[pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

Dr. Tobias Quathamer toddy at debian.org
Fri Feb 8 16:12:16 GMT 2019


On 08.02.2019 at 16:20, Chris Lamb wrote:
> Hi all,
> 
>>> There is no sensible way to schedule binnmu's via security. So far none
>>> appeared AFAIK.
> […]
>> thanks for the quick feedback still!
> 
> Indeed thanks for the feedback. Looking into this quickly from a
> jessie chroot:
> 
>     $ build-rdeps golang
> 
>     Reverse Build-depends in main:
>     ------------------------------
> 
>     heartbleeder
>     golang-gocapability-dev
>     aptly
>     
> Assuming that is right (it seems a curiously small number to me...)
> I then believe we may only need sourceful uploads of:
> 
>  * aptly
>  * heartbleeder
>  
> ... as golang-gocapability-dev does not import "crypto/elliptic".
> However, it could be using it transitively so it might be worth
> uploading just in case.
> 
> Sound sensible?

Hi all,

I think the small number is due to the "golang" keyword. If you search
for golang-go, the actual go compiler at that time, you'll get more
packages. Please note that I was not able to get build-rdeps to run in a
jessie chroot, so you might want to execute "build-rdeps golang-go" in
your chroot to compare the lists.

However, this list has been generated with the following command:

$ grep-dctrl -FBuild-Depends golang-go -w -sPackage /var/lib/apt/lists/*Sources

codesearch
direnv
go-md2man
gocode
golang-barcode
golang-bindata
golang-blackfriday
golang-context
golang-coreos-log
golang-dbus
golang-dns
golang-doozer
golang-ed25519-dev
golang-etcd
golang-go-dbus
golang-go-flags
golang-go-patricia
golang-go-systemd
golang-go.crypto
golang-go.tools
golang-gocheck
golang-godebiancontrol-dev
golang-gogoprotobuf
golang-goprotobuf
golang-goptlib
golang-goyaml
golang-libgeoip
golang-log4go
golang-metrics
golang-mreiferson-httpclient
golang-mux
golang-nzaat
golang-objx
golang-openldap
golang-pb
golang-pretty
golang-pty
golang-raft
golang-rrd
golang-siphash-dev
golang-termbox
golang-testify
golang-text
golang-thrift
golang-uuid
golang-vhost
golang-websocket
gopacket
kxd
libguestfs
ngrok
obfs4proxy
pt-websocket
slt

Please note that there are probably a lot of false positives in this
list, because not every package uses crypto/elliptic.

Regards,
Tobias
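As an added example (not part of the thread, and not a Debian tool), the following script reproduces the two-step triage discussed above without grep-dctrl: stage 1 lists the source packages whose Build-Depends names a given binary package as a complete dependency name, the way `grep-dctrl -FBuild-Depends golang-go -w` does, and stage 2 removes the false positives Tobias mentions by grepping each candidate's unpacked source tree for a direct import of "crypto/elliptic". The Sources stanzas, package names and Go files it operates on are constructed fixtures, so it runs offline; the stage-2 check only finds direct imports, which is exactly the gap Chris points out for golang-gocapability-dev (a transitive use through a dependency needs `go list -deps` on a real checkout).

```shell
#!/bin/sh
# Added example: reverse-build-depends triage without grep-dctrl.
# Fixtures below are constructed, not Debian data.
set -eu

# rdeps_from_sources PKG SOURCES_FILE
# Prints the Package: of each deb822 stanza whose Build-Depends field lists
# PKG as a complete dependency name (so "golang-go" does not match
# "golang-go.crypto-dev"). Version constraints, architecture lists and build
# profiles are stripped before matching; folded continuation lines are joined.
rdeps_from_sources() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n" }                  # one stanza per record
        {
            pkg = ""; bd = ""; cont = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /)            { pkg = substr($i, 10); cont = 0 }
                else if ($i ~ /^Build-Depends: /) { bd = substr($i, 16); cont = 1 }
                else if (cont && $i ~ /^[ \t]/)   { bd = bd $i }   # folded line
                else                              { cont = 0 }
            }
            gsub(/\([^)]*\)/, "", bd); gsub(/\[[^]]*\]/, "", bd); gsub(/<[^>]*>/, "", bd)
            n = split(bd, deps, /[,|]/)
            for (j = 1; j <= n; j++) {
                d = deps[j]; gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (d == want) { print pkg; break }
            }
        }' "$2" | sort -u
}

# imports_crypto_elliptic DIR
# Exit 0 and print the files if any .go file under DIR imports
# "crypto/elliptic" directly; exit 1 otherwise. Direct imports only.
imports_crypto_elliptic() {
    find "$1" -name '*.go' -type f -exec grep -l '"crypto/elliptic"' {} + | grep .
}

# triage PKG SOURCES_FILE SRCROOT
# For each stage-1 hit, report whether SRCROOT/<pkg> really uses the API.
triage() {
    rdeps_from_sources "$1" "$2" | while IFS= read -r p; do
        if imports_crypto_elliptic "$3/$p" >/dev/null; then echo "$p yes"; else echo "$p no"; fi
    done
}

# make_fixtures DIR: constructed Sources stanzas and two unpacked source trees.
make_fixtures() {
    mkdir -p "$1/src/uses-elliptic" "$1/src/no-elliptic"
    cat > "$1/Sources" <<'EOF'
Package: uses-elliptic
Build-Depends: debhelper (>= 9),
 golang-go (>= 2:1.1) | golang-any,
 golang-golang-x-crypto-dev
Architecture: any

Package: no-elliptic
Build-Depends: debhelper, golang-go
Architecture: any

Package: not-a-rdep
Build-Depends: debhelper, golang-go.crypto-dev
Architecture: any

Package: uses-python
Build-Depends: debhelper, python3
EOF
    cat > "$1/src/uses-elliptic/main.go" <<'EOF'
package main

import (
    "crypto/elliptic"
    "fmt"
)

func main() { fmt.Println(elliptic.P256().Params().Name) }
EOF
    cat > "$1/src/no-elliptic/main.go" <<'EOF'
package main

import "fmt"

func main() { fmt.Println("no elliptic here") }
EOF
}

FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
make_fixtures "$FIX"
triage golang-go "$FIX/Sources" "$FIX/src"   # prints: no-elliptic no / uses-elliptic yes
```

On a real system the Sources file argument would be `/var/lib/apt/lists/*Sources` and SRCROOT a directory of `apt-get source` checkouts; the stage-1 list is the one to compare against the `build-rdeps golang-go` output, and only the stage-2 "yes" entries (plus anything pulling the package in transitively) need a sourceful upload.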
