
Re: Request for vendored package: chezmoi dotfile manager



On Fri, Aug 04, 2023 at 07:20:32PM +0200, Tom Payne wrote:
> On Thu, 3 Aug 2023 at 05:03, Nilesh Patra <nilesh@debian.org> wrote:
> 
> > On Thu, Aug 03, 2023 at 01:28:44AM +0200, Tom Payne wrote:
> > > I, and chezmoi's users, would love for chezmoi to be included in Debian.
> > > There's an existing Debian bug for this
> > > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012721>, and an
> > > existing issue in the chezmoi repo
> > > <https://github.com/twpayne/chezmoi/issues/2130>.
> >
> > As per the Bug report, Ryan is working on it so I've kept them in CC.
> >
> > > What is tricky is that chezmoi has regular releases
> > > <https://www.chezmoi.io/reference/release-history/> (roughly, a minor
> > > version every two weeks), including fixing security problems
> >
> > Are security problems relatively frequent?
> >
> 
> They're every month or so. For example, Go 1.19 has had twelve patch
> releases to address security problems since its release one year ago. Of
> course, not all of these affect chezmoi.
> 
> Security problems in other dependencies are less frequent, maybe a few per
> year. I have a scheduled daily govulncheck run and fix problems as soon as
> I can, usually within a few hours.

So, allow me to clarify this: where are the vulnerabilities usually
found?

a) In chezmoi code itself
b) In the dependencies of chezmoi
c) In the libraries vendored by chezmoi (i.e. in the vendor/ directory, if
it has one).

If it's "b" then I don't think you need to do much except for tagging
the CVE with updated version in go.mod.

> > If so, do note that the debian release cycle may have quirks with
> > the same. Debian is released once in ~2 years and the stable version
> > needs support for ~3 years. Except for very urgent cases, packages
> > are not updated in stable.
> >
> > If a security bug hits the version in stable, do you find it a possibility
> > to support backporting security patches?
> >
> 
> Yes-ish. Go itself only supports security fixes up to ~1 year, so I'm not
> sure how chezmoi (or Debian) can do better than that. Are you backporting
> security fixes from Go 1.20.7 (which has a recent security fix) to Go 1.15
> (which was released ~3 years ago)?

Can you provide the exact CVE number you are referring to?

In any case, I think the answer is very likely a yes. There have been a
few uploads this March for go1.15 with a bunch of CVE fixes:

https://tracker.debian.org/news/1308221/accepted-golang-115-11515-1deb11u3-source-into-proposed-updates-stable-new-proposed-updates/
https://tracker.debian.org/news/1311213/accepted-golang-115-11515-1deb11u4-source-into-proposed-updates-stable-new-proposed-updates/

That said, I'm not directly involved with golang compiler package
itself. I have CC'ed Shengjing to comment more on it.

> > Are _major_ version changes in the dependencies a frequent occurence?
> >
> 
> I probably do about ten major version changes per year. However, minor and
> patch version bumps also cause problems, for example:
> - New minor and patch versions are obviously broken, and the maintainer has
> no interest in fixing them (e.g. https://github.com/sergi/go-diff)
> - New patch versions drop significant functionality (e.g.
> https://github.com/containerd/console/issues/75)
> I know that the underlying problem here is that these maintainers have not
> used semantic versioning correctly, but maintainers are human and therefore
> make mistakes, so you cannot rely on semantic versions being correct.

Ack.

> > > Would you consider accepting chezmoi as a vendored package, as happened
> > > with Kubernetes
> > > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971515#172>?
> >
> > I find it unlikely but I think a mix of vendored libs and system
> > packages can make it work. Many packages follow similar methods.
> >
> 
> What do I need to do to enable this mix? I read the Debian Go packaging page
> <https://go-team.pages.debian.net/packaging.html> but could not find any
> mention of it.

Yep, because vendoring is usually discouraged, since it leads to code
copies and that can cause issues if one of the vendored libs hits a CVE.
We usually do this by repacking to drop the unneeded vendored stuff and
adding a build dependency on the corresponding Debian packages in the archive.

> Would vendoring-in chezmoi's dependencies be sufficient from
> upstream (i.e. me)?

If the dependencies are very frequently updated, then _probably_ yes.
That said, since I did not dive deep into the package, I can't comment
with certainty. Maybe Ryan could chime in here?

Best,
Nilesh
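The case the thread calls option (b), a vulnerability in a go.mod dependency that is fixed by bumping the required version, is exactly what a scheduled govulncheck run flags. As an added example (not chezmoi's, Debian's or govulncheck's own code), the Go program below shows the module-level half of that check: it parses a go.mod, including the `require ( ... )` block and `// indirect` entries, and compares each requirement numerically against an advisory list with "first fixed version" entries. The go.mod contents, module names, advisory IDs and versions are all constructed for the example and are not real; numeric comparison is the point, since a plain string compare would rank v0.9.0 above v0.10.0.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a constructed stand-in for one vulnerability database entry
// (govulncheck uses vuln.go.dev). IDs and modules below are hypothetical.
type Advisory struct {
	ID     string
	Module string
	Fixed  string // first version that contains the fix
}

// Finding is a required module whose version is below an advisory's fix.
type Finding struct{ ID, Module, Have, Fixed string }

// parseRequires extracts module -> version from go.mod text. It handles the
// single-line "require m v" form and the "require ( ... )" block, and strips
// "// indirect" comments so indirect dependencies are checked as well.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// semverParts returns the numeric MAJOR.MINOR.PATCH of a "vX.Y.Z" string.
// Pre-release and pseudo-version suffixes are dropped, so two versions that
// differ only in a suffix compare equal; use golang.org/x/mod/semver for
// full ordering in real tooling.
func semverParts(v string) [3]int {
	var out [3]int
	core := strings.TrimPrefix(v, "v")
	core = strings.SplitN(core, "-", 2)[0]
	core = strings.SplitN(core, "+", 2)[0]
	for i, p := range strings.SplitN(core, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// compareSemver returns -1, 0 or 1, comparing each component numerically.
func compareSemver(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// checkGoMod reports every advisory whose module is required at a version
// below the fixed one; modules absent from go.mod are skipped.
func checkGoMod(gomod string, advisories []Advisory) []Finding {
	reqs := parseRequires(gomod)
	var out []Finding
	for _, adv := range advisories {
		if have, ok := reqs[adv.Module]; ok && compareSemver(have, adv.Fixed) < 0 {
			out = append(out, Finding{adv.ID, adv.Module, have, adv.Fixed})
		}
	}
	return out
}

// Constructed go.mod and advisory list; none of these modules or IDs are real.
const sampleGoMod = `module example.com/dotfiles

go 1.20

require github.com/example/diff v1.2.3

require (
	github.com/example/console v1.0.4
	example.com/x/net v0.9.0 // indirect
)
`

var sampleAdvisories = []Advisory{
	{"HYPO-2023-0001", "github.com/example/diff", "v1.3.0"},    // below fix
	{"HYPO-2023-0002", "github.com/example/console", "v1.0.4"}, // at fix
	{"HYPO-2023-0003", "example.com/x/net", "v0.10.0"},         // below fix
	{"HYPO-2023-0004", "github.com/example/unused", "v2.0.0"},  // not required
}

func main() {
	for _, f := range checkGoMod(sampleGoMod, sampleAdvisories) {
		fmt.Printf("%s: %s %s < fixed %s; bump it in go.mod\n", f.ID, f.Module, f.Have, f.Fixed)
	}
}
```

Running it reports two findings (the diff and net modules) and stays quiet about the console module, which is already at the fixed version. A real checker also needs symbol-level reachability (which is what govulncheck adds on top of this) and the vendor/ case from option (c), where vendor/modules.txt rather than go.mod records what was actually copied in.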
