Hi, On Sun, May 5, 2019 at 7:46 PM Ivo De Decker <iv...@debian.org> wrote: > > Control: tags -1 moreinfo > > Hi, > > On Tue, Apr 30, 2019 at 05:07:57PM +0800, Drew Parsons wrote: > > Please unblock package golang-golang-x-net-dev > > > > Upstream has provided patches addressing security issues > > CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848 > > (Debian bug #911795). > > How will unblocking this fix these issues? golang-golang-x-net-dev is embedded > in a number of packages in buster. If they are not updated, the unblock will > not fix anything. How will this be handled? >
All the reverse depends need binNMU. Since the Go packages are using(abusing) Built-Using tag, probably the release team will binNMU all outdated Built-Using packages at this period(before release)? Maybe we can keep the conversation at https://lists.debian.org/msgid-search/20190427073148.GA7478@debian ? -- Shengjing Zhu
