Hi,
I've been preparing an updated crowdsec package, and here's a new batch
of new or updated packages that are needed for the v1.4.x branch. Please
let me know if you have any concerns or comments regarding that bunch of
packages. I've split it into several lists to ease reviewing them.
I would expect people not to care too much about the first list; but
maybe maintainers of the existing packages (second and third lists) have
an opinion about my plans.
New packages:
-------------
- golang-ariga-atlas
+ required by golang-entgo-ent
- golang-entgo-ent
+ required by crowdsec
+ replaces golang-github-facebook-ent
- golang-github-alexliesenfeld-health
+ required by crowdsec
- golang-github-c-robinson-iplib
+ required by crowdsec
- golang-github-confluentinc-bincover
+ required by crowdsec
- golang-github-crowdsecurity-dlog
+ required by crowdsec
- golang-github-crowdsecurity-grokky
+ required by crowdsec
+ replaces golang-github-logrusorgru-grokky
- golang-github-crowdsecurity-machineid
+ required by crowdsec
- golang-github-jszwec-csvutil
+ required by crowdsec
- golang-github-r3labs-diff
+ required by crowdsec
- golang-github-slack-go-slack
+ required by crowdsec
New -vN packages:
-----------------
- golang-github-apparentlymart-go-textseg-v13
+ required by (updated) golang-github-zclconf-go-cty
+ upstream documents using the /v13 path in `go get`, go.mod, etc.
+ golang-github-apparentlymart-go-textseg-dev has a few reverse
dependencies in main
+ a few patches were needed to support Unicode 13 / Go 1.19, so
using a new -v13 package seems safer than trying to switch the
existing versionless package to a new upstream release; some
users of /v12 are actually shipping vendorized hashicorp/hcl,
so I'm not sure we could fix anything even if we wanted to…
(see nomad* and packer further down).
- golang-github-hashicorp-hcl-v2
+ required by golang-ariga-atlas
+ golang-github-hashicorp-hcl-dev has 98 reverse dependencies in
main, so keeping the existing versionless package and introducing a
-v2 looks much safer!
+ will likely be beneficial to others, since hashicorp/hcl is
currently stuck at 1.0.0, and hashicorp/hcl/v2 is vendorized by
other packages…
Updated packages:
-----------------
- golang-github-gin-gonic-gin
+ required by crowdsec
+ update from 1.6.3 to 1.8.1
+ ratt is fine except:
- crowdsec:
+ I'm working on its update, the old version doesn't count!
- golang-gitlab-gitlab-org-labkit:
+ already RC-buggy: #1021583 (FTBFS)
- golang-nhooyr-websocket:
+ package confusion, fixed in 1.8.7-3
https://salsa.debian.org/go-team/packages/golang-nhooyr-websocket/-/commit/e00ff53
- nomad:
+ already RC-buggy: #1000441 (FTBFS), #1021273 (many CVEs),
#994214 (FTBFS)
- prometheus:
+ already RC-buggy: #1020145 (FTBFS)
- golang-github-zclconf-go-cty
+ required by golang-github-hashicorp-hcl-v2
+ update from 1.5.1 to 1.11.0
+ ratt is fine except:
- nomad:
+ already RC-buggy: #1000441, #1021273, #994214
+ additionally, undocumented (build-)dep on
golang-github-apparentlymart-go-textseg, which is going to be
exposed by golang-github-zclconf-go-cty moving to the -v13
package: #1021650
- nomad-driver-podman:
+ RC-buggy, outdated
+ additionally, undocumented (build-)dep on
golang-github-apparentlymart-go-textseg, via nomad and its
golang-github-hashicorp-nomad-dev (#1021650): #1021652
- packer
+ undocumented (build-)dep on
golang-github-apparentlymart-go-textseg, which is going to be
exposed by golang-github-zclconf-go-cty moving to the -v13
package: #1021654
+ This one can be fixed (right now) since it doesn't otherwise
FTBFS.
In summary, updating those two packages would break a little more
existing packages that are already RC-buggy; and that “extra breakage”
would only be about exposing existing issues (hidden by accident) for
which trivial patches aren't sufficient due to other, more important
issues. The following bug reports would get a severity bump from
important to serious after golang-github-zclconf-go-cty is uploaded:
#1021650 (nomad), #1021652 (nomad-driver-podman), #1021654 (packer);
even if I'm about to fix the last one in advance.
Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
Attachment:
signature.asc
Description: PGP signature