~ubuntu-security/ubuntu-cve-tracker/master

Built-Using
-----------
From https://www.debian.org/doc/debian-policy/ch-relationships.html:

"7.8 Additional source packages used to build the binary - Built-Using

Some binary packages incorporate parts of other packages when built but do not
have to depend on those packages. Examples include linking with static
libraries or incorporating source code from another package during the build.
In this case, the source packages of those other packages are a required part
of the complete source (the binary package is not reproducible without them).

A Built-Using field must list the corresponding source package for any such
binary package incorporated during the build [56], including an "exactly equal"
("=") version relation on the version that was used to build that binary
package."

Considering the above, UCT/scripts/report-built-using.py can be used to examine
the Packages files (as from packages_mirror) and report the version of the
package they are importing. For example:

$ ./scripts/report-built-using.py glibc
Source (version)                   Pocket         Component  Used by
------------------------------------------------------------------------------
...
glibc (2.19-10ubuntu2)             wily           main       aide

The above shows that the aide source package in wily was built using files from
glibc 2.19-10ubuntu2 binaries.

See './scripts/report-built-using.py --help' for more examples.

When triaging CVEs, the report-built-using.py command can be used to see if
other packages are candidates for a no change rebuild when the affected source
is fixed.
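As an added illustration of the check described above (this is not UCT's report-built-using.py, only a small stand-alone sketch in the same spirit), the following parses a constructed set of Packages stanzas, validates that each Built-Using entry carries the "exactly equal" relation policy 7.8 requires, and lists which source packages were built using a given source and at which version. The sample stanzas, package names and versions below are made up for the example.

```python
import re
from typing import Iterator

# Constructed sample of Packages-file stanzas (not real mirror data).
SAMPLE_PACKAGES = """\
Package: aide
Source: aide
Version: 0.16~a2.git20130520-3ubuntu1
Built-Using: glibc (= 2.19-10ubuntu2)

Package: docker.io
Version: 1.6.2~dfsg1-1ubuntu4
Built-Using: golang (= 2:1.5-0ubuntu1), golang-go.net-dev (= 0.0~hg20130509-1)

Package: libc6
Source: glibc
Version: 2.19-10ubuntu2
"""

# One Built-Using entry: "<source> (<relation> <version>)".
BUILT_USING_RE = re.compile(r"^\s*(\S+)\s*\((=|<=|>=|<<|>>)\s*([^)]+)\)\s*$")


def parse_stanzas(text: str) -> Iterator[dict]:
    """Split a Packages file into blank-line separated stanzas of fields."""
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            yield fields


def report_built_using(text: str, source: str) -> list[tuple[str, str, str]]:
    """Return (source, version, used-by source package) for every binary
    whose Built-Using names `source`; reject relations other than '='."""
    rows = []
    for stanza in parse_stanzas(text):
        # Binaries whose source name differs carry it in a Source field.
        used_by = stanza.get("Source", stanza["Package"]).split()[0]
        for item in stanza.get("Built-Using", "").split(","):
            if not item.strip():
                continue
            m = BUILT_USING_RE.match(item)
            if m is None:
                raise ValueError(f"{used_by}: unparsable Built-Using entry {item!r}")
            src, rel, ver = m.groups()
            if rel != "=":
                raise ValueError(f"{used_by}: Built-Using on {src} uses {rel!r}, not '='")
            if src == source:
                rows.append((src, ver.strip(), used_by))
    return rows
```

Run against a real Packages file, the output for a fixed source package is the rebuild candidate list; an entry that fails the '=' check is a packaging bug worth reporting rather than something to rebuild around.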


golang
------
golang 1.4 and earlier does not have shared library support. "Go 1.5 can
produce Go shared libraries that can be consumed by Go programs.... Go 1.5 can
also build Go programs as C archive files (for static linking) or shared
libraries (for dynamic linking) that can be consumed by C programs."[1] golang
1.5 will not have shared library support on all architectures (eg, arm64),
though this support is coming.

Because 1.5 is not available in Debian or Ubuntu yet, golang packages are
statically compiled. They may use Build-Depends in their packaging[2] to
depend on other Go libraries; this installs the source files for those
libraries on the system so that the build can statically compile everything
together. When a source package does this, it should use Built-Using in its
control file so that the produced binaries carry the proper Built-Using field
required by Debian policy[3]. In general, packages should use dh-golang and
dh-make-golang.

NOTE REGARDING OFFICIALLY SUPPORTED STATICALLY COMPILED GOLANG PACKAGES:
golang packages that need to be rebuilt because they are Built-Using an out of
date package that has received a security update will be rebuilt by the
Ubuntu Security team. Testing will in general not be performed by the Ubuntu
Security team for rebuilt packages that receive community support. For packages
that receive official support, the Ubuntu Security team will notify affected
upstreams that rebuilt packages are available for testing and will publish the
rebuilt packages at a later date.

[1] https://talks.golang.org/2015/state-of-go-may.slide#13
[2] http://pkg-go.alioth.debian.org/packaging.html