"Limited Security Support" prompt on update

kwinz

Hi,

today I ran updates of PVE (8.1.3) as usual, and I got this prompt:

1704362642314.png

I have PVE subscriptions and licenses installed on all servers. I can't believe I didn't find anything about this with the forum search function.

I think that this is just telling me that the package has to be maintained by Proxmox because it links Go libraries statically?

Is this expected behaviour?

Thanks in advance!
 
Hi,
your suspicion goes in the right direction. proxmox-backup is written in Rust, which, like Go, relies heavily on static linking.
Static linking means that dependencies are compiled into the resulting library, instead of dynamically linking to them at runtime.
This means, in order to update dependencies, a new binary needs to be built and distributed instead of just the dependencies. If not well maintained, this can result in the usage of faulty or insecure dependencies.
For this reason, the debian-security-support project classifies all Rust and Go projects as limited support, as can be seen in this wildcard in their config:
Code:
golang.*        See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
rust.*          See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
Since the proxmox projects are actively maintained and updated, this does not present a problem.
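
As an added illustration (not part of the reply above and not code from debian-security-support), this sketch shows how the two wildcard entries quoted in the reply would flag packages by name. It assumes the first column is a regular expression that must match the whole source package name; the package names in `SAMPLE_SOURCES` are constructed.

```python
import re

# The two entries quoted in the reply above: pattern, whitespace, free-text reason.
LIMITED_SUPPORT_CONFIG = """\
golang.*        See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
rust.*          See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
"""


def parse_limited_list(text):
    """Return a list of (compiled_pattern, reason) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # columns may be separated by spaces or tabs
        reason = parts[1].strip() if len(parts) > 1 else ""
        # Assumption: the first column is a regex over the full source package name.
        entries.append((re.compile(parts[0]), reason))
    return entries


def limited_support(source_packages, entries):
    """Map each matching source package name to the reason it is flagged."""
    flagged = {}
    for name in source_packages:
        for pattern, reason in entries:
            # fullmatch anchors both ends, so "trust-store" does not hit "rust.*".
            if pattern.fullmatch(name):
                flagged[name] = reason
                break
    return flagged


# Constructed sample source package names, not taken from a real system.
SAMPLE_SOURCES = ["golang-example-tool", "rust-example-backup", "openssl", "trust-store"]

if __name__ == "__main__":
    entries = parse_limited_list(LIMITED_SUPPORT_CONFIG)
    for name, reason in limited_support(SAMPLE_SOURCES, entries).items():
        print(f"{name}: limited security support. {reason}")
```

The match is purely name-based: a package is flagged because of how its source package is named, regardless of how actively its maintainer rebuilds it against updated dependencies.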