
[RFC] Updating crowdsec, adding and updating other packages


I've been preparing an updated crowdsec package, and here's a new batch
of new or updated packages that are needed for the v1.4.x branch. Please
let me know if you have any concerns or comments regarding that bunch of
packages. I've split it into several lists to ease reviewing them.

I would expect people not to care too much about the first list; but
maybe maintainers of the existing packages (second and third lists) have
an opinion about my plans.

New packages:

- golang-ariga-atlas
   + required by golang-entgo-ent
- golang-entgo-ent
   + required by crowdsec
   + replaces golang-github-facebook-ent
- golang-github-alexliesenfeld-health
   + required by crowdsec
- golang-github-c-robinson-iplib
   + required by crowdsec
- golang-github-confluentinc-bincover
   + required by crowdsec
- golang-github-crowdsecurity-dlog
   + required by crowdsec
- golang-github-crowdsecurity-grokky
   + required by crowdsec
   + replaces golang-github-logrusorgru-grokky
- golang-github-crowdsecurity-machineid
   + required by crowdsec
- golang-github-jszwec-csvutil
   + required by crowdsec
- golang-github-r3labs-diff
   + required by crowdsec
- golang-github-slack-go-slack
   + required by crowdsec

New -vN packages:

- golang-github-apparentlymart-go-textseg-v13
   + required by (updated) golang-github-zclconf-go-cty
   + upstream documents using the /v13 path in `go get`, go.mod, etc.
   + golang-github-apparentlymart-go-textseg-dev has a few reverse
     dependencies in main
   + a few patches were needed to support Unicode 13 / Go 1.19, so
     using a new -v13 package seems safer than trying to switch the
     existing versionless package to a new upstream release; some
     users of /v12 are actually shipping vendorized hashicorp/hcl,
     so I'm not sure we could fix anything even if we wanted to…
     (see nomad* and packer further down).
- golang-github-hashicorp-hcl-v2
   + required by golang-ariga-atlas
   + golang-github-hashicorp-hcl-dev has 98 reverse dependencies in
     main, so keeping the existing versionless package and introducing a
     -v2 looks much safer!
   + will likely be beneficial to others, since hashicorp/hcl is
     currently stuck at 1.0.0, and hashicorp/hcl/v2 is vendorized by
     other packages…

Updated packages:

- golang-github-gin-gonic-gin
   + required by crowdsec
   + update from 1.6.3 to 1.8.1
   + ratt is fine except:
      - crowdsec:
         + I'm working on its update, the old version doesn't count!
      - golang-gitlab-gitlab-org-labkit:
         + already RC-buggy: #1021583 (FTBFS)
      - golang-nhooyr-websocket:
         + package confusion, fixed in 1.8.7-3
      - nomad:
         + already RC-buggy: #1000441 (FTBFS), #1021273 (many CVEs),
           #994214 (FTBFS)
      - prometheus:
         + already RC-buggy: #1020145 (FTBFS)
- golang-github-zclconf-go-cty
   + required by golang-github-hashicorp-hcl-v2
   + update from 1.5.1 to 1.11.0
   + ratt is fine except:
      - nomad:
         + already RC-buggy: #1000441, #1021273, #994214
         + additionally, undocumented (build-)dep on
           golang-github-apparentlymart-go-textseg, which is going to be
           exposed by golang-github-zclconf-go-cty moving to the -v13
           package: #1021650
      - nomad-driver-podman:
         + RC-buggy, outdated
         + additionally, undocumented (build-)dep on
           golang-github-apparentlymart-go-textseg, via nomad and its
           golang-github-hashicorp-nomad-dev (#1021650): #1021652
      - packer:
         + undocumented (build-)dep on
           golang-github-apparentlymart-go-textseg, which is going to be
           exposed by golang-github-zclconf-go-cty moving to the -v13
           package: #1021654
         + This one can be fixed (right now) since it doesn't otherwise

In summary, updating those two packages would break a little more
existing packages that are already RC-buggy; and that “extra breakage”
would only be about exposing existing issues (hidden by accident) for
which trivial patches aren't sufficient due to other, more important
issues. The following bug reports would get a severity bump from
important to serious after golang-github-zclconf-go-cty is uploaded:
#1021650 (nomad), #1021652 (nomad-driver-podman), #1021654 (packer);
even if I'm about to fix the last one in advance.

Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
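The "undocumented (build-)dep" problem above (a Go import satisfied only transitively, which surfaces once the provider moves to a -vN package) can be caught before upload by checking a package's Go imports against its Build-Depends. The script below is an added example, not code from the mail or from any Debian tooling; it assumes a simplified dh-make-golang-style mapping from module paths to Debian -dev package names, and the imports and Build-Depends it scans are constructed samples.

```python
# Debian naming for Go modules, following the usual dh-make-golang scheme
# (simplified; this mapping is an assumption of the example, not Debian policy).
HOST_ALIASES = {"github.com": "github", "gitlab.com": "gitlab", "golang.org": "golang", "gopkg.in": "gopkg"}
THREE_PART_HOSTS = {"github.com", "gitlab.com", "golang.org"}

def module_root(import_path):
    # Guess the module root of an import path; None for the standard library.
    parts = import_path.split("/")
    if "." not in parts[0]:
        return None
    n = 3 if parts[0] in THREE_PART_HOSTS else 2
    root = parts[:n]
    # A /vN element (e.g. /v13) belongs to a separate -vN package, so keep it.
    if len(parts) > n and parts[n].startswith("v") and parts[n][1:].isdigit():
        root.append(parts[n])
    return "/".join(root)

def debian_dev_package(root):
    parts = root.split("/")
    parts[0] = HOST_ALIASES.get(parts[0], parts[0])
    return "golang-" + "-".join(parts).replace(".", "-").lower() + "-dev"

def parse_build_depends(field):
    # Package names only: drop version constraints, arch qualifiers, alternatives.
    names = set()
    for entry in field.split(","):
        for alt in entry.split("|"):
            tokens = alt.split()
            if tokens:
                names.add(tokens[0])
    return names

def undeclared_build_deps(imports, build_depends):
    # Map each non-stdlib import to its expected -dev package and report the
    # ones missing from Build-Depends, i.e. deps currently satisfied only transitively.
    declared = parse_build_depends(build_depends)
    missing = {}
    for imp in imports:
        root = module_root(imp)
        if root is not None:
            pkg = debian_dev_package(root)
            if pkg not in declared:
                missing.setdefault(pkg, []).append(imp)
    return missing

# Constructed sample (not from any real package): go-textseg/v13 is imported
# directly but only reaches the build through go-cty's own dependencies.
SAMPLE_IMPORTS = ["fmt", "github.com/zclconf/go-cty/cty", "golang.org/x/sys/unix",
                  "github.com/apparentlymart/go-textseg/v13/textseg", "github.com/hashicorp/hcl/v2"]
SAMPLE_BUILD_DEPENDS = """dh-golang, golang-any, golang-github-zclconf-go-cty-dev (>= 1.11.0),
 golang-github-hashicorp-hcl-v2-dev, golang-golang-x-sys-dev"""
```

Running `undeclared_build_deps(SAMPLE_IMPORTS, SAMPLE_BUILD_DEPENDS)` on the sample flags golang-github-apparentlymart-go-textseg-v13-dev as imported but undeclared; in a real package the import list would come from scanning the source tree.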
