Nilesh Patra <nilesh@debian.org> writes:

>> > https://github.com/go-git/go-git-fixtures/tree/master/data
>> >
>> > directly into the installed Debian package. Given the recent xz fiasco,
>> > I have doubts that this is a good idea -- there is a bunch of
>> > pre-generated compressed git repositories in that directory, and I don't
>> > see any way to re-create them from scratch. They seem to have been
>> > manually curated by some developer in the past and then compressed and
>> > uploaded, somewhat similar to how the xz problem happened.
>
> At this rate, we will end up pruning a bunch of stuff from Debian. I don't think it
> is wise to remove a package just because of paranoia without fact-checking. I would
> at least check with the upstream developer once. Just saying.

I agree! I think my initial review came out too strong. I like an incremental approach - file this as an upstream wishlist bug to improve reproducing the included binary blobs. And we could file a wishlist Debian bug to analyze these binary blobs in case they turn out not to be reproducible from source... I believe that is Debian policy for all packages in main anyway. There are a lot of these pregenerated binary blobs in Debian that are assumed to be possible to re-create from source but rarely tested, as you say.

>> > Dropping these files may mean we don't test as much of go-git that is
>> > possible to test, but the alternative that we create a vector to inject
>> > binaries with no source code into Debian seems worse.
>> >
>> > Could you modify this package to drop any files that we cannot re-create
>> > during the build? Maybe the entire package becomes useless, if so, then
>> > we should just remove it IMHO.
>>
>> RM bug filed.
>
> In such cases, you need to consult the uploader. Please never file RM bugs without taking
> permission from uploader or maintainer (if it is an individual) of a package.
>
> Do note that it has 2 reverse-depends, which need to be fixed before the removal happens, else
> they start to FTBFS.
>
> | $ reverse-depends golang-github-go-git-go-git-fixtures-dev -b
> | Reverse-Build-Depends
> | =====================
> | * golang-github-go-git-go-git
> | * golang-github-jesseduffield-go-git

Yeah, I don't see the urgency in completing the RM now; more review and discussion is better.

/Simon