Limited security support

Elements of decision/triage, considering the static linking issue:

See also: Teams/DebianGoTeam/2020/GoEcosystemIssues#stable_updates_.28through_security_update_or_point_release.29

Finding reverse build dependencies

Replace $golang_binary_package with the package you want to find reverse build-dependencies for, e.g. golang-go or golang-github-prometheus-client-golang-dev.

(stretch or later)


dose-ceve --deb-native-arch=amd64 -r $golang_binary_package -T debsrc \
    debsrc:///var/lib/apt/lists/XXX_debian_dists_stretch_main_source_Sources \
       deb:///var/lib/apt/lists/XXX_debian_dists_stretch_main_binary-amd64_Packages \
  | grep-dctrl -n -s Package '' | sort -u


dose-ceve --deb-native-arch=amd64 -r $golang_binary_package -T debsrc \
     debsrc:///var/lib/apt/lists/XXX_debian_dists_jessie_main_source_Sources \
        deb:///var/lib/apt/lists/XXX_debian_dists_jessie_main_binary-amd64_Packages \
 | grep-dctrl -n -s Package '' | sort -u


Maintainer snippet: excludes source-only/arch-all packages, but misses some packages such as 'aptly' (missing/incomplete Built-Using field):

apt-cache dumpavail | \
    grep-dctrl \
        -F Built-Using 'golang-1.7' -a \
        '(' --not -F Architecture all ')' \
        -s Source,Package,Version

Example non-obvious affected packages (no Go dependencies in binary packages): heartbleader, toxiproxy

Example reverse-dependencies rebuilds:

Limitations / TODO:

Run test suite

Run/re-run full test suite:

debian/rules override_dh_auto_test-arch
debian/rules override_dh_auto_test RUN_TEST=true  # jessie

Run a specific test:


# Simple case
cd src/pkg/net/url/
go test -v  # default to '.'
go test -v -run '^TestParse$' .

# More complex case
cd /.../debian-source-packages/golang-1.x/src/  # src/pkg/ for jessie
rm -rf ../pkg/linux_*/  # Go reuses the .a files there
GOROOT=/.../debian-source-packages/golang-1.x/ PATH=../bin:$PATH go test -v ./net/http/     # not 'net/http/', this would check the system install
GOROOT=/.../debian-source-packages/golang-1.x/ PATH=../bin:$PATH go test -v ./net/http/...  # '...' means 'with subdirs'
GOROOT=/.../debian-source-packages/golang-1.x/ PATH=../bin:$PATH go test -v ./net/http/httputil/reverseproxy*.go

# Another way for internal test suites:
GOROOT=/usr/src/golang/golang-1.8-1.8.1/ PATH=../bin:$PATH go tool dist test -list
GOROOT=/usr/src/golang/golang-1.8-1.8.1/ PATH=../bin:$PATH go tool dist test -run go_test:cmd/go
# If errors don't make sense:
GOROOT=/usr/src/golang/golang-1.8-1.8.1/ PATH=../bin:$PATH go tool dist test -run go_test:net/http -rebuild