Re: security updates of Golang packages

To: debian-release@lists.debian.org
Subject: Re: security updates of Golang packages
From: Thorsten Alteholz <debian@alteholz.de>
Date: Mon, 25 Apr 2022 21:47:50 +0000 (UTC)
Message-id: <[🔎] alpine.DEB.2.21.2204252133340.9076@postfach.intern.alteholz.me>
In-reply-to: <[🔎] f23781ba-046f-93de-137d-f66225bd0f13@debian.org>
References: <[🔎] alpine.DEB.2.21.2204241139570.31894@postfach.intern.alteholz.me> <[🔎] f23781ba-046f-93de-137d-f66225bd0f13@debian.org>

Hi Paul,

On Sun, 24 Apr 2022, Paul Gevers wrote:

If I understand correctly, if this is only about rebuilds, just request anbinNMU with the usual process (reportbug recommended).


from my point of view binNMUs are not the right way here.

Due to possibly long dependency chains of golang packages, the order ofuploads would be important. Trying to keep this order with binNMU bugsseems to be rather error-prone. Especially as the buildds on differentarchitectures work at different rates.What I had in mind was to change the dependencies of all affectedpackages to versioned dependencies with (>= the new version). So theuploads are not only rebuilds but really new verions of a package.

Your link [1] pointsat the issues we have with security support *via the security archive*.

Yes, but those updates would have the same problem, right? And both havein common that currently there is no tooling available ...


 Thorsten

Reply to:

Follow-Ups:
- Re: security updates of Golang packages
  - From: Paul Gevers <elbrus@debian.org>

References:
- security updates of Golang packages
  - From: Thorsten Alteholz <debian@alteholz.de>
- Re: security updates of Golang packages
  - From: Paul Gevers <elbrus@debian.org>

Prev by Date: Processed: fails autopkgtest against Octave 7
Next by Date: Bug#1010193: buster-pu: package distro-info-data/0.41+deb10u5
Previous by thread: Re: security updates of Golang packages
Next by thread: Re: security updates of Golang packages
Index(es):
- Date
- Thread