Re: [Help] Re: Bug#995171: need newer release

To: 995171@bugs.debian.org
Cc: debian-go@lists.debian.org
Subject: Re: [Help] Re: Bug#995171: need newer release
From: Andreas Tille <andreas@an3as.eu>
Date: Thu, 27 Jan 2022 14:51:37 +0100
Message-id: <[🔎] YfKjaSt+qGniqcDU@an3as.eu>
In-reply-to: <[🔎] ed147999-b69f-2917-a59c-6482aec34ae2@tchncs.de>
References: <[🔎] YfJuiqYQhtO5da1M@an3as.eu> <[🔎] ed147999-b69f-2917-a59c-6482aec34ae2@tchncs.de>

Hi Nilesh,

Am Thu, Jan 27, 2022 at 06:23:08PM +0530 schrieb Nilesh Patra:
> > is not the case for the latest
> > version of golang-github-vbauerster-mpb-dev:> [...]
> >          -o ./singularity /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
> > ../internal/app/singularity/push.go:23:2: cannot find package "github.com/vbauerster/mpb/v4" in any of:
> 
> That's because if you look in singularity's go.mod, it depends on both versions of this package (v4 and v6)
> see here[1]
> Ideally, it should have different versioned 'XS-Go-Import-Path' for all versions. For instance as done in
> blackfriday package see here[4][5]
> 
> So as far as I can tell, you could do the following:
> 
> a) Package different versions of both with correct import paths, upload to new and then
> add B-D on these.

I admit this sounds technically clean but I would like to fix the CVEs
in singularity-container rather sooner than later and passing NEW queue
is not promising regarding a quick fix.
 
> b) (Not highly) recommended) Vendor[6] the old version of  golang-github-vbauerster-mpb in the vendor directory and use
> that to build. This is messy but would solve the issue. There's already a vendor dir in that package which already
> gets a bunch of stuff, so this might not be much worse.

Amongst your suggestions this sounds like the most probable *I* feel
able to implement.  I would love if someone might beat me with a
better solution.

> c) Port code to the version 7 of this package (which you uploaded)

I've never written a line of code in Go - so this is not for me.
I'd also think this should rather be done upstream.
 
> d) Revert your upload to version 6 (where it was earlier) and port the code written with version 4 to 6

This will not be sufficient since also version 7 is needed (according
to the docs as well as according to the error message if you build
against version 6.

> > Since I'm not a Go programmer I wonder whether somebody could give
> > some helpful hint how to fix this.
> 
> Me neither, but hopefully that helped a bit?

It gave me some interesting ideas and might hopefully inspire others
to step in in case option b) sound to ugly.

> > PS: I'm not subscribed to debian-go list.  Please keep the bug report
> >      in CC.
> 
> Hope I did enough to reach out to you :-))

You did! ;-)
 
Kind regards

      Andreas.
 
> > [1] https://salsa.debian.org/hpc-team/singularity-container
> > [2] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2403226
> [3]: https://salsa.debian.org/hpc-team/singularity-container/-/blob/master/go.mod#L48-49
> [4]: https://salsa.debian.org/go-team/packages/golang-blackfriday/-/blob/debian/sid/debian/control#L18
> [5]: https://salsa.debian.org/go-team/packages/golang-blackfriday-v2/-/blob/debian/sid/debian/control#L17
> [6]: https://blog.gopheracademy.com/advent-2015/vendor-folder/
> 
> 




-- 
http://fam-tille.de

Reply to:

References:
- [Help] Re: Bug#995171: need newer release
  - From: Andreas Tille <andreas@an3as.eu>
- Re: [Help] Re: Bug#995171: need newer release
  - From: Nilesh Patra <nilesh@tchncs.de>

Prev by Date: Re: [Help] Re: Bug#995171: need newer release
Next by Date: Re: [Help] Re: Bug#995171: need newer release
Previous by thread: Re: [Help] Re: Bug#995171: need newer release
Next by thread: Re: [Help] Re: Bug#995171: need newer release
Index(es):
- Date
- Thread