[pkg-go] Security support for packages written in Go

Dmitry Smirnov onlyjob at debian.org
Fri Jul 8 03:35:09 UTC 2016


On Wednesday, 6 July 2016 9:59:32 PM AEST Moritz Mühlenhoff wrote:
> What's the current status? Is there technical progress compared to what was
> discussed in April? The freeze is coming really close and we can't support
> the status quo for stretch.

Perhaps I'm not the best person to speak on the matter as I've never touched 
any Golang tools except dh-golang. Situation with Golab libraries is not 
ideal (to say the least) but I understand that Golang is not the only 
language without concept of dynamic linking. As I recall someone mentioned 
Haskell as another example.

It is my understanding that when vulnerability is fixed in Golang library it 
should be sufficient to NMU (re-build) all reverse dependencies.

I believe that Golang stuff that we've packaged should become part of next 
release even without security support. Debian simply won't be competitive 
without container tools so excluding Golang is not an option.
IMHO shipping container-related software should be our strategic priority for 
next release.

-- 
Cheers,
 Dmitry Smirnov.

---

In individuals, insanity is rare; but in groups, parties, nations and
epochs, it is the rule.
        -- Friedrich Nietzsche
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-go-maintainers/attachments/20160708/0cf4394c/attachment-0001.sig>


More information about the Pkg-go-maintainers mailing list