security updates of Golang packages

To: debian-release@lists.debian.org
Subject: security updates of Golang packages
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 24 Apr 2022 11:46:29 +0000 (UTC)
Message-id: <[🔎] alpine.DEB.2.21.2204241139570.31894@postfach.intern.alteholz.me>

Hi everybody,

I would like to improve the situation of security support for Golangpackages (as already criticised long time ago[1]).

Uploads to Unstable should be no problem, but how would you like to handlestable/oldstable updates for CVEs that are marked as no-dsa from thesecurity team?

For example the fix of CVE-2021-42836 in golang-github-tidwall-gjson forBullseye requires eight uploads of reverse dependencies. Do you want tohandle each of them with different PU-bugs?


  Thorsten

[1] https://lists.debian.org/debian-release/2018/06/msg00725.html

Reply to:

Follow-Ups:
- Re: security updates of Golang packages
  - From: Paul Gevers <elbrus@debian.org>

Prev by Date: Bug#1009726: [Pkg-samba-maint] broken build of samba_4.13.13+dfsg-1~deb11u3 on i386
Next by Date: Re: security updates of Golang packages
Previous by thread: Bug#1010060: buster-pu: package mutt/1.10.1-2.1+deb10u6
Next by thread: Re: security updates of Golang packages
Index(es):
- Date
- Thread