any
>>>> packages to binNMU.
>>>>
>>>> Alternatively Built-Using field could be of help.
>>>
>>> We already discussed why this doesn't work with the present state of
>>> the metadata.
>>
>> Do you mean the "B-U is only direct dependencies" problem? That's
>> fixed now.
>
> Hmm.  I poked at a few packages, and here is what I found:
> golang-siphash-dev does not have any Built-Using header.
> golang-gopkg-tylerb-graceful.v1-dev does not list golang-x-text,
> although its dependency golang-golang-x-net-dev was built using it.
> (I'm looking at unstable.)

As Dmitry says, -dev packages should not have Built-Using headers at
all, https://www.debian.org/doc/debian-policy/ch-relationships.html#s-built-using:

"Some binary packages incorporate parts of other packages when built
but do not have to depend on those packages. Examples include linking
with static libraries or incorporating source code from another
package during the build. In this case, the source packages of those
other packages are a required part of the complete source (the binary
package is not reproducible without them).

A Built-Using field must list the corresponding source package for any
such binary package incorporated during the build..."

Lots of -dev packages _do_ have Built-Using though; we should try to
kill them off...

> Would this be fixable through a mass rebuild?

If there are binary packages with out of date Built-Using, yes,
rebuilding will fix it.

>> Was there something else?
>
> The dependency-generating script does not end up in Built-Using.
> I think we discussed including its version at some point.

As above, not really the right place for it?

Cheers,
mwh
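The checks the thread circles around (find binaries whose Built-Using names a source version that is no longer current, split them into arch:any binNMU candidates and arch:all ones, and list -dev packages that carry a Built-Using field contrary to the quoted policy text) can be scripted against a Packages index. The following is an added example, not code from this thread or from any Debian tool; the package names, versions and the "current sources" table are constructed, and versions are compared for plain inequality rather than with Debian version ordering (a real tool would call `apt_pkg.version_compare` or `dpkg --compare-versions`).

```python
import re

# Constructed sample Packages stanzas (not real archive data): a daemon built
# against two Go libraries that have since moved on, a CLI that is current,
# an arch:all binary with a stale entry, a -dev package without Built-Using
# (as policy expects) and a -dev package that wrongly carries one.
SAMPLE_PACKAGES = """\
Package: example-go-daemon
Version: 1.2.0-1
Architecture: amd64
Built-Using: golang-golang-x-net (= 0.0~git20160101-1), golang-x-text (= 0.0~git20160201-1)

Package: example-go-cli
Version: 0.9-2
Architecture: amd64
Built-Using: golang-golang-x-net (= 0.0~git20160301-1)

Package: example-go-docs
Version: 0.9-2
Architecture: all
Built-Using: golang-x-text (= 0.0~git20160201-1)

Package: golang-example-dev
Version: 0.9-2
Architecture: all

Package: golang-stale-dev
Version: 0.1-1
Architecture: all
Built-Using: golang-x-text (= 0.0~git20160315-1)
"""

# Constructed stand-in for the Sources index: source package -> current version.
CURRENT_SOURCES = {
    "golang-golang-x-net": "0.0~git20160301-1",
    "golang-x-text": "0.0~git20160315-1",
}

# Built-Using entries have the form "source (= version)", comma separated.
BUILT_USING_RE = re.compile(r"(\S+)\s*\(=\s*([^)]+)\)")


def parse_stanzas(text):
    """Split deb822-style text into dicts, honouring continuation lines."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_built_using(field):
    """Map each source package named in a Built-Using field to its version."""
    return dict(BUILT_USING_RE.findall(field or ""))


def stale_builds(packages_text, current_sources):
    """Return (binary, source, embedded_version, current_version, arch) for
    every Built-Using entry whose embedded source version is not current."""
    findings = []
    for st in parse_stanzas(packages_text):
        for src, ver in parse_built_using(st.get("Built-Using")).items():
            cur = current_sources.get(src)
            # String inequality only; use apt_pkg.version_compare for real data.
            if cur is not None and cur != ver:
                findings.append((st["Package"], src, ver, cur, st.get("Architecture", "")))
    return findings


def rebuild_plan(findings):
    """Split stale binaries into binNMU candidates (arch:any) and arch:all ones,
    which cannot be binNMUed and need a source upload instead."""
    binnmu = sorted({f[0] for f in findings if f[4] != "all"})
    source_upload = sorted({f[0] for f in findings if f[4] == "all"})
    return binnmu, source_upload


def dev_packages_with_built_using(packages_text):
    """List -dev packages carrying a Built-Using field, which the quoted policy
    text says they should not have."""
    return sorted(st["Package"] for st in parse_stanzas(packages_text)
                  if st["Package"].endswith("-dev") and "Built-Using" in st)


if __name__ == "__main__":
    found = stale_builds(SAMPLE_PACKAGES, CURRENT_SOURCES)
    for binary, src, ver, cur, arch in found:
        print(f"{binary} ({arch}) embeds {src} {ver}, current is {cur}")
    print("binNMU candidates / need source upload:", rebuild_plan(found))
    print("-dev packages with Built-Using:", dev_packages_with_built_using(SAMPLE_PACKAGES))
```

Run it against a real `Packages` file and a version map built from `Sources` to get the reverse-dependency list the thread says is currently hard to produce; the -dev listing is the set Michael proposes to "kill off".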