It was in an IRC conversation between me and Steve Langasek, after getting the Security team's approval (via tyhicks, also on IRC) that re-vendorizing golang-go.crypto was okay in yakkety, given that it's not a LTS release, and that there is at least another package (definitely snapd, and probably also lxd) that vendorizes everything.
My immediate concern isn't in the effort of rebuilding every reverse-dependency of golang-go.crypto, but of the high potential for regression involved in getting this new crypto and rebuilding everything against it, in the context of juju-core which is a project that is expected to change a lot. There WILL be other SRUs of juju-core in the future, and I don't know if other updates of golang packages may be required.
It was in an IRC conversation between me and Steve Langasek, after getting the Security team's approval (via tyhicks, also on IRC) that re-vendorizing golang-go.crypto was okay in yakkety, given that it's not a LTS release, and that there is at least another package (definitely snapd, and probably also lxd) that vendorizes everything.
My immediate concern isn't in the effort of rebuilding every reverse-dependency of golang-go.crypto, but of the high potential for regression involved in getting this new crypto and rebuilding everything against it, in the context of juju-core which is a project that is expected to change a lot. There WILL be other SRUs of juju-core in the future, and I don't know if other updates of golang packages may be required.