[pkg-go] [pkg-golang-devel] Security support for packages written in Go

Michael Hudson-Doyle michael.hudson at canonical.com
Thu Apr 14 01:08:33 UTC 2016


On 13 April 2016 at 21:05, Michael Hudson-Doyle
<michael.hudson at canonical.com> wrote:
> On 13 April 2016 at 17:07, Tianon Gravi <admwiggin at gmail.com> wrote:
>> On 12 April 2016 at 21:39, Michael Hudson-Doyle
>> <michael.hudson at canonical.com> wrote:
>>> We could do it without 1) and the consequent re-uploading of every go
>>> library by using dpkg-query --search a lot, which would be slow I
>>> guess, but maybe could be done as a fallback?
>>
>> I still think asking dpkg about file/directory package ownership should be
>> our primary means of generating this field -- the metadata that dpkg
>> itself tracks about "which package provided
>> /usr/share/gocode/src/abc/xyz which I just compiled against" will
>> always be correct (due to the fact that it really is the single proper
>> source of truth for such information), where some arbitrary metadata
>> we add not only clutters up the package metadata as has been
>> discussed, but much more importantly will have a tendency to "drift"
>> from the truth, which is something that IMO we shouldn't tolerate for
>> a field whose primary purpose is knowing when it's necessary to
>> rebuild, especially for security fixes.  Even for really large
>> packages like Docker (to choose an example that I know off the top of
>> my head is reasonably hefty WRT deps) we're only talking about maybe
>> ~200 of these queries at the outside end, and only at build-time, and
>> only once per build, which IMO is in the realm of reasonable to avoid
>> yet again uploading a minor fix to every package (moving the metadata
>> over to the binary packages when we still haven't added the existing
>> source package metadata to all of them yet) with information that will
>> have a potential for drifting from the truth or for being too limited
>> (single package providing multiple namespaces after a repo move, for
>> example).
>
> Yes, all that seems fair. Something like this?
> http://paste.ubuntu.com/15806327/ -- it's pretty terrible perl, but
> it's actually arguably simpler than what dh_golang does already!

FWIW, I sent a better version of this patch:
http://lists.alioth.debian.org/pipermail/pkg-go-maintainers/Week-of-Mon-20160411/004304.html

Cheers,
mwh

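The mechanism Tianon argues for above, generating the rebuild-tracking field from what dpkg itself knows rather than from hand-maintained metadata, as an added example in shell. This is not the Perl patch linked in the thread and not dh_golang code. It assumes (my assumptions, not the thread's) that packaged Go libraries live under /usr/share/gocode/src, that the import list comes from `go list -deps` on the package being built, that each owning binary package is mapped back to its source package and version with `dpkg-query -W` so the result has the "source (= version)" shape Built-Using wants, and that the dpkg-query command can be swapped for a stand-in so the logic runs on a machine without dpkg.

```sh
#!/bin/sh
# Added example, not from the thread: derive a Built-Using value for a Go
# binary by asking dpkg which package owns each library directory the build
# compiled against, so the field cannot drift from what was really linked.
#
# Assumptions (mine): libraries under $GOCODE_SRC, import paths on stdin
# (as produced by `go list -deps ./...`), dpkg-query overridable via
# $DPKG_QUERY for offline use.
set -e

GOCODE_SRC=${GOCODE_SRC:-/usr/share/gocode/src}
DPKG_QUERY=${DPKG_QUERY:-dpkg-query}

# Standard-library imports ("fmt", "net/http") never come from a -dev
# package: their first path element has no dot, unlike "github.com/...".
is_stdlib() {
    case "${1%%/*}" in
        *.*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Which binary package(s) own a directory.  dpkg-query -S prints
# "pkg: /path", or "pkg1, pkg2: /path" when several packages share it;
# the single source of truth mentioned in the thread.  (Diversion lines
# are not handled; Go library directories are not normally diverted.)
owner_of() {
    "$DPKG_QUERY" -S "$1" | sed 's/: .*//' | tr ',' '\n' | sed 's/^ *//'
}

# Binary package -> "source (= source-version)", the Built-Using shape.
source_of() {
    "$DPKG_QUERY" -W -f '${source:Package} (= ${source:Version})\n' "$1"
}

# Read import paths on stdin; print the Built-Using value on stdout.
# Imports whose directory does not exist under $GOCODE_SRC are the
# package's own or vendored code and are skipped.  Two import paths owned
# by the same package (e.g. after a repository move) collapse to one entry.
built_using() {
    while IFS= read -r imp; do
        [ -n "$imp" ] || continue
        is_stdlib "$imp" && continue
        dir=$GOCODE_SRC/$imp
        [ -d "$dir" ] || continue
        owner_of "$dir"
    done | sort -u | while IFS= read -r pkg; do
        source_of "$pkg"
    done | sort -u | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { if (NR) print "" }'
}

# On a build machine with dpkg, from the package's source tree:
#   go list -deps ./... | built_using
```

Each dpkg-query invocation is one process per packaged import, which is the order of a couple of hundred calls for a dependency-heavy build like Docker, and only at build time; a cache keyed on directory would cut that further, but the point of the approach is that nothing is recorded except what dpkg reports at the moment of the build.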