Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
Control: tags -1 + moreinfo

On Tue, 2015-09-15 at 13:36 -0700, Tianon Gravi wrote:
> On 15 September 2015 at 12:15, Julien Cristau wrote:
> > Does this involve rebuilding reverse dependencies?
>
> Unfortunately, yes. We could skip arch:all since those are going to
> be -dev packages that contain source, but any actual binaries would
> need to be rebuilt.

Do you have an estimate of how many packages that would be? I looked at
the output of "dak rm -Rn -s stable golang" and made various sad faces.

(Also, do -dev packages that are architecture-dependent also need
rebuilding? I wasn't clear from your description, but for instance:

golang-websocket-dev | 0.0~git20140119-1           | stable   | amd64, armel, armhf, i386
golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing  | all
golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | unstable | all
)

> To Salvatore's comment, I'd be happy to update to include the fix for
> that too if RT is OK with it. :) (Meanwhile will work on getting a
> fix for it into unstable.)

It doesn't look like that happened yet? (Or the Security Tracker hasn't
been updated.)

Regards,

Adam
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
Hi Tianon,

On Thu, Nov 05, 2015 at 06:41:54AM -0800, Tianon Gravi wrote:
> I think this is a case of the security tracker not being updated:
>
> | golang (2:1.4.3-1) unstable; urgency=medium
> |
> |   * New upstream version (https://golang.org/doc/devel/release.html#go1.4.minor)
> |     - includes previous CVE and non-CVE security fixes, especially
> |       TEMP-000-1C4729
> |
> |  -- Tianon Gravi  Fri, 25 Sep 2015 00:02:31 -0700
>
> (Upstream made a 1.4.3 release that is 1.4.2 + CVE and security fixes.)

Thanks for the notice. I have updated the security-tracker side for this.
Btw, please do not use these TEMP identifiers, they are not meant to be
stable at any rate. E.g. if we file a bug in the BTS they will already
change.

Regards,
Salvatore
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
On 5 November 2015 at 08:08, Salvatore Bonaccorso wrote:
> Thanks for the notice. I have updated the security-tracker side for
> this. Btw, please do not use these TEMP identifiers, they are not
> meant to be stable at any rate. E.g. if we file a bug in the BTS they
> will already change.

Doh, sorry! I was trying to make sure I referenced it identifiably since
it didn't have any other real identifier. Now I know. >.<

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
On 5 November 2015 at 06:23, Adam D. Barratt wrote:
> Do you have an estimate of how many packages that would be? I looked at
> the output of "dak rm -Rn -s stable golang" and made various sad faces.

That sad face is 100% warranted. :(

I don't know the number off-hand, but I imagine it's pretty large by now.

> (Also, do -dev packages that are architecture-dependent also need
> rebuilding? I wasn't clear from your description, but for instance:
>
> golang-websocket-dev | 0.0~git20140119-1           | stable   | amd64, armel, armhf, i386
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing  | all
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | unstable | all
> )

Right -- I meant -dev packages which are arch:all, since they're going
to just be full of .go files. Any that aren't _probably_ contain a
binary, and thus would need a rebuild (or a maintainer made a mistake
and it's really supposed to be an arch:all package, but I don't think
we've got many of those left).

>> To Salvatore's comment, I'd be happy to update to include the fix for
>> that too if RT is OK with it. :) (Meanwhile will work on getting a
>> fix for it into unstable.)
>
> It doesn't look like that happened yet? (Or the Security Tracker hasn't
> been updated.)

I think this is a case of the security tracker not being updated:

| golang (2:1.4.3-1) unstable; urgency=medium
|
|   * New upstream version (https://golang.org/doc/devel/release.html#go1.4.minor)
|     - includes previous CVE and non-CVE security fixes, especially
|       TEMP-000-1C4729
|
|  -- Tianon Gravi  Fri, 25 Sep 2015 00:02:31 -0700

(Upstream made a 1.4.3 release that is 1.4.2 + CVE and security fixes.)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
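The rebuild rule Tianon spells out above (reverse dependencies that are arch:all carry only .go source and can be skipped; architecture-dependent ones contain a statically linked binary and must be rebuilt against the fixed toolchain, unless they were mis-declared and should have been arch:all) can be mechanised. The script below is an added illustration, not part of this bug thread and not Debian's own tooling (it does not call dak or apt); it parses a constructed Packages-style sample with hypothetical package names and uses the Built-Using field, which Debian policy uses to record the toolchain source a binary was linked against, to tell real Go binaries from arch-specific packages that merely depend on golang-go:

```python
"""Classify reverse dependencies of the golang source package for a
rebuild campaign. Added example; package names other than
golang-websocket-dev are hypothetical, and SAMPLE_PACKAGES is a
constructed Packages-file excerpt, not real archive data."""
import re

# Constructed sample in Packages-file (RFC 822 style stanza) format.
SAMPLE_PACKAGES = """\
Package: golang-websocket-dev
Architecture: all
Depends: golang-go
Description: Go websocket library, source only (arch:all, skip)

Package: example-goserver
Architecture: amd64
Depends: libc6 (>= 2.2.5)
Built-Using: golang (= 2:1.3.3-1)
Description: hypothetical Go daemon, statically linked (rebuild)

Package: golang-example-dev
Architecture: amd64
Depends: golang-go, libc6 (>= 2.2.5)
Description: hypothetical -dev package that is arch-specific without Built-Using

Package: vim
Architecture: amd64
Depends: libc6 (>= 2.15)
Description: unrelated package, no golang relation (ignored)
"""

TOOLCHAIN_SOURCE = "golang"
# Binary packages built from src:golang that a reverse dependency may Depend on.
TOOLCHAIN_BINARIES = {"golang", "golang-go", "golang-src", "golang-doc"}


def parse_stanzas(text):
    """Split blank-line separated stanzas into {field: value} dicts,
    folding indented continuation lines into the preceding field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key is not None:
                fields[key] += "\n" + line.strip()
            else:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def relation_names(value):
    """Return the bare package names in a Depends/Built-Using style field,
    dropping version constraints, alternatives and architecture qualifiers."""
    names = set()
    for clause in value.split(","):
        for alt in clause.split("|"):
            alt = alt.strip()
            if alt:
                names.add(re.split(r"[\s(\[]", alt, maxsplit=1)[0])
    return names


def classify_rdeps(stanzas):
    """Bucket golang reverse dependencies into:
    skip       - arch:all, only Go source, no rebuild needed
    rebuild    - architecture-dependent, must be rebuilt
    suspicious - arch-specific but no Built-Using: golang, i.e. either a
                 binary built without dh-golang's Built-Using, or a package
                 that should really have been arch:all; needs a human look."""
    result = {"skip": [], "rebuild": [], "suspicious": []}
    for pkg in stanzas:
        name = pkg.get("Package", "")
        depends = relation_names(pkg.get("Depends", ""))
        built_using = relation_names(pkg.get("Built-Using", ""))
        related = bool(depends & TOOLCHAIN_BINARIES) or TOOLCHAIN_SOURCE in built_using
        if not related:
            continue
        if pkg.get("Architecture") == "all":
            result["skip"].append(name)
            continue
        result["rebuild"].append(name)
        if TOOLCHAIN_SOURCE not in built_using:
            result["suspicious"].append(name)
    return result


if __name__ == "__main__":
    buckets = classify_rdeps(parse_stanzas(SAMPLE_PACKAGES))
    for bucket, names in buckets.items():
        print(f"{bucket:10s} {len(names):3d}  {', '.join(names)}")
```

On a real archive the input would be the Packages files for the suite (one per architecture, since the same binary name can be arch:all in one suite and arch-specific in another, exactly as the golang-websocket-dev listing above shows), and the "suspicious" bucket is the list worth sending to maintainers before binNMUs are scheduled.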
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
On Mon, Sep 14, 2015 at 17:18:30 -0700, Tianon Gravi wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: jessie
> Severity: normal
>
> Hi!
>
> "src:golang" has recently had a group of non-critical CVEs (#795106);
> I've finally got a fix in unstable now, but the security team
> requested[1] that I also propose an upload to s-p-u also to update
> jessie.
>
Does this involve rebuilding reverse dependencies?

Cheers,
Julien
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
On 15 September 2015 at 12:15, Julien Cristau wrote:
> Does this involve rebuilding reverse dependencies?

Unfortunately, yes. We could skip arch:all since those are going to be
-dev packages that contain source, but any actual binaries would need
to be rebuilt.

To Salvatore's comment, I'd be happy to update to include the fix for
that too if RT is OK with it. :) (Meanwhile will work on getting a fix
for it into unstable.)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
Hi Tianon,

On Mon, Sep 14, 2015 at 05:18:30PM -0700, Tianon Gravi wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: jessie
> Severity: normal
>
> Hi!
>
> "src:golang" has recently had a group of non-critical CVEs (#795106);
> I've finally got a fix in unstable now, but the security team
> requested[1] that I also propose an upload to s-p-u also to update
> jessie.
>
> I've attached the proposed debdiff -- the only functional change is
> the addition of the .patch file containing the three backported
> upstream commits to fix the CVEs.
>
> [1]: https://bugs.debian.org/795106#45
>
> Thanks for your consideration!

Remark: not speaking as Release Team member, just "outsider": could you
as well include the fix for the issue without CVE, see:

https://security-tracker.debian.org/tracker/source-package/golang

(it needs to be addressed as well in unstable before though).

Regards,
Salvatore
Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Hi!

"src:golang" has recently had a group of non-critical CVEs (#795106);
I've finally got a fix in unstable now, but the security team
requested[1] that I also propose an upload to s-p-u also to update
jessie.

I've attached the proposed debdiff -- the only functional change is
the addition of the .patch file containing the three backported
upstream commits to fix the CVEs.

[1]: https://bugs.debian.org/795106#45

Thanks for your consideration!

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4

Attachment: golang_2:1.3.3-1.debdiff