Re: Browserified copy and DFSG
- Date: Sun, 9 Sep 2018 01:10:45 +0800
- From: Shengjing Zhu <zhsj@xxxxxxxxxx>
On Sun, Sep 9, 2018 at 12:52 AM Sean Whitton <spwhitton@xxxxxxxxxxxxxx> wrote:
> On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:
> > On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
> >> Ok adding cc @security
> >> How will you handle security problem in static
> > Same goes for the other languages that do static linking. It would be
> > great to have this wiki page updated with some realistic strategies:
> > https://wiki.debian.org/StaticLinking
> > IIRC the security team recently flagged Go packages as being
> > problematic for security support in the Debian buster release. I guess
> > the same will apply to Rust now that Firefox switched to it?
> Hmm, Go looks to be using Built-Using in a way that is not
I just sent this to the Go team a few days ago,
What I see as a replacement is using X-Go-Built-Using, like the Rust
team (which uses X-Cargo-Built-Using).
But this needs release-team (and maybe security team) to confirm as
mentioned by stapelberg
For the security concern about Go in buster, more background is at
The main issue seems to be that we can't simply schedule binNMUs on security-master.
Whatever field is used to record the statically embedded library, the
script to filter the outdated binaries is simple.
Shengjing Zhu <zhsj@xxxxxxxxxx>
GPG Key: 0xCF0E265B7DFBB2F2
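
A sketch of the kind of filter script the message above refers to, added here as an example (it is not from the original mail or from any Debian team's tooling). It assumes entries have the form `source (= version)`, treats a binary as outdated when the recorded version differs from the current source version instead of doing full Debian version ordering, and uses constructed package names and versions.

```python
import re
# Fields named in the thread that record statically embedded sources.
FIELDS = ("Built-Using", "X-Go-Built-Using", "X-Cargo-Built-Using")

def parse_stanzas(text):
    """Yield each deb822 control stanza as a {field: value} dict."""
    for block in re.split(r"\n\s*\n", text.strip()):
        stanza, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation line
                stanza[last] += " " + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                stanza[last] = value.strip()
        yield stanza

def embedded_sources(stanza, fields=FIELDS):
    """Yield (source, version) from entries such as 'foo (= 1.0-1)'."""
    for field in fields:
        for entry in stanza.get(field, "").split(","):
            m = re.fullmatch(r"\s*(\S+)\s*\(=\s*(\S+)\s*\)\s*", entry)
            if m:
                yield m.group(1), m.group(2)

def outdated_binaries(packages_text, current_sources):
    """Return {binary: [(source, built_with, current)]} for stale embeds."""
    result = {}
    for stanza in parse_stanzas(packages_text):
        stale = [(src, ver, current_sources[src])
                 for src, ver in embedded_sources(stanza)
                 if src in current_sources and current_sources[src] != ver]
        if stale:
            result[stanza.get("Package", "?")] = stale
    return result

# Constructed sample data: hypothetical packages, sources and versions.
SAMPLE_PACKAGES = """\
Package: tool-a
X-Go-Built-Using: golang-example-lib (= 0.3-1),
 golang-example-net (= 2.1-2)

Package: tool-b
X-Cargo-Built-Using: rust-example-crate (= 1.4.0-1)

Package: tool-c
Built-Using: golang-example-lib (= 0.3-2)
"""
SAMPLE_SOURCES = {"golang-example-lib": "0.3-2", "golang-example-net": "2.1-2",
                  "rust-example-crate": "1.4.0-1"}
print(outdated_binaries(SAMPLE_PACKAGES, SAMPLE_SOURCES))
```

The returned mapping is the rebuild list: each binary listed there was built against a source version that is no longer the current one.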