Paul Gevers wrote

+ <section id="golang-static-linking">
+ <!-- Check if this still matches the view of the security team -->
+ <title>Go based packages</title>
+ <para>
+ The Debian infrastructure currently doesn't properly enable
+ rebuilding packages that statically link parts of other
+ packages on a large scale.

It's not obvious what "on a large scale" modifies here, and perhaps
instead of talking about a build process linking parts of packages we
should just make it:

The Debian infrastructure currently has problems with
rebuilding packages of types that systematically use static
linking.

Until buster that hasn't been a

Now that the buster release is in the past I'd have to say:

Before buster this wasn't a

+ problem in practice, but with the growth of the Go ecosystem
+ it means that Go based packages will be covered by limited

Optional extra hyphen: Go-based packages.

+ security support until the infrastructure is improved to
+ deal with them maintainably.
+ </para>
+ <para>
+ If updates for Go <quote>libaries</quote> are warranted,

Missing R in libRaries! (But why in quotes? Should that be
<emphasis>?)

+ they can only come via regular point releases, which may be
+ slow in arriving.
+ </para>
+ </section>

--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --J7pZujBLS5Wasv8lwf8cCi7aFRygUR8M9
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi Justin,

As always, thanks for the feedback.

On 27-05-2021 21:54, Justin B Rye wrote:

+ If updates for Go <quote>libaries</quote> are warranted,

Missing R in libRaries! (But why in quotes? Should that be
<emphasis>?)

These are not libraries in the c-library sense. Can you elaborate when
you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

+ they can only come via regular point releases, which may be
+ slow in arriving.
+ </para>
+ </section>

Paul


--J7pZujBLS5Wasv8lwf8cCi7aFRygUR8M9--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmCv+8UFAwAAAAAACgkQnFyZ6wW9dQqE YAf+PcO79ef9JS25f1Y4sMc4Wzn+3X1pcn1Q3jz/WjyVewgf85HUZuUAb/qFqqKbap4d3uXOtZcZ M5fvQxXpPqY5lL2EuLcYA8dmsFMMZmBGeoFSmb96GgwfPKuOte+Fg+WzVaFeXePKkYihoD+kMgNm tRjVR6Gzw/bbE84f6p708lFlAe1Wb9Ox4T2BzDswujNUO8LDYZK1TK9vaf070TDN6p0m+INdTzOM W5rWSyuaf+aDRV83aV0t1zinqxSh2q5sVHtvXhWyL0wtP9veTH/o2bJFollIGbY1+YxAuVRn6gK2 idXaTbx42NLnUNIOJcM7XM9ZgyxolCpLpcoD7St83Q==
=GVXV
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --rNSyfrKITOby6QjHv9JEqsZxaNWPuzO0b
Content-Type: multipart/mixed;
boundary="------------642D235018BF16D088FD4672"
Content-Language: en-US

This is a multi-part message in MIME format. --------------642D235018BF16D088FD4672
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

I've prepared an update the release notes on request of the security
team. The text is *nearly* the same as in the buster release notes, with
two tweaks.

Feedback appreciated.

Paul

--------------642D235018BF16D088FD4672
Content-Type: text/x-patch; charset=UTF-8;
name="0001-issues.dbk-add-security-warning-about-golang-again.patch" Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename*0="0001-issues.dbk-add-security-warning-about-golang-again.patc";
filename*1="h"

From 09c562e45c09776891801bae6425adb773fc044c Mon Sep 17 00:00:00 2001
From: Paul Gevers <[email protected]>
Date: Thu, 27 May 2021 21:09:57 +0200
Subject: [PATCH] issues.dbk: add security warning about golang again

---
en/issues.dbk | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/en/issues.dbk b/en/issues.dbk
index 70a48dc7..7165267e 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -513,6 +513,24 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
for every quarterly upstream security update.
</para>
</section>
+ <section id="golang-static-linking">
+ <!-- Check if this still matches the view of the security team -->
+ <title>Go based packages</title>
+ <para>
+ The Debian infrastructure currently doesn't properly enable
+ rebuilding packages that statically link parts of other
+ packages on a large scale. Until buster that hasn't been a
+ problem in practice, but with the growth of the Go ecosystem
+ it means that Go based packages will be covered by limited
+ security support until the infrastructure is improved to
+ deal with them maintainably.
+ </para>
+ <para>
+ If updates for Go <quote>libaries</quote> are wa

On Thu, 27 May 2021 22:06:29 +0200
Paul Gevers wrote:

+ <title>Go based packages</title>

maybe this should have hyphen:
+ <title>Go-based packages</title>

--
victory
no need to CC me :-)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Paul Gevers wrote:

On 27-05-2021 21:54, Justin B Rye wrote:

+ If updates for Go <quote>libaries</quote> are warranted,

Missing R in libRaries! (But why in quotes? Should that be
<emphasis>?)

These are not libraries in the c-library sense. Can you elaborate when
you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

Well, Perl modules aren't quite libraries in the C-library sense,
either, but we still treat them as library packages. If these ones
will have package names beginning with lib-, I'd call them libraries
without scarequotes. If they're libraries needed only to build
software, rather than at runtime, should we perhaps be saying:

+ If updates are warranted for Go development libraries,
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

victory wrote:

Paul Gevers wrote:

+ <title>Go based packages</title>

maybe this should have hyphen:
+ <title>Go-based packages</title>

Oh, yes, thanks!
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Vi, 28 mai 21, 05:43:26, Justin B Rye wrote:

Paul Gevers wrote:

On 27-05-2021 21:54, Justin B Rye wrote:

+ If updates for Go <quote>libaries</quote> are warranted,

Missing R in libRaries! (But why in quotes? Should that be
<emphasis>?)

These are not libraries in the c-library sense. Can you elaborate when you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, <emphasis>, I don't know what it would mean to me in this place.

Well, Perl modules aren't quite libraries in the C-library sense,
either, but we still treat them as library packages. If these ones
will have package names beginning with lib-, I'd call them libraries
without scarequotes. If they're libraries needed only to build
software, rather than at runtime, should we perhaps be saying:

+ If updates are warranted for Go development libraries,

Hi Justin,

It might be useful for us non-native English speakers if you could
elaborate on the appropriate use of (scare)quotes[1].

For what it's worth, in this particular case I also believe they are not needed or could even twist the meaning, though I can't quite explain
why.

[1] at one point we should probably collect all of these in a style
guide somewhere. Maybe just a .md file in git would be sufficient as a
start?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE5E64jOIbhY42OXqk/8eFRO8iNBwFAmCx3w4ACgkQ/8eFRO8i NBzFURAAjR4ypKohJ3XSfB99wMjvXbHPgRBA1y5bUBIE8o8d/4GrUS2lX5gy1H0I 7mvCBnl64HgEUCHVGUT2tfItLWNsdAXwO/nj+zFrF89Jni9EsTdXseOOrTrY83st QTtppcxsfvBOKC7tqVHrJE4CkVSgt1D6miE9op5iU2xaqOg6Dcda6fIZIq4dbfx1 ka51VTQJ7O/PmjY8gEwJohJ15vTz7iJ1hJtB377tVwHjJfRJNOdrbaAj8j+UWItA V3psBusvQas1tZj58EC7iLCYXpghXaH1UVtgrxDkA2O8dG1Zl0Imdtv5Qf/LL19w dASlBnArQOH090pZvn5WhSP2ZgfWHjdjpdETSoFnWHrUCXmqjfrZs+7ZDjyHqp9N nHtzCEQbNH0JTqYoVYWv8NpX1HaPibD9VtQ6BoH9YFlaMIslQCVngNR/TmgYXgMx Q0En7yfV9xKYfOdqYVkVxbYCSsbR0LxALNIYC9VUdz3MpNTqKTBgHaz5VJS+22V1 Ghp8oSaYp6aVGxbctKh6O0/r8x+BayRJ8fg2wp0zIDKXLuI/oVLevygsQgHDmb36 fpui/SyYlvnurDmBAfYwdzSDCzkAjqy1h3wCJ1aGCWKgFmz4pnLTl8O6Q0ZLqLJh aYZJI8AYoGWwxb0rxdVDjlhs3rQMJwBD1368u+dpDwAJ2W3kWMI=
=hJAE
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

An1drei POPESCU wrote:

Justin B Rye wrote:

Paul Gevers wrote:

On 27-05-2021 21:54, Justin B Rye wrote:

+ If updates for Go <quote>libaries</quote> are warranted,

Missing R in libRaries! (But why in quotes? Should that be
<emphasis>?)

These are not libraries in the c-library sense. Can you elaborate when
you'd expect <emphasis> and when <quotes>? To me <quotes> feels natural, >>> <emphasis>, I don't know what it would mean to me in this place.

Well, Perl modules aren't quite libraries in the C-library sense,
either, but we still treat them as library packages. If these ones
will have package names beginning with lib-, I'd call them libraries
without scarequotes. If they're libraries needed only to build
software, rather than at runtime, should we perhaps be saying:

+ If updates are warranted for Go development libraries,

Hi Justin,

It might be useful for us non-native English speakers if you could
elaborate on the appropriate use of (scare)quotes[1].

The idea of scarequotes is that we're not asserting that it's a
library, we're in effect quoting indefinite/imaginary sources that
would *call* it a library. Depending on context this can have
overtones anywhere between "we really might as well all call it this,
even if it isn't technically accurate" and "would you believe some
people are actually dumb enough to call it *this*?"

In other words, it's very like "so-called libraries", except without
such a clear implication that using that label is bad.

For what it's worth, in this particular case I also believe they are not needed or could even twist the meaning, though I can't quite explain
why.

I'm still not sure I know what sort of packages it's talking about.
If it's things like golang-dbus-dev, the description calls it a
library and I don't see any reason for scepticism, though we might
specifically call it a development library.

[1] at one point we should probably collect all of these in a style
guide somewhere. Maybe just a .md file in git would be sufficient as a
start?

Well, I've put some of my frequent recommendations in "http://jbr.me.uk/linux/esl.html", but I didn't have anything about
this.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)