Reinhard Tartler <siretart@gmail.com> writes: > On Sun, Jan 14, 2024 at 8:36 PM Simon Josefsson <simon@josefsson.org> wrote: > >> Package: wnpp >> Severity: wishlist >> Owner: Simon Josefsson <simon@josefsson.org> >> >> * Package name : golang-github-cyberphone-json-canonicalization >> Version : 0.0~git20220623.57a0ce2-1 >> Upstream Author : Anders Rundgren >> * URL : https://github.com/cyberphone/json-canonicalization >> * License : Apache-2.0 >> Programming Lang: Go >> Description : JSON Canonicalization Scheme (JCS) (Go library) >> >> > I contemplated packaging this library in the past, but found it actually > contains > a lot of other stuff I didn't nede. In the end, I ended up packaging > https://salsa.debian.org/debian/golang-webpki-org-jsoncanonicalizer > which seems to be what the proposed package is "repackaing". > > In a way, I went straight for the source, I guess. Thanks -- I missed your package! No ITP bug? Your package looks cleaner, and I haven't yet figured out how to repack the golang-github-cyberphone-json-canonicalization tarball to only contain the Go code, much in the same way you did but instead extracted only the source code. I am considering to use your package instead, and haven't made the ftp-master NEW upload yet for 1060820. I wasn't able to build your package, did you forgot to push upstream branch and tags? Rekor has github.com/cyberphone/json-canonicalization in go.mod and is using that namespace: jas@kaka:~/dpkg/golang-github-sigstore-rekor$ rgrep jsoncanonicalizer . ./tests/e2e_test.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" ./tests/e2e_test.go: canonicalized, err := jsoncanonicalizer.Transform(payload) ./pkg/verify/verify.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" ./pkg/verify/verify.go: canonicalized, err := jsoncanonicalizer.Transform(contents) ./pkg/types/entries.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" ./pkg/types/entries.go: return jsoncanonicalizer.Transform(canonicalEntry) ./pkg/api/entries.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" ./pkg/api/entries.go: canonicalized, err := jsoncanonicalizer.Transform(payload) ./pkg/pki/tuf/tuf.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" ./pkg/pki/tuf/tuf.go: return jsoncanonicalizer.Transform(marshalledBytes) ./pkg/pki/tuf/tuf.go: return jsoncanonicalizer.Transform(marshalledBytes) jas@kaka:~/dpkg/golang-github-sigstore-rekor$ How would I force it to use your webpki.org namespace instead, simply patch all these occurances? Is is acceptable to patch upstream Go code to use other dependencies for Debian? I haven't done this with any package, so some assistance is appreciated. For reference my rekor package lives here: https://salsa.debian.org/jas/golang-github-sigstore-rekor Is this approach really scalable? Say 100 other upstream projects end up using cyberphone namespace, then Debian has to carry patches to change namespace for all of them, which is a lot of manual work. Once I can build your package, I can experiment with using it instead of my variant that lives here (failing license and lintian checks): https://salsa.debian.org/go-team/packages/golang-github-cyberphone-json-canonicalization https://salsa.debian.org/jas/golang-github-cyberphone-json-canonicalization/-/pipelines Hmm. Thinking out loud, perhaps a simpler compromise is to use your packaging but use the upstream namespace instead of changing it to golang-webpki-org-jsoncanonicalizer and webpki.org/jsoncanonicalizer namespace? Then no dependency will require patches. /Simon
Attachment:
signature.asc
Description: PGP signature