• RFR: release notes update on golang security support

    From Justin B Rye@21:1/5 to Paul Gevers on Thu May 27 22:00:01 2021
    Paul Gevers wrote:
    + <section id="golang-static-linking">
    + <!-- Check if this still matches the view of the security team -->
    + <title>Go based packages</title>
    + <para>
    + The Debian infrastructure currently doesn't properly enable
    + rebuilding packages that statically link parts of other
    + packages on a large scale.

    It's not obvious what "on a large scale" modifies here, and perhaps
    instead of talking about a build process linking parts of packages we
    should just make it:

    The Debian infrastructure currently has problems with
    rebuilding packages of types that systematically use static
    linking.

    Until buster that hasn't been a

    Now that the buster release is in the past I'd have to say:

    Before buster this wasn't a

    + problem in practice, but with the growth of the Go ecosystem
    + it means that Go based packages will be covered by limited

    Optional extra hyphen: Go-based packages.

    + security support until the infrastructure is improved to
    + deal with them maintainably.
    + </para>
    + <para>
    + If updates for Go <quote>libaries</quote> are warranted,

    Missing R in libRaries! (But why in quotes? Should that be
    <emphasis>?)

    + they can only come via regular point releases, which may be
    + slow in arriving.
    + </para>
    + </section>

    --
    JBR with qualifications in linguistics, experience as a Debian
    sysadmin, and probably no clue about this particular package

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
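To make the warning in the quoted section concrete, here is an added illustration (my own code, not part of this thread and not a Debian or Go project tool). A Go binary built in module mode carries a table of every module version it was linked against, so a fix in a Go library reaches users only once each binary that lists that library has been rebuilt. The program reads that table with the standard library's debug/buildinfo package and reports whether a named module is older than a fixed version. It assumes a module-mode build; a binary built in GOPATH mode embeds no module list, and the program says so instead of guessing. The module paths and versions it is tested against are made up for the example.

```go
// rebuildcheck: list the modules statically linked into a Go binary and tell
// whether one of them is older than a fixed version. Added illustration, not a
// Debian or Go project tool; assumes a module-mode build, where the linker
// embeds the table that `go version -m` prints (GOPATH builds carry none).
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Dep is one module from a binary's embedded build information.
type Dep struct{ Path, Version string }

// ReadDeps returns the modules linked into the binary at path. The table is
// fixed at link time, so a later fix in a library changes nothing until a rebuild.
func ReadDeps(path string) ([]Dep, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var deps []Dep
	for _, m := range bi.Deps {
		if m.Replace != nil { // with a replace directive the replacement got linked
			m = m.Replace
		}
		deps = append(deps, Dep{m.Path, m.Version})
	}
	return deps, nil
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+meta]" into numbers and says
// whether a pre-release tag was present; a pseudo-version such as
// v0.3.7-0.20210101000000-0123456789ab counts as a pre-release of v0.3.7.
func parseSemver(v string) (nums [3]int, pre, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i] == '-', v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// NeedsRebuild returns the linked version of module and whether it is older than
// fixed. Unparsable versions, and pre-releases that cannot be ordered against
// fixed, are flagged so that a human looks at them; an absent module yields "".
func NeedsRebuild(deps []Dep, module, fixed string) (string, bool) {
	want, wantPre, fixedOK := parseSemver(fixed)
	for _, d := range deps {
		if d.Path != module {
			continue
		}
		have, havePre, ok := parseSemver(d.Version)
		switch {
		case !ok || !fixedOK || less(have, want):
			return d.Version, true
		case have == want: // v1.2.3-pre sorts before v1.2.3
			return d.Version, havePre && (!wantPre || d.Version != fixed)
		}
		return d.Version, false
	}
	return "", false
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: rebuildcheck BINARY MODULE FIXED_VERSION")
		os.Exit(2)
	}
	deps, err := ReadDeps(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(deps) == 0 { // GOPATH-mode build: nothing to compare, inspect by hand
		fmt.Println("no module table embedded in", os.Args[1])
		os.Exit(2)
	}
	v, rebuild := NeedsRebuild(deps, os.Args[2], os.Args[3])
	fmt.Printf("%s links %s %q; needs rebuild: %v\n", os.Args[1], os.Args[2], v, rebuild)
	if rebuild {
		os.Exit(1)
	}
}
```

Invoke it as `go run rebuildcheck.go /path/to/some-go-binary golang.org/x/text v0.3.7` (the binary path, module and version are placeholders); exit status 1 means the binary embeds an older copy and needs rebuilding. The same table can be read by hand with `go version -m BINARY`, which is a quick way to see why a fix to a Go library does not reach the binaries that use it until each of them is rebuilt.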
  • From Paul Gevers@21:1/5 to Justin B Rye on Thu May 27 22:10:04 2021

    Hi Justin,

    As always, thanks for the feedback.

    On 27-05-2021 21:54, Justin B Rye wrote:
    + If updates for Go <quote>libaries</quote> are warranted,

    Missing R in libRaries! (But why in quotes? Should that be
    <emphasis>?)

    These are not libraries in the c-library sense. Can you elaborate when
    you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

    + they can only come via regular point releases, which may be
    + slow in arriving.
    + </para>
    + </section>

    Paul


  • From Paul Gevers@21:1/5 to All on Thu May 27 21:20:01 2021

    Hi all,

    I've prepared an update to the release notes on request of the security
    team. The text is *nearly* the same as in the buster release notes, with
    two tweaks.

    Feedback appreciated.

    Paul

    From 09c562e45c09776891801bae6425adb773fc044c Mon Sep 17 00:00:00 2001
    From: Paul Gevers <elbrus@debian.org>
    Date: Thu, 27 May 2021 21:09:57 +0200
    Subject: [PATCH] issues.dbk: add security warning about golang again

    ---
    en/issues.dbk | 18 ++++++++++++++++++
    1 file changed, 18 insertions(+)

    diff --git a/en/issues.dbk b/en/issues.dbk
    index 70a48dc7..7165267e 100644
    --- a/en/issues.dbk
    +++ b/en/issues.dbk
    @@ -513,6 +513,24 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
    for every quarterly upstream security update.
    </para>
    </section>
    + <section id="golang-static-linking">
    + <!-- Check if this still matches the view of the security team -->
    + <title>Go based packages</title>
    + <para>
    + The Debian infrastructure currently doesn't properly enable
    + rebuilding packages that statically link parts of other
    + packages on a large scale. Until buster that hasn't been a
    + problem in practice, but with the growth of the Go ecosystem
    + it means that Go based packages will be covered by limited
    + security support until the infrastructure is improved to
    + deal with them maintainably.
    + </para>
    + <para>
    + If updates for Go <quote>libaries</quote> are wa
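Review bot: the second <para> misspells the noun in `<quote>libaries</quote>`; it should read `<quote>libraries</quote>`. Two smaller points in the same hunk: `<title>Go based packages</title>` wants a hyphen (`Go-based packages`), and `Until buster that hasn't been a problem in practice` is phrased from before the buster release, so `Before buster this wasn't a problem in practice` fits the current text better. The `<!-- Check if this still matches the view of the security team -->` comment is an open question rather than documentation and should be resolved and removed before the notes are built; and `on a large scale` in the first sentence leaves unclear whether it qualifies the rebuilding or the linking.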
  • From victory@21:1/5 to Paul Gevers on Fri May 28 01:50:01 2021
    On Thu, 27 May 2021 22:06:29 +0200
    Paul Gevers wrote:

    + <title>Go based packages</title>

    maybe this should have hyphen:
    + <title>Go-based packages</title>

    --
    victory
    no need to CC me :-)

  • From Justin B Rye@21:1/5 to Paul Gevers on Fri May 28 06:50:02 2021
    Paul Gevers wrote:
    On 27-05-2021 21:54, Justin B Rye wrote:
    + If updates for Go <quote>libaries</quote> are warranted,

    Missing R in libRaries! (But why in quotes? Should that be
    <emphasis>?)

    These are not libraries in the c-library sense. Can you elaborate when
    you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

    Well, Perl modules aren't quite libraries in the C-library sense,
    either, but we still treat them as library packages. If these ones
    will have package names beginning with lib-, I'd call them libraries
    without scarequotes. If they're libraries needed only to build
    software, rather than at runtime, should we perhaps be saying:

    + If updates are warranted for Go development libraries,
    --
    JBR with qualifications in linguistics, experience as a Debian
    sysadmin, and probably no clue about this particular package

  • From Justin B Rye@21:1/5 to victory on Fri May 28 06:50:02 2021
    victory wrote:
    Paul Gevers wrote:

    + <title>Go based packages</title>

    maybe this should have hyphen:
    + <title>Go-based packages</title>

    Oh, yes, thanks!
    --
    JBR with qualifications in linguistics, experience as a Debian
    sysadmin, and probably no clue about this particular package

  • From Andrei POPESCU@21:1/5 to Justin B Rye on Sat May 29 08:30:01 2021
    On Vi, 28 mai 21, 05:43:26, Justin B Rye wrote:
    Paul Gevers wrote:
    On 27-05-2021 21:54, Justin B Rye wrote:
    + If updates for Go <quote>libaries</quote> are warranted,

    Missing R in libRaries! (But why in quotes? Should that be
    <emphasis>?)

    These are not libraries in the c-library sense. Can you elaborate when you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

    Well, Perl modules aren't quite libraries in the C-library sense,
    either, but we still treat them as library packages. If these ones
    will have package names beginning with lib-, I'd call them libraries
    without scarequotes. If they're libraries needed only to build
    software, rather than at runtime, should we perhaps be saying:

    + If updates are warranted for Go development libraries,

    Hi Justin,

    It might be useful for us non-native English speakers if you could
    elaborate on the appropriate use of (scare)quotes[1].

    For what it's worth, in this particular case I also believe they are not needed or could even twist the meaning, though I can't quite explain
    why.

    [1] at one point we should probably collect all of these in a style
    guide somewhere. Maybe just a .md file in git would be sufficient as a
    start?

    Kind regards,
    Andrei
    --
    http://wiki.debian.org/FAQsFromDebianUser

  • From Justin B Rye@21:1/5 to All on Sat May 29 09:50:01 2021
    Andrei POPESCU wrote:
    Justin B Rye wrote:
    Paul Gevers wrote:
    On 27-05-2021 21:54, Justin B Rye wrote:
    + If updates for Go <quote>libaries</quote> are warranted,

    Missing R in libRaries! (But why in quotes? Should that be
    <emphasis>?)

    These are not libraries in the c-library sense. Can you elaborate when
    you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

    Well, Perl modules aren't quite libraries in the C-library sense,
    either, but we still treat them as library packages. If these ones
    will have package names beginning with lib-, I'd call them libraries
    without scarequotes. If they're libraries needed only to build
    software, rather than at runtime, should we perhaps be saying:

    + If updates are warranted for Go development libraries,

    Hi Justin,

    It might be useful for us non-native English speakers if you could
    elaborate on the appropriate use of (scare)quotes[1].

    The idea of scarequotes is that we're not asserting that it's a
    library, we're in effect quoting indefinite/imaginary sources that
    would *call* it a library. Depending on context this can have
    overtones anywhere between "we really might as well all call it this,
    even if it isn't technically accurate" and "would you believe some
    people are actually dumb enough to call it *this*?"

    In other words, it's very like "so-called libraries", except without
    such a clear implication that using that label is bad.

    For what it's worth, in this particular case I also believe they are not needed or could even twist the meaning, though I can't quite explain
    why.

    I'm still not sure I know what sort of packages it's talking about.
    If it's things like golang-dbus-dev, the description calls it a
    library and I don't see any reason for scepticism, though we might
    specifically call it a development library.

    [1] at one point we should probably collect all of these in a style
    guide somewhere. Maybe just a .md file in git would be sufficient as a
    start?

    Well, I've put some of my frequent recommendations in "http://jbr.me.uk/linux/esl.html", but I didn't have anything about
    this.
    --
    JBR with qualifications in linguistics, experience as a Debian
    sysadmin, and probably no clue about this particular package
