On Sun, 28 Sept 2025 at 12:55, Geert Stappers <[email protected]> wrote: > Somewhere augustus 2024: > > Kindly update golang version to >=1.22 or atleast >=1.19.13 in the > > stable Bookworm release for fixing the above listed vulnerabilities. > > > > Let us know if any help is needed from my side for migrating the > > package from backports to stable Bookworm release. > > > Meanwhile became Bookworm oldstable and Trixie stable. > > As I read https://tracker.debian.org/pkg/golang-defaults > today, 2025-09-28: > > - For stable is 2:1.24~2 available > - For old-bpo is 2:1.23~2~bpo12+1 available > - oldstable is it still 2:1.19~1 > > > What would be good for Debian regarding this bugreport? > > Upload a 1.23 to oldstable? > Advice Bookworm users to activate backports?
We should definitely not update src:golang-defaults to a new minor version in a prior release directly, as its primary purpose is to control the "default" version of Go used to compile most packages in the archive (and that might cause buildability issues in a place where we want to be even more careful about them than usual). At most, backports are probably reasonable, but I'm not exactly sure what the implication of that would be (it's probably mostly without issue, since backports builds don't necessarily choose backports packages unless their version constraints require it). ♥, - Tianon 4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
