On 24/01/24 2:07 pm, Simon Josefsson wrote:
Yes, for a low-level Go package (e.g., golang-golang-x-net-dev), this will mean rebuilding almost all of the Go packages in Debian and publishing them in a security advisory. This algorithm can be optimized (i.e., reduce the number of packages to publish in an advisory) by either of: 1) using information from Built-Using: (which was not designed for this purpose, so this is fragile) or *.buildinfo. 2) by dropping all 'Architecture: all' packages that do not embed the buggy code. The last optimization 2) would reduce the number of Go packages to publish significantly, as it would drop most golang-*-dev packages. I think this actually makes this process feasible in practice, as there are relatively few binary packages written in Go.
I was also wondering about this; the actual number of arch:any Go packages is much smaller if we skip arch:all *-dev packages, so this should be a smaller number of rebuilds than what is currently considered. We can make this even smaller by choosing a limited number of packages for security support, for example caddy, soh, etc., which would already be better than not providing any security update at all.
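As an added illustration of the selection discussed above (this is not code from either poster or from Debian's tooling): a small script that walks a Packages index, keeps only arch:any binaries whose Built-Using: field names the fixed source package, and drops the arch:all -dev packages. The Packages text is a constructed sample, and package names and versions in it are placeholders; as noted above, Built-Using: was not designed for this, so a real run should be cross-checked against the *.buildinfo files.

```python
import re

# Constructed sample of a Packages index (deb822 stanzas), not real Debian data.
SAMPLE_PACKAGES = """\
Package: golang-golang-x-net-dev
Architecture: all
Depends: golang-golang-x-sys-dev

Package: golang-github-example-dev
Architecture: all
Depends: golang-golang-x-net-dev

Package: caddy
Architecture: amd64
Depends: libc6
Built-Using: golang-golang-x-net (= 1:0.17.0-1), golang-golang-x-sys (= 0.14.0-1)

Package: other-daemon
Architecture: amd64
Built-Using: golang-golang-x-sys (= 0.14.0-1)
"""


def parse_stanzas(text: str):
    """Yield one dict per blank-line separated deb822 stanza (single-line fields only)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only: versions contain ':'
            fields[key.strip()] = value.strip()
        yield fields


def built_using_sources(stanza: dict) -> dict:
    """Map source package -> exact version from a Built-Using: field."""
    out = {}
    for item in stanza.get("Built-Using", "").split(","):
        m = re.fullmatch(r"(\S+)\s*\(=\s*([^)]+)\)", item.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def packages_to_rebuild(packages_text: str, fixed_source: str) -> list[str]:
    """Binary packages that embed compiled code from `fixed_source`.
    Architecture: all packages are skipped: they only ship Go source and
    carry no Built-Using:, so nothing compiled in them needs a rebuild."""
    return sorted(
        s["Package"] for s in parse_stanzas(packages_text)
        if s.get("Architecture") != "all" and fixed_source in built_using_sources(s)
    )
```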