It was in an IRC conversation between me and Steve Langasek, after getting the Security team's approval (via tyhicks, also on IRC) that re- vendorizing golang-go.crypto was okay in yakkety, given that it's not a LTS release, and that there is at least another package (definitely snapd, and probably also lxd) that vendorizes everything.
My immediate concern isn't in the effort of rebuilding every reverse- dependency of golang-go.crypto, but of the high potential for regression involved in getting this new crypto and rebuilding everything against it, in the context of juju-core which is a project that is expected to change a lot. There WILL be other SRUs of juju-core in the future, and I don't know if other updates of golang packages may be required. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1634609 Title: de-vendorize golang-go.crypto from juju-core To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs