Message-ID: <aedhJq1VF7pR2sc1@mertle>
Date: Tue, 21 Apr 2026 07:36:06 -0400
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Cc: Morten Linderud <morten@...derud.pw>
Subject: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes

On 2026-04-20 13:10:13, Demi Marie Obenour wrote:
> 
> I wonder if build infra needs to be updated to support automated
> rebuilds when a reverse dependency is updated.  My understanding is
> that FreeBSD ports, Nix, and OBS already support this.

On its own this isn't sufficient because many packages pin their
dependencies to specific versions or git commits. This causes a
cascade of problems:

 * Most dependencies can't be packaged separately, because eventually
   two applications will require two different versions of the same
   library, not to mention the labor involved.

 * You can try to loosen the dependency constraints yourself, but with
   everyone else bundling, no one cares about API/ABI stability and
   breakage is likely.

 * OTOH with dependencies left bundled and pinned to specific
   versions, rebuilding does nothing except change mtimes.
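The third point above is the one a packager can actually measure: when a module is bundled and pinned, rebuilding the application re-links the same library source, so the fixed version only arrives once someone bumps the pin. As an added example that is not part of this message, of the Go project's tooling, or of any distribution's build infrastructure, here is a small Go program that parses a constructed go.mod, compares each pinned module version (including a commit pseudo-version) against a constructed table of first-fixed versions, and lists the pins that a plain rebuild would leave in place. The example.invalid module paths, the versions and the FixedVersions table are all constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one "module version" entry from a go.mod require block.
type Requirement struct {
	Path    string
	Version string
}

// SampleGoMod is a constructed go.mod; the module paths and versions are
// hypothetical and exist only to exercise the parser below.
const SampleGoMod = `module example.invalid/app

go 1.26

require (
	example.invalid/liba v1.4.2
	example.invalid/libb v0.0.0-20250101120000-0123456789ab // pinned to a commit
)

require example.invalid/libc v2.0.1
`

// FixedVersions is a constructed table mapping module path to the first
// version that carries a hypothetical fix; it stands in for an advisory feed.
var FixedVersions = map[string]string{
	"example.invalid/liba": "v1.5.0",
	"example.invalid/libb": "v0.2.0",
	"example.invalid/libc": "v2.0.0",
}

// ParseRequires extracts require entries, both the single-line form and the
// parenthesised block form, ignoring trailing // comments.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs = append(reqs, Requirement{f[1], f[2]})
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs = append(reqs, Requirement{f[0], f[1]})
			}
		}
	}
	return reqs
}

// CompareVersions orders two "vX.Y.Z" strings numerically. Pre-release and
// build suffixes are dropped, so a commit pseudo-version such as
// v0.0.0-<timestamp>-<hash> compares as v0.0.0, i.e. older than any release.
func CompareVersions(a, b string) int {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var out [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n, _ := strconv.Atoi(p)
			out[i] = n
		}
		return out
	}
	x, y := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if x[i] < y[i] {
			return -1
		}
		if x[i] > y[i] {
			return 1
		}
	}
	return 0
}

// StalePins returns the requirements pinned below the first fixed version
// listed in fixed; these are exactly the modules a rebuild will not update.
func StalePins(reqs []Requirement, fixed map[string]string) []Requirement {
	var stale []Requirement
	for _, r := range reqs {
		if floor, ok := fixed[r.Path]; ok && CompareVersions(r.Version, floor) < 0 {
			stale = append(stale, r)
		}
	}
	return stale
}

func main() {
	for _, r := range StalePins(ParseRequires(SampleGoMod), FixedVersions) {
		fmt.Printf("%s pinned at %s: a rebuild alone keeps this version\n", r.Path, r.Version)
	}
}
```

Run against the constructed input it reports liba and libb as stale and accepts libc, whose pin is already past the fixed version. The version comparison deliberately ignores pre-release tags, which is enough to flag commit pins but would need the real semver rules for a production checker.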
