From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-79861-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 56AB2139694
	for <garchives@archives.gentoo.org>; Fri, 10 Mar 2017 14:45:37 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B1F7AE0C5F;
	Fri, 10 Mar 2017 14:45:28 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 6047AE0C11
	for <gentoo-dev@lists.gentoo.org>; Fri, 10 Mar 2017 14:45:28 +0000 (UTC)
Received: from [10.100.0.22] (host-37-191-236-118.lynet.no [37.191.236.118])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: k_f)
	by smtp.gentoo.org (Postfix) with ESMTPSA id CF2B7340806
	for <gentoo-dev@lists.gentoo.org>; Fri, 10 Mar 2017 14:45:26 +0000 (UTC)
Subject: Re: [gentoo-dev] new virtual -- virtual/go to fix go build time
 dependencies
References: <c612b525-7036-501e-102b-115ead53964a@gentoo.org>
 <20170307224006.GA4087@whubbs1.gaikai.biz>
 <fd035340-a558-7bb5-93f5-1c564ef341ef@gentoo.org>
 <20170307160238.118d503f@patrickm>
 <c3ec7982-7d51-7d30-32e3-623df6a4d7a6@gentoo.org>
 <20170308003814.GA9573@whubbs1.gaikai.biz>
 <CAMiTYSqN0Lv40k-Jyk6vZQf97ab5fFMKW_2r9MEJsTLavK_exw@mail.gmail.com>
 <2e5e4aa2-5979-800c-1689-d26915be64b1@gentoo.org>
 <20170308192009.GA12051@whubbs1.gaikai.biz>
 <b752f9a5-cd84-27d2-d4ff-4d3a8ea80a80@gentoo.org>
 <20170309153638.GA13941@linux1>
 <e469b405-e6d7-618f-9daa-ea0b934851b0@gentoo.org>
To: gentoo-dev@lists.gentoo.org
From: Kristian Fiskerstrand <k_f@gentoo.org>
Message-ID: <6e445624-db82-7629-109a-98b9de37edf0@gentoo.org>
Date: Fri, 10 Mar 2017 15:44:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.7.0
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
In-Reply-To: <e469b405-e6d7-618f-9daa-ea0b934851b0@gentoo.org>
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="sOe0h8LEsoqFQ2Fx9n51roxNc6aNpmqWd"
X-Archives-Salt: f187db8b-8837-4a16-9c91-6cd7e1251126
X-Archives-Hash: 2776af14f90481403da35d985e941ddc

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--sOe0h8LEsoqFQ2Fx9n51roxNc6aNpmqWd
Content-Type: multipart/mixed; boundary="Dewn40QK5nR1Le31vUtFreXxRucpv45mn"
From: Kristian Fiskerstrand <k_f@gentoo.org>
Reply-To: k_f@gentoo.org
To: gentoo-dev@lists.gentoo.org
Message-ID: <6e445624-db82-7629-109a-98b9de37edf0@gentoo.org>
Subject: Re: [gentoo-dev] new virtual -- virtual/go to fix go build time
 dependencies
References: <c612b525-7036-501e-102b-115ead53964a@gentoo.org>
 <20170307224006.GA4087@whubbs1.gaikai.biz>
 <fd035340-a558-7bb5-93f5-1c564ef341ef@gentoo.org>
 <20170307160238.118d503f@patrickm>
 <c3ec7982-7d51-7d30-32e3-623df6a4d7a6@gentoo.org>
 <20170308003814.GA9573@whubbs1.gaikai.biz>
 <CAMiTYSqN0Lv40k-Jyk6vZQf97ab5fFMKW_2r9MEJsTLavK_exw@mail.gmail.com>
 <2e5e4aa2-5979-800c-1689-d26915be64b1@gentoo.org>
 <20170308192009.GA12051@whubbs1.gaikai.biz>
 <b752f9a5-cd84-27d2-d4ff-4d3a8ea80a80@gentoo.org>
 <20170309153638.GA13941@linux1>
 <e469b405-e6d7-618f-9daa-ea0b934851b0@gentoo.org>
In-Reply-To: <e469b405-e6d7-618f-9daa-ea0b934851b0@gentoo.org>

--Dewn40QK5nR1Le31vUtFreXxRucpv45mn
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 03/09/2017 05:06 PM, Michael Orlitzky wrote:
> "How do we update insecure libraries?" would have been a good question
> to ask *before* adding Go to the tree, because the answer is pretty
> clearly "we can't."=20

As it is now, if a go-package is to be in stable tree; the package
maintainer adding a go package will need to keep track of relevant
dependencies that are embedded and do a revdep of the package if a
vulnerability in the chain is discovered.

--=20
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


--Dewn40QK5nR1Le31vUtFreXxRucpv45mn--

--sOe0h8LEsoqFQ2Fx9n51roxNc6aNpmqWd
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEtOrRIMf4mkrqRycHJQt6/tY3nYUFAljCu88ACgkQJQt6/tY3
nYXMcwgAwlv/dMvb+k72Bq7EiSoJf2iI8W/StkPLLp5/WagSgwrdlXlqwNaC759K
8Cps6d498svAwqFtVhpZ3+UogTjaOIflPaKgXGr1UTi0otqLOYR59Fss9kF0skUI
nr8EvkSYxMVuLNTez4SW7RPOrxW0B3EW2FlNZBntYcCz2rP00sn4uzu36qmfZIaS
W5AzJNXjrkhJJxfjL6iErLqM/I4SYhqHJupf531JQ8HxWCzMWpeemoKawxkaPwTg
8nhoVGod3z8SoBqb02vTp2uzaGV6A1w0QSHyYOjkrVF5gH32I9Nuhw51zDWi5gaf
sYhIK5ohkfSYNrJzR7klfM1/3g/0yA==
=vzmQ
-----END PGP SIGNATURE-----

--sOe0h8LEsoqFQ2Fx9n51roxNc6aNpmqWd--