On Mon, 2024-01-15 at 10:17 +0100, Bastian Blank wrote:

> I asked for practical solutions, not theoretical ones. We don't have a
> suitable way to rebuild all packages just because right now.

There are some ideas on the static linking wiki page:

https://wiki.debian.org/StaticLinking

Probably the most practical solution for today would be to use a build info database to find out which builds had installed binary packages containing insecure statically linkable files of any kind, then rebuild the source packages that were affected. There is a 2019 demo here:

https://salsa.debian.org/bremner/builtin-pho/-/blob/master/demos/needs-rebuild.sh
https://www.cs.unb.ca/~bremner//blog/posts/builtin-pho/

This may mean rebuilding more packages than were really needed, but a more exact method would require full tracing of input data to output data during builds being added to all toolchains, which seems like a much longer term project than buildinfo based rebuilds.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
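A minimal sketch of the buildinfo-based selection described in the message above, added here as an illustration; it is not code from the message or from the linked builtin-pho demo. The package names, versions and the `AFFECTED` set are constructed, and it assumes unsigned `.buildinfo` text and that the affected binary package versions have already been enumerated.

```python
import re

# "pkg (= version)" or "pkg:arch (= version)", as listed in Installed-Build-Depends.
DEP_RE = re.compile(r"([a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?\s*\(=\s*([^)\s]+)\)")

def parse_buildinfo(text):
    """Parse one unsigned .buildinfo paragraph into {field: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()  # continuation line
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def installed_build_depends(fields):
    """Exact (package, version) pairs that were installed during the build."""
    entries = fields.get("Installed-Build-Depends", "").split(",")
    matches = (DEP_RE.match(e.strip()) for e in entries)
    return {(m.group(1), m.group(2)) for m in matches if m}

def needs_rebuild(buildinfos, affected):
    """Map (source, version) -> affected binaries present in its build."""
    hits = {}
    for text in buildinfos:
        fields = parse_buildinfo(text)
        used = installed_build_depends(fields) & affected
        if used:
            source = fields["Source"].split()[0]  # binNMUs: "src (version)"
            hits[(source, fields["Version"])] = sorted(used)
    return hits

# Constructed sample data: trimmed .buildinfo files and one affected version.
SAMPLES = [
    "Source: foo\nVersion: 1.2-3\nInstalled-Build-Depends:\n"
    " debhelper (= 13.11.4),\n libexample-dev (= 2.0-1)\nEnvironment:\n LANG=\"C\"\n",
    "Source: bar\nVersion: 3.0-1\nInstalled-Build-Depends:\n"
    " debhelper (= 13.11.4),\n libexample-dev (= 2.0-2)\n",
    "Source: baz (0.9-1)\nVersion: 0.9-1+b1\nInstalled-Build-Depends:\n"
    " libexample-dev:amd64 (= 2.0-1),\n zlib1g-dev (= 1:1.2.13.dfsg-1)\n",
]
AFFECTED = {("libexample-dev", "2.0-1")}  # hypothetical vulnerable static library

if __name__ == "__main__":
    for (src, ver), used in sorted(needs_rebuild(SAMPLES, AFFECTED).items()):
        print(f"rebuild {src} {ver}: built with {used}")
```

As the message notes, this selects every build that had the package installed, whether or not the static library ended up in the output.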